<div dir="ltr"><div><div><div>hi Lori:<br></div><br></div>so far as I know, FWaaS driver is currently using linux iptables in the L3agent namespace, so the FWaaS only affects traffic to or from the subnet gateway, if two tenants share the same router, I think the inter-tenant traffic will be monitored by FWaaS iptables drivers.<br>
</div><div><br><br>Chain neutron-l3-agent-FORWARD (1 references)<br> pkts bytes target prot opt in out source destination <br> 108 5856 neutron-l3-agent-iv46e4852c5 all -- * qr-+ <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <br>
293 17028 neutron-l3-agent-ov46e4852c5 all -- qr-+ * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <br> 0 0 neutron-l3-agent-fwaas-defau all -- * qr-+ <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <br>
0 0 neutron-l3-agent-fwaas-defau all -- qr-+ * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <br> </div><div class="gmail_extra"><br>Liu Wenmao<br clear="all">
<br><br><div class="gmail_quote">On Wed, Nov 27, 2013 at 9:56 AM, Lorin Hochstein <span dir="ltr"><<a href="mailto:lorin@nimbisservices.com" target="_blank">lorin@nimbisservices.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi Salvatore:<br><div><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="im">On Mon, Nov 25, 2013 at 2:02 PM, Salvatore Orlando <span dir="ltr"><<a href="mailto:sorlando@nicira.com" target="_blank">sorlando@nicira.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Lorin,<div>I think yours is a very good question; I am afraid I am not able to provide a straight answer regarding in which cases one service should be preferred to the other.<br>
</div><div><br></div><div>
Technically the difference would be that a firewall rule is enforced only at the edge of your network, and is therefore not enforced for intra-tenant and inter-tenant traffic, whereas a security group rule is enforced on every port where the security group applies.</div>
<div> </div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div></div><div>As an example, one could use a security group to allow traffic on ports 80 and 443 on all instances regardless of the source security group, and a firewall rule to block access to port 80 from external sources. The result would be that HTTP would be open for 'internal' traffic whereas only HTTPS would be available for externally-generated traffic.</div>
</div></blockquote></div><div><br><div>Can you confirm that the FWaaS rules won't apply to inter-tenant traffic? In a public cloud situation I would think an end-user would expect tenant isolation: traffic from other tenants to be treated the same way as external traffic.<span class=""><font color="#888888"><br>
</font></span></div><span class=""><font color="#888888"><br></font></span></div><span class=""><font color="#888888"><div>Lorin<br></div></font></span></div><div class="im"><br>-- <br><div dir="ltr">Lorin Hochstein<br><div>
Lead Architect - Cloud Services</div><div>Nimbis Services, Inc.</div><div><a href="http://www.nimbisservices.com" target="_blank">www.nimbisservices.com</a></div>
</div>
</div></div></div></div>
<br>_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br></blockquote></div><br></div></div>