Hi Israel, please find my answers inline. I'm not really an expert in this area, but I hope these answers are helpful, and, hopefully, correct!
Salvatore

On 15 June 2014 14:55, Israel Ziv <[email protected]> wrote:
> Hi!
>
> Please let me know if I’ve reached the proper group.
>
> I am going through neutron’s code and have a few questions.
>
> 1. I understood that
>
> a. ‘securitygroups’ enables intra-subnet “firewall” and is aimed to
> allow/deny traffic between tenants.

This is kind of correct. However, rather than "intra-subnet" I would say that the firewall rules are enforced at the port level - and they're obviously not just for allowing or denying traffic among tenants, as they allow you to express a wide variety of rules. Another thing to note is that a security group rule's action is always ALLOW - and they're enforced on a baseline default DENY ALL policy.

> b. ‘FWaaS’ enables inter-subnet “firewall” and is aimed to
> allow/deny traffic within tenant.

This is correct too, but as before I would point out that the real difference is that these rules are enforced at the router level. Also the nature of the rule is different, as the associated action can be either ALLOW or DENY.

> c. Did I understand correctly?
>
> 2. Does a securitygroup rule generation have effect on the
> perimeter firewall of the cloud?

If by perimeter you mean the 'edge' of the cloud, i.e. where your router's gateway ports are plugged, then I would say no. However, I don't remember whether security group rules are enforced on external networks as well; and also I'm not sure security groups are the right abstraction in that case.

> Regards
>
> Israel Ziv
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
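The distinction drawn in the reply above (security group rules: per port, no action of their own, a match means ALLOW on top of a default DENY ALL; FWaaS rules: per router, explicit ALLOW or DENY) has a practical consequence that is easy to miss: a security group can only ever be widened by adding rules, so it cannot express a carve-out such as "SSH from anywhere except this one range", while an ordered router policy can. The following is an added toy model written for this page, not Neutron's code: the field names, the first-match evaluation order for the router policy, and its default deny when no rule matches are simplifying assumptions, and the sample rules and packets are constructed.

```python
# Toy model of the two Neutron firewall abstractions discussed above.
# Added illustration, not Neutron code; field names and the first-match /
# default-deny behaviour of the router policy are assumptions of this model.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # None for protocols without ports


@dataclass(frozen=True)
class SecurityGroupRule:
    # No action field: a security group rule can only ALLOW what it matches.
    direction: str            # "ingress" or "egress"
    proto: Optional[str]      # None matches any protocol
    port_min: Optional[int]   # None matches any destination port
    port_max: Optional[int]
    remote_cidr: str          # the source for ingress, the destination for egress

    def matches(self, pkt: Packet) -> bool:
        remote = pkt.src if self.direction == "ingress" else pkt.dst
        if ip_address(remote) not in ip_network(self.remote_cidr):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.port_min is not None and (
                pkt.dport is None or not self.port_min <= pkt.dport <= self.port_max):
            return False
        return True


def port_allows(rules: List[SecurityGroupRule], direction: str, pkt: Packet) -> bool:
    """Port-level evaluation: baseline DENY ALL, any matching rule ALLOWs.

    The rules behave as a set: order is irrelevant, and adding a rule can only
    widen what the port accepts, never narrow it."""
    return any(r.direction == direction and r.matches(pkt) for r in rules)


@dataclass(frozen=True)
class FirewallRule:
    action: str               # "allow" or "deny"
    proto: Optional[str]      # None matches any protocol
    src_cidr: Optional[str]   # None matches any source address
    dst_cidr: Optional[str]   # None matches any destination address
    dport: Optional[int]      # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src_cidr is not None and ip_address(pkt.src) not in ip_network(self.src_cidr):
            return False
        if self.dst_cidr is not None and ip_address(pkt.dst) not in ip_network(self.dst_cidr):
            return False
        return self.dport is None or self.dport == pkt.dport


def router_allows(policy: List[FirewallRule], pkt: Packet) -> bool:
    """Router-level evaluation: the first matching rule decides.

    Assumption of this model: rules are checked in list order and a packet
    matching no rule is denied."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


# Constructed sample data: a web server's security group and a router policy.
WEB_SG = [
    SecurityGroupRule("ingress", "tcp", 22, 22, "10.0.0.0/8"),    # SSH from inside only
    SecurityGroupRule("ingress", "tcp", 80, 80, "0.0.0.0/0"),     # HTTP from anywhere
    SecurityGroupRule("egress", None, None, None, "0.0.0.0/0"),   # all outbound traffic
]
SSH_POLICY = [
    FirewallRule("deny", "tcp", "203.0.113.0/24", None, 22),      # carve-out comes first
    FirewallRule("allow", "tcp", None, None, 22),                 # then SSH from anywhere
]


def demo() -> dict:
    vm = "10.1.0.10"
    inside_ssh = Packet("10.1.2.3", vm, "tcp", 22)
    outside_ssh = Packet("203.0.113.5", vm, "tcp", 22)
    other_ssh = Packet("198.51.100.7", vm, "tcp", 22)
    https = Packet("198.51.100.7", vm, "tcp", 443)
    # The only security group rule that admits other_ssh also admits outside_ssh:
    # "SSH from anywhere except 203.0.113.0/24" is not expressible with ALLOW-only rules.
    widened = WEB_SG + [SecurityGroupRule("ingress", "tcp", 22, 22, "0.0.0.0/0")]
    return {
        "sg_inside_ssh": port_allows(WEB_SG, "ingress", inside_ssh),
        "sg_outside_ssh": port_allows(WEB_SG, "ingress", outside_ssh),
        "sg_https": port_allows(WEB_SG, "ingress", https),
        "sg_widened_outside_ssh": port_allows(widened, "ingress", outside_ssh),
        "fw_outside_ssh": router_allows(SSH_POLICY, outside_ssh),
        "fw_other_ssh": router_allows(SSH_POLICY, other_ssh),
        "fw_reversed_outside_ssh": router_allows(SSH_POLICY[::-1], outside_ssh),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'ALLOW' if verdict else 'DENY'}")
```

Running the module prints a verdict per case: the security group admits internal SSH and denies external SSH and HTTPS purely by omission, the widened group admits external SSH from everywhere at once, and the router policy denies 203.0.113.5 while admitting 198.51.100.7 only as long as the DENY rule precedes the ALLOW rule, which is the ordering hazard that ALLOW-only security groups do not have.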
