[openstack-dev] [Quantum] Spec of Security Group implementation

Nachi Ueno nachi at nttmcl.com
Tue Nov 27 22:34:51 UTC 2012


Hi Aaron, Akihiro, Gary

I would like to ask your opinion about the security group specs.

[Discussion 1] Should security group rules be applied to network:* ports?

- DHCP port (looks not needed)
- Router port (I could see many use cases, but this may be implemented as a
service extension such as VPN)

IMO, if we take this limitation, these limitations should be done in the
securitygroups_db class.

[Discussion 2] Security groups for external networks
I could see use cases here (limit outbound or inbound connections).
However, a different default setting may be needed.
Allow all traffic here?

[Discussion 3] Default filtering rule
IMO, we should update the definition on the wiki considering some
provider-specified rules.


Egress
-p udp --sport 68 --dport 67 -d 255.255.255.255 -j RETURN
-p udp --sport 68 --dport 67 -d $DHCP_IP -j RETURN
-m mac ! --mac-source $PORT_MAC -j DROP (arp spoofing)
! -s $PORT_FIXED_IPS -j DROP (ip spoofing)
-p udp --sport 67 --dport 68 -j DROP (disallow dhcp)

   - if there are no egress rules, all egress traffic is allowed except
   for the above rules

Ingress
-p udp --sport 67 --dport 68 -s $DHCP_IP -j RETURN


Thanks
Nachi
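As an added example (not part of the original mail and not Quantum's own code), the Discussion 3 default chain written out as a small POSIX sh generator. It uses the corrected rule syntax (RETURN, -j, the 255.255.255.255 broadcast address, DHCP replies on 67 -> 68) and generalizes the IP-spoofing check to a port with several fixed IPs, where a single "! -s" match no longer works. The function names, the "quantum-sg-" chain prefix and the MAC/IP values are my own assumptions and constructed sample data.

```shell
#!/bin/sh
# Added example, not Quantum code: emit the per-port default filtering chain
# from Discussion 3 as iptables rule specifications, one per line, in the
# order they must be appended. Chain names and helper names are hypothetical.
# RETURN hands the packet on to the security group rules that follow the chain.

# sg_egress_rules PORT_MAC "FIXED_IP [FIXED_IP ...]" DHCP_IP
sg_egress_rules() {
    mac=$1; fixed_ips=$2; dhcp_ip=$3

    # 1. DHCP client traffic must pass before the anti-spoofing checks:
    #    DHCPDISCOVER is sent from 0.0.0.0 to the limited broadcast address
    #    255.255.255.255 (not the /24 mask 255.255.255.0), so it would
    #    otherwise be dropped as a spoofed source.
    echo "-p udp --sport 68 --dport 67 -d 255.255.255.255 -j RETURN"
    echo "-p udp --sport 68 --dport 67 -d $dhcp_ip -j RETURN"

    # 2. MAC pinning: only the port's own hardware address may be the source.
    #    Note that iptables never sees ARP frames; this only pins the source
    #    MAC of IP packets. Stopping ARP spoofing itself needs ebtables/arptables.
    echo "-m mac ! --mac-source $mac -j DROP"

    # 3. Rogue DHCP server: the VM must never answer DHCP requests. This sits
    #    before the per-IP RETURNs, which would otherwise short-circuit it.
    echo "-p udp --sport 67 --dport 68 -j DROP"

    # 4. IP spoofing. '! -s' takes a single address or CIDR, so with several
    #    fixed IPs each allowed source RETURNs and everything else hits DROP.
    for ip in $fixed_ips; do
        echo "-s $ip -j RETURN"
    done
    echo "-j DROP"
}

# sg_ingress_rules DHCP_IP
# DHCP server replies travel from port 67 to port 68.
sg_ingress_rules() {
    echo "-p udp --sport 67 --dport 68 -s $1 -j RETURN"
}

# sg_apply CHAIN GENERATOR ARGS...
# Appends each generated rule to CHAIN with $IPT (default: iptables).
sg_apply() {
    chain=$1; shift
    "$@" | while IFS= read -r rule; do
        # $rule is deliberately unquoted: it is a list of iptables arguments.
        ${IPT:-iptables} -A "$chain" $rule
    done
}

# Preview for one port with constructed sample values. Set IPT=iptables
# (and run as root) to program the rules for real.
IPT="echo iptables"
sg_apply quantum-sg-port1-egress \
    sg_egress_rules fa:16:3e:00:00:01 "10.0.0.5 10.0.0.6" 10.0.0.2
sg_apply quantum-sg-port1-ingress sg_ingress_rules 10.0.0.2
```

The ordering is the part a spec should pin down: the two DHCP client RETURNs have to come before the source checks, and the rogue-DHCP-server DROP has to come before the per-fixed-IP RETURNs, otherwise a VM with a legitimate fixed IP could still serve DHCP to its neighbours.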