[Openstack] FWaaS vs Security Groups

Aaron Rosen arosen at nicira.com
Mon Oct 28 21:16:38 UTC 2013


Hi Thiago,

Currently, FWaaS only manages what's allowed in and out on router ports.
Security profiles are applied to instance ports directly.

FYI: The current FWaaS API is somewhat experimental and policy applies
globally to all the routers a tenant owns (i.e., no zone concept yet).

Aaron


On Mon, Oct 28, 2013 at 1:58 PM, Martinx - ジェームズ
<thiagocmartinsc at gmail.com> wrote:

> Guys,
>
> I'm trying to figure out the main differences between FWaaS and "Security
> Groups".
>
>
> * Do they complement each other? Or is FWaaS a "Security Groups"
> replacement...?
>
> * Can FWaaS manage the "Tenant Namespace Router NAT Table"?
>
> * Does FWaaS manage the same iptables/ip6tables tables in the L3 namespace
> router that "Security Groups" already manages too?
>
>
> For example, two commands to do (almost) the same thing? Like this:
>
> Open TCP port 80:
>
> FWaaS:
>
> neutron firewall-rule-create --protocol tcp --destination-port 80 --action allow
>
>
> Security Groups:
>
> neutron security-group-rule-create --direction ingress --protocol tcp --port_range_min 80 --port_range_max 80 <security_group_uuid>
>
>
> I'm a bit confused about the aims and proposals of each approach /
> project...
>
> Thanks!
> Thiago
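Added example, not part of the original thread: a simplified Python model of the placement described in the reply, with FWaaS enforced only where traffic crosses a router port and security groups enforced at the destination instance port. Port names, subnet labels and rule sets are constructed, and egress security-group rules are assumed to allow everything.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    subnet: str             # constructed subnet label
    sg_ingress: frozenset   # TCP ports the instance port's security group admits


def enforcement_points(src: Port, dst: Port) -> list:
    """Return the controls a packet from src to dst passes, in order."""
    points = []
    if src.subnet != dst.subnet:
        # Routed traffic crosses a router port, where FWaaS policy applies.
        points.append("fwaas@router")
    # The security group sits on the instance port, so it is always checked.
    points.append("secgroup@" + dst.name)
    return points


def decide(src: Port, dst: Port, dport: int, fw_allow: frozenset) -> str:
    """Evaluate a TCP packet against each control on its path."""
    for point in enforcement_points(src, dst):
        if point == "fwaas@router" and dport not in fw_allow:
            return "drop at " + point
        if point.startswith("secgroup@") and dport not in dst.sg_ingress:
            return "drop at " + point
    return "allow"


# Constructed topology: web, db and peer share net-a; remote is on net-b.
WEB = Port("web", "net-a", frozenset({22, 80}))
DB = Port("db", "net-a", frozenset({3306}))
PEER = Port("peer", "net-a", frozenset())
REMOTE = Port("remote", "net-b", frozenset())
FW_ALLOW = frozenset({80})  # tenant-wide FWaaS policy: allow tcp/80 only

if __name__ == "__main__":
    for src, dst, dport in [(REMOTE, WEB, 80), (REMOTE, WEB, 22),
                            (PEER, WEB, 22), (REMOTE, DB, 80)]:
        print(src.name, "->", dst.name, dport, decide(src, dst, dport, FW_ALLOW))
```

In this model the same-subnet SSH connection from peer to web is allowed even though the firewall policy permits only port 80, because that traffic never reaches a router port; only the security group on the instance port can restrict it.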