Thanks for the pointer Slawek!

I am wondering if the OP is thinking of security groups, and if so, that is through an ML2 plugin mechanism on the switch-level configuration. However, very few ML2 plugins have supported applying security groups to switches, because the translation can be difficult or the switches don't support packet inspection without performance degradation.



On Fri, Jun 30, 2023 at 12:27 AM Slawek Kaplonski <skaplons@redhat.com> wrote:

Hi,


On Thursday, 29 June 2023 19:08:30 CEST Karl Kloppenborg wrote:

> Hi Team,

>

> We have Ironic deployed and configured to deploy baremetal on vlans attached to the neutron routers of a tenancy/project.

>

> However, when assigned a floating IP, there’s no firewall and the server is completely exposed.

>

> I cannot seem to see any information on Ironic firewalls; how are others achieving this?

>

> Any suggestions would be greatly appreciated.

>

> Thanks,

> Karl Kloppenborg.

> Openstack-Helm Team.

>


For a firewall at the Neutron router level there is the neutron-fwaas project [1]. Did you check that?


[1] https://docs.openstack.org/neutron/latest/admin/fwaas-v2-scenario.html


--

Slawek Kaplonski

Principal Software Engineer

Red Hat