On 09/05/2014 11:27 AM, Monty Taylor wrote:
> Hi!
> I've decided that as I have problems with OpenStack while using it in the
> service of Infra, I'm going to just start spamming the list.
> Please make something like this:
> neutron security-group-create default --allow-every-damn-thing

Does this work?  Sure, it's a rule in the default group and not a group itself,
but it's a one-liner:

$ neutron security-group-rule-create --direction ingress --remote-ip-prefix default

> Right now, to make security groups get the hell out of our way because they do
> not provide us any value because we manage our own iptables, it takes adding
> something like 20 rules.
> 15:24:05          clarkb | one each for ingress and egress udp tcp over ipv4
> then ipv6 and finally icmp

I guess you mean 20 rules because there are services using ~20 different ports,
which sounds about right.  If you really didn't care you could have just opened
all of ICMP, TCP and UDP with three rules.

And isn't egress typically wide-open by default?  You shouldn't need any rules

And I do fall in the "more security" camp - giving someone a publicly-routable
IP address with all ports open is not typically a good idea, I wouldn't want to
hear the complaints from customers on that one...


OpenStack-dev mailing list
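
An added example (not part of the original message, and not Neutron's own code): a small audit that flags ingress security-group rules open to every source on every port, the configuration this thread argues about. The dictionary keys follow Neutron's security-group-rule fields; the sample rules, the `rule` helper and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample rules; keys follow Neutron's security-group-rule fields.
def rule(rid, direction, proto, lo, hi, prefix=None, group=None, eth="IPv4"):
    return {"id": rid, "direction": direction, "ethertype": eth,
            "protocol": proto, "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": prefix, "remote_group_id": group}

SAMPLE_RULES = [
    rule("r1", "ingress", "tcp", 22, 22, "203.0.113.0/24"),    # SSH, one subnet
    rule("r2", "ingress", "tcp", None, None, "0.0.0.0/0"),     # all TCP, anyone
    rule("r3", "ingress", "udp", 1, 65535, "::/0", eth="IPv6"),  # all UDP, anyone
    rule("r4", "ingress", "icmp", None, None, "0.0.0.0/0"),    # all ICMP, anyone
    rule("r5", "egress", None, None, None),                    # open egress
    rule("r6", "ingress", None, None, None, group="sg-default"),  # group members only
    rule("r7", "ingress", "tcp", 443, 443, "0.0.0.0/0"),       # one public port
]

def is_any_source(r):
    """True when the rule matches traffic from every address."""
    if r.get("remote_group_id"):
        return False                      # limited to members of another group
    prefix = r.get("remote_ip_prefix")
    if prefix is None:
        return True                       # no prefix, no group: any source
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0

def is_all_ports(r):
    """True when the rule covers the whole protocol (or every protocol)."""
    lo, hi = r.get("port_range_min"), r.get("port_range_max")
    if r.get("protocol") is None or (lo is None and hi is None):
        return True                       # no protocol or no range: unrestricted
    if r["protocol"] in ("tcp", "udp"):
        return lo is not None and hi is not None and lo <= 1 and hi >= 65535
    return False                          # e.g. ICMP limited to a type/code

def wide_open_ingress(rules):
    """IDs of ingress rules reachable from anywhere on all ports."""
    return [r["id"] for r in rules
            if r["direction"] == "ingress" and is_any_source(r) and is_all_ports(r)]

if __name__ == "__main__":
    for rid in wide_open_ingress(SAMPLE_RULES):
        print("wide-open ingress rule:", rid)
```
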
