[openstack-dev] [Quantum] Spec of Security Group implementation
Nachi Ueno
nachi at nttmcl.com
Tue Nov 27 22:34:51 UTC 2012
Hi Aaron, Akihiro, Gary
I would like to ask your opinion about the security group specs.
[Discussion 1] security group rule applied for port for network:* ports?
- Dhcp port (looks not needed)
- Router port ( I could see many usecases, but this may be implemented as a
service extension such as VPM)
IMO, if we take this limitation, these limitation should be done in
securitygroups_db class.
[Discussion 2] Security groups for external networks
I could see use cases here. ( limit outbound or inbound connections)
However may be different default setting needed.
Allow all traffic here ?
[Discussion 3] Default filtering rule
IMO, we should update definition of wiki considering some
provider specified rules.
Egress
-p udp --sport 68 --dport 67 -d 255.255.255.0 -j RETRUN
-p udp --sport 68 --dport 67 -d $DHCP_IP -j RETRUN
-m mac --mac-source !$PORT_MAC -j DROP (arp spoofing)
-s !$PORT_FIXED_IPS -j DROP (ip spoofing)
-p udp --sport 67 --dport 68 -J DROP (disallow dhcp)
- if no there are no egress rule, all egress traffic allowed except
above rules
Ingress
-p udp --sport 68 --dport 67 -s $DHCP_IP -j RETURN
Thanks
Nachi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20121127/304d53d9/attachment.html>
More information about the OpenStack-dev
mailing list