Inline... ~Sumit.
On Sun, Jun 15, 2014 at 9:25 AM, Salvatore Orlando <sorla...@nicira.com> wrote:
> Hi Israel,
>
> please find my answers inline.
> I'm not really an expert in this area, but I hope these answers are helpful,
> and, hopefully, correct!
>
> Salvatore
>
>
> On 15 June 2014 14:55, Israel Ziv <israel....@huawei.com> wrote:
>>
>> Hi!
>>
>> Please let me know if I’ve reached the proper group.
>>
>> I am going through neutron’s code and have a few questions.
>>
>> 1. I understood that
>>
>> a. ‘securitygroups’ enables intra-subnet “firewall” and is aimed to
>> allow/deny traffic between tenants.
>
> This is kind of correct. However, rather than "intra-subnet" I would say
> that the firewall rules are enforced at the port level - and they're
> obviously not just for allowing or denying traffic among tenants, as they allow
> to express a wide variety of rules.
> Another thing to note is that security group rules' action always is ALLOW -
> and they're enforced on a baseline default DENY ALL policy.
>>
>> b. ‘FWaaS’ enables inter-subnet “firewall” and is aimed to allow/deny
>> traffic within tenant.
>
> This is correct too, but as before I would point out that the real
> difference is that these rules are enforced at the router level. Also the
> nature of the rule is different as the associated actions can be either
> ALLOW or DENY.
>>

Also, the fact the FWaaS rules are applied on the Neutron router is an artifact of the reference implementation. The FWaaS model itself is independent of where/how the firewall/rules are realized.

>> c. Did I understand correctly?
>>
>> 2. Does a securitygroup rule generation have effect on the perimeter
>> firewall of the cloud?
>
> If by perimeter you mean the 'edge' of cloud, i.e. where your router's
> gateway ports are plugged, then I would say no. However, I don't remember
> whether security group rules are enforced on external networks as well; and
> also I'm not sure security groups are the right abstraction in that case.
>
>>
>> Regards
>>
>> Israel Ziv
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
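The two rule semantics contrasted in the thread (security groups: ALLOW-only rules on a default DENY ALL baseline, enforced per port; FWaaS: an ordered list of ALLOW or DENY rules, enforced at the router in the reference implementation) as an added illustration that is not Neutron code. The `Packet`/`Rule` model, the sample policies and the assumption that unmatched FWaaS traffic is dropped are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str     # source address
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port (0 for icmp)

@dataclass(frozen=True)
class Rule:
    proto: str          # "tcp", "udp", "icmp" or "any"
    cidr: str           # remote prefix the rule applies to
    port_min: int
    port_max: int
    action: str = "allow"   # FWaaS rules may also carry "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.cidr)
                and self.port_min <= pkt.dport <= self.port_max)

def security_group_permits(rules, pkt: Packet) -> bool:
    """Port-level semantics: baseline DENY ALL, any matching ALLOW rule opens
    the traffic. Order is irrelevant because no rule can shadow another."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security group rules can only be ALLOW")
    return any(r.matches(pkt) for r in rules)

def fwaas_permits(rules, pkt: Packet) -> bool:
    """Router-level semantics: ordered list, first match decides, so an
    explicit DENY placed early shadows a broader ALLOW that follows it."""
    for r in rules:
        if r.matches(pkt):
            return r.action == "allow"
    return False   # constructed assumption: unmatched traffic is dropped

# Constructed sample policies (not taken from any real deployment).
SG_RULES = [Rule("tcp", "10.0.0.0/24", 22, 22)]
FW_RULES = [Rule("tcp", "10.0.0.0/24", 22, 22, action="deny"),
            Rule("tcp", "0.0.0.0/0", 1, 65535)]

if __name__ == "__main__":
    ssh = Packet("10.0.0.5", "tcp", 22)
    print("SG permits SSH from 10.0.0.5:", security_group_permits(SG_RULES, ssh))
    print("FW permits SSH from 10.0.0.5:", fwaas_permits(FW_RULES, ssh))
    print("FW with rules reversed:", fwaas_permits(FW_RULES[::-1], ssh))
```

Reversing `FW_RULES` flips the SSH verdict because the broad ALLOW now shadows the DENY, which is exactly the ordering hazard a security group policy cannot have.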