[openstack-dev] [Neutron] [FWaaS] [sequritygroup] [Development]

Salvatore Orlando sorlando at nicira.com
Sun Jun 15 16:25:23 UTC 2014


Hi Israel,

please find my answers inline.
I'm not really an expert in this area, but I hope these answers are
helpful, and, hopefully, correct!

Salvatore


On 15 June 2014 14:55, Israel Ziv <israel.ziv at huawei.com> wrote:

>  Hi!
>
> Please let me know if I’ve reached the proper group.
>
> I am going through neutron’s code and have a few questions.
>
>
>
> 1.       I understood that
>
> a.       ‘securitygroups’ enables intra-subnet “firewall” and is aimed to
> allow/deny traffic between tenants.
>
This is kind of correct. However, rather than "intra-subnet" I would say
that the firewall rules are enforced at the port level - and they're
obviously not just for allowing or deny traffic among tenants, as they
allow to express a wide variety of rules.
Another thing to note is that security group rules' action always is ALLOW
- and they're enforced on a baseline default DENY ALL policy

>  b.      ‘FWaaS’ enables inter-subnet “firewall” and is aimed to
> allow/deny traffic within tenant.
>
This is correct too, but as before I would point out that the real
difference is that these rules are enforced at the router level. Also the
nature of the rule is different as the associated actions can be either
ALLOW or DENY.

>  c.       Did I understand correctly?
>
> 2.       Does a securitygroup rule generation have effect on the
> perimeter firewall of the cloud?
>
> If by perimeter you mean the 'edge' of cloud, ie: where your router's
gateway ports are plugged, then I would say no. However, I don't remember
whether security group rules are enforced on external networks as well; and
also I'm not sure security groups are the right abstraction in that case.


>
>
> Regards
>
> Israel Ziv
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140615/30ee1a50/attachment.html>


More information about the OpenStack-dev mailing list