Re: [Openstack] security group rules

2016-04-11 Thread Sławek Kapłoński
Hello,

To be a little bit more precise, it allows AFAIK ingress from all instances 
(ports) which have got the same security group.

-- 
Best regards
Sławek Kapłoński
sla...@kaplonski.pl

On Monday, 11 April 2016 21:32:55 CEST Remo Mattei wrote:
> it says default not 0/0 which is not from anywhere.
> 
> So that applies only for the local network (default)
> 
> > On Apr 11, 2016, at 21:15, Jagga Soorma  wrote:
> > 
> > Hi Guys,
> > 
> > There is a default security group rule that has the following entry:
> > 
> > --
> > Direction: Ingress
> > Ether Type: IPv4
> > IP Protocol: Any
> > Port Range: Any
> > Remote Prefix: -
> > Remote Security Group: default
> > --
> > 
> > Now this makes me think that it should basically allow all ingress ipv4
> > traffic (udp & tcp) on any port.  However we have to manually open up ssh
> > for example by adding another rule for port 22 and remote prefix of
> > 0.0.0.0/0.  Not sure what a - in the remote prefix
> > means and why is this rule even there if it does nothing.  Any help
> > understanding this would be appreciated.
> > 
> > Thanks.
> > 

___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


Re: [Openstack] security group rules

2016-04-11 Thread rezroo
In neutron a security group rule can have different types of "remote" - 
either a CIDR or another security group.


The rule means that your "remote" is another security group - so any VM 
in security group "default" can reach any port in this security group - 
so "default" has opened all its ports to members of "default".


Reza

On 4/11/2016 6:15 PM, Jagga Soorma wrote:

Hi Guys,

There is a default security group rule that has the following entry:

--
Direction: Ingress
Ether Type: IPv4
IP Protocol: Any
Port Range: Any
Remote Prefix: -
Remote Security Group: default
--

Now this makes me think that it should basically allow all ingress 
ipv4 traffic (udp & tcp) on any port.  However we have to manually 
open up ssh for example by adding another rule for port 22 and remote 
prefix of 0.0.0.0/0. Not sure what a - in the 
remote prefix means and why is this rule even there if it does 
nothing.  Any help understanding this would be appreciated.


Thanks.
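
A simplified model of how the rule quoted in this thread is matched, added here as an illustration (it is not Neutron's code and not from any poster). The dictionary keys follow the Neutron security group rule fields; the port table, IP addresses and the `web` group are constructed sample data.

```python
import ipaddress

# Constructed sample ports: source IP -> security groups of the port that owns it.
PORTS = {
    "10.0.0.5": {"default"},  # VM A
    "10.0.0.6": {"default"},  # VM B
    "10.0.0.7": {"web"},      # VM C: same subnet, different group
}

# The rule quoted in the thread: remote is a security group, no CIDR.
DEFAULT_RULE = {"direction": "ingress", "ethertype": "IPv4", "protocol": None,
                "port_range_min": None, "port_range_max": None,
                "remote_ip_prefix": None, "remote_group_id": "default"}
# The rule the original poster had to add by hand for SSH from anywhere.
SSH_RULE = {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
            "port_range_min": 22, "port_range_max": 22,
            "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None}


def rule_matches(rule, src_ip, protocol, dst_port, ports=PORTS):
    """Return True if a single ingress rule admits the packet."""
    addr = ipaddress.ip_address(src_ip)
    if rule["direction"] != "ingress":
        return False
    if addr.version != (4 if rule["ethertype"] == "IPv4" else 6):
        return False
    if rule["protocol"] not in (None, protocol):
        return False
    if rule["port_range_min"] is not None and not (
            rule["port_range_min"] <= dst_port <= rule["port_range_max"]):
        return False
    if rule["remote_group_id"] is not None:
        # The source must be a port that is a member of the remote group.
        return rule["remote_group_id"] in ports.get(src_ip, set())
    if rule["remote_ip_prefix"] is not None:
        return addr in ipaddress.ip_network(rule["remote_ip_prefix"])
    return True  # no remote given: any source


def allowed(rules, src_ip, protocol, dst_port):
    """Security groups are allow-lists: one matching rule admits the packet."""
    return any(rule_matches(r, src_ip, protocol, dst_port) for r in rules)
```

With only `DEFAULT_RULE`, VM B reaches any port on VM A, while VM C and an outside address such as 203.0.113.9 are dropped; adding `SSH_RULE` admits the outside address on TCP 22 only.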





Re: [Openstack] security group rules

2016-04-11 Thread Remo Mattei
it says default not 0/0 which is not from anywhere. 

So that applies only for the local network (default) 
> On Apr 11, 2016, at 21:15, Jagga Soorma  wrote:
> 
> Hi Guys,
> 
> There is a default security group rule that has the following entry:
> 
> --
> Direction: Ingress
> Ether Type: IPv4
> IP Protocol: Any
> Port Range: Any
> Remote Prefix: -
> Remote Security Group: default
> --
> 
> Now this makes me think that it should basically allow all ingress ipv4 
> traffic (udp & tcp) on any port.  However we have to manually open up ssh for 
> example by adding another rule for port 22 and remote prefix of 0.0.0.0/0.
> Not sure what a - in the remote prefix means and why is 
> this rule even there if it does nothing.  Any help understanding this would 
> be appreciated.
> 
> Thanks.
> 


Re: [Openstack] Security group rules not propagating to instances

2013-12-15 Thread Matt Kassawara
For some reason, this issue disappeared after not touching the installation
for several days.  However, the following warning appears in Neutron
server.log on the controller shortly after launching an instance:

2013-12-15 14:15:59.454 7385 WARNING neutron.db.agentschedulers_db [-] Fail
scheduling network {'status': u'ACTIVE', 'subnets':
[u'96675551-1c86-4e1b-a4e7-31b542e8b27b'], 'name': u'demo-net',
'provider:physical_network': None, 'admin_state_up': True, 'tenant_id':
u'401882b1b653413aa41e21971d1b2c27', 'provider:network_type': u'gre',
'router:external': False, 'shared': False, 'id':
u'c095696e-6b0e-488f-bfdd-c81121137814', 'provider:segmentation_id': 2L}



On Sun, Dec 15, 2013 at 6:13 AM, 郭龙仓 guolongcang.w...@gmail.com wrote:

 Have you checked the l2-agent's log --   /var/log/neutron/openvswitch-agent.log


 2013/12/14 Matt Kassawara mkassaw...@gmail.com

 Hmm, that looks more like a nova-net issue than a neutron issue.


 On Fri, Dec 13, 2013 at 6:07 PM, John Smith lbalba...@gmail.com wrote:

 On Sat, Dec 14, 2013 at 1:45 AM, Matt Kassawara mkassaw...@gmail.com
 wrote:
  Hmm... anyone else experienced this problem?
 
 Don't know. Is it anything like this?:
 https://bugs.launchpad.net/nova/+bug/1257875





Re: [Openstack] Security group rules not propagating to instances

2013-12-13 Thread Matt Kassawara
Hmm, that looks more like a nova-net issue than a neutron issue.


On Fri, Dec 13, 2013 at 6:07 PM, John Smith lbalba...@gmail.com wrote:

 On Sat, Dec 14, 2013 at 1:45 AM, Matt Kassawara mkassaw...@gmail.com
 wrote:
  Hmm... anyone else experienced this problem?
 
 Don't know. Is it anything like this?:
 https://bugs.launchpad.net/nova/+bug/1257875
