[Openstack-operators] Small openstack

Kris G. Lindgren klindgren at godaddy.com
Sat Jan 10 01:10:29 UTC 2015


George,

From past experience you cannot have both nova and neutron security
groups enabled at the same time.

If you use nova security groups - then I believe they have the appropriate
stuff in place to prevent the arp spoofing and other associated stuff.
However - if you want the ability to apply egress filtering and something
else (it's been a while) then you need to use neutron security groups. If
you use neutron security groups - you must disable the nova security
groups.

I am trying to remember the exact issue, but I remember what effectively
happened is you could cause a condition in which no security groups were
being enforced. I think this was because of the order of rules being
applied in iptables itself - if a service was restarted (nova-compute or
the neutron-openvswitch-agent) it would insert its own rules at the top of
the chain ahead of the other service - which actually had the filtering
rules - which would result in no filtering actually taking place.

If someone has this working and I am wrong on this - please let me know
what your working configuration is.

____________________________________________
 
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.
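As an added example (not from the thread or from either project), a small check for the ordering hazard Kris describes: it parses iptables-save output and flags any chain jumped to from FORWARD that ACCEPTs every packet before the first jump into the neutron security-group chain. The dump is constructed, and the chain names nova-compute-FORWARD and neutron-openvswi-FORWARD are assumed to be the chains the two services install.

```python
import re

# Constructed iptables-save fragment, not a real dump: the nova jump sits
# ahead of the neutron security-group chain, so traffic is ACCEPTed first.
SAMPLE_BROKEN = """\
*filter
:FORWARD ACCEPT [0:0]
:nova-filter-top - [0:0]
:nova-compute-FORWARD - [0:0]
:neutron-filter-top - [0:0]
:neutron-openvswi-FORWARD - [0:0]
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A nova-compute-FORWARD -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1 -j neutron-openvswi-sg-chain
COMMIT
"""
# Same chains with the neutron jump reached first (constructed).
SAMPLE_OK = SAMPLE_BROKEN.replace(
    "-A FORWARD -j nova-filter-top\n-A FORWARD -j nova-compute-FORWARD\n", ""
).replace("COMMIT", "-A FORWARD -j nova-compute-FORWARD\nCOMMIT")

RULE_RE = re.compile(r"^-A (\S+)(.*?)(?: -j (\S+))?$")

def parse_chains(dump):
    """Map chain name -> ordered list of (match options, jump target)."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            m = RULE_RE.match(line)
            chains.setdefault(m.group(1), []).append((m.group(2).strip(), m.group(3)))
    return chains

def unconditionally_accepts(rules):
    """True if the chain ACCEPTs before any rule that carries match options."""
    for opts, target in rules:
        if opts or target in ("DROP", "REJECT", "RETURN"):
            return False
        if target == "ACCEPT":
            return True
    return False

def shadowed_filters(dump, base="FORWARD", filter_prefix="neutron-openvswi-"):
    """Chains jumped to from `base` that ACCEPT everything before filtering is reached."""
    chains = parse_chains(dump)
    shadowing = []
    for _opts, target in chains.get(base, []):
        if target and target.startswith(filter_prefix):
            break  # filtering chain reached; later jumps no longer bypass it
        if target in chains and unconditionally_accepts(chains[target]):
            shadowing.append(target)
    return shadowing
```

Run it against `iptables-save` output on a compute node; a non-empty result names the chain that is short-circuiting the security-group rules.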




On 1/9/15, 5:26 PM, "George Shuklin" <george.shuklin at gmail.com> wrote:

>On 01/09/2015 09:25 PM, Kris G. Lindgren wrote:
>> Also, If you are running this configuration you should be aware of the
>> following bug:
>>
>> https://bugs.launchpad.net/neutron/+bug/1274034
>>
>> And the corresponding fix: https://review.openstack.org/#/c/141130/
>>
>> Basically - Neutron security group rules do nothing to protect against
>> arp spoofing/poisoning from vm's.  So it's possible under a shared network
>> configuration for a vm to arp for another vm's ip address and
>> temporarily knock that vm offline.  The above commit - which is still a
>> WIP - adds ebtable rules to allow neutron to filter protocols other than
>> IP (eg arp).
>Thank you!
>
>I just finished playing with private networks (as external networks) and
>started tuning the internet network. And I saw something strange when I was
>doing a pentest from one of the instances. I'm going to check each thing
>from the list in the bug description.
>
>But I thought that security groups, antispoofing and other things are
>nova-driven?
>
>
>_______________________________________________
>OpenStack-operators mailing list
>OpenStack-operators at lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators