[Openstack] FWaaS vs Security Groups

Martinx - ジェームズ thiagocmartinsc at gmail.com
Mon Oct 28 21:19:56 UTC 2013


Cool! Thanks!!


On 28 October 2013 19:16, Aaron Rosen <arosen at nicira.com> wrote:

> Hi Thiago,
>
> Currently, FWaaS only manages what's allowed in and out on router ports.
> Security profiles are applied to instance ports directly.
>
> FYI: The current FWaaS API is somewhat experimental and policy applies
> globally to all the routers a tenant owns (i.e., no zone concept yet).
>
> Aaron
>
>
> On Mon, Oct 28, 2013 at 1:58 PM, Martinx - ジェームズ <
> thiagocmartinsc at gmail.com> wrote:
>
>> Guys,
>>
>> I'm trying to figure out the main differences between FWaaS and "Security
>> Groups".
>>
>>
>> * Do they complement each other? Or is FWaaS a "Security Groups"
>> replacement...?
>>
>> * Can FWaaS manage the "Tenant Namespace Router NAT Table"?
>>
>> * Does FWaaS manage the same iptables/ip6tables tables in the L3 namespace
>> router that "Security Groups" already manages too?
>>
>>
>> For example, two commands to do (almost) the same thing? Like this:
>>
>> Open TCP port 80:
>>
>> FWaaS:
>>
>> neutron firewall-rule-create --protocol tcp --destination-port 80 --action allow
>>
>>
>> Security Groups:
>>
>> neutron security-group-rule-create --direction ingress --protocol tcp --port_range_min 80 --port_range_max 80 <security_group_uuid>
>>
>>
>> I'm a bit confused about the aims and proposals of each approach /
>> project...
>>
>> Thanks!
>> Thiago
>>
>
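
An added illustration of the split Aaron describes (not code from the thread or from Neutron): a small Python model in which the tenant's firewall policy is consulted only for traffic that crosses a router, while security group rules are checked at the destination instance port. The port ids, network names and rule sets are constructed, and default-deny at both layers is a simplifying assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_net: str      # source network name, or "external"
    dst_net: str      # destination network name
    dst_port_id: str  # Neutron port of the destination instance (constructed id)
    proto: str
    dport: int

# Constructed sample state; all names and values are illustrative only.
# One firewall policy per tenant, enforced on every router the tenant owns.
FW_POLICY = [("tcp", 80, "allow")]  # ordered rules; the model denies if none match
# Security group ingress rules, keyed by the instance port they are bound to.
SG_INGRESS = {
    "port-web": {("tcp", 80), ("tcp", 22)},
    "port-db": {("tcp", 3306)},
}

def crosses_router(pkt):
    """Traffic is routed only when source and destination networks differ."""
    return pkt.src_net != pkt.dst_net

def fwaas_allows(pkt):
    for proto, dport, action in FW_POLICY:  # first matching rule wins
        if (proto, dport) == (pkt.proto, pkt.dport):
            return action == "allow"
    return False

def sg_allows(pkt):
    return (pkt.proto, pkt.dport) in SG_INGRESS.get(pkt.dst_port_id, set())

def decide(pkt):
    """Return (verdict, enforcement point that made the decision)."""
    routed = crosses_router(pkt)
    if routed and not fwaas_allows(pkt):
        return ("drop", "router port (FWaaS)")
    if not sg_allows(pkt):
        return ("drop", "instance port (security group)")
    return ("accept", "both layers passed" if routed else "security group only")

if __name__ == "__main__":
    for p in [
        Packet("external", "net-a", "port-web", "tcp", 80),
        Packet("external", "net-a", "port-web", "tcp", 22),
        Packet("net-a", "net-a", "port-web", "tcp", 22),
        Packet("net-b", "net-a", "port-db", "tcp", 3306),
    ]:
        print(p, "->", decide(p))
```

The third sample never reaches a router, so only the security group decides it; the fourth is dropped at the router because the single tenant-wide policy also covers traffic between the tenant's own networks.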