On 09/05/2014 11:27 AM, Monty Taylor wrote:
> Hi!
>
> I've decided that as I have problems with OpenStack while using it in the
> service of Infra, I'm going to just start spamming the list.
>
> Please make something like this:
>
> neutron security-group-create default --allow-every-damn-thing

Does this work? Sure, it's a rule in the default group and not a group itself,
but it's a one-liner:

$ neutron security-group-rule-create --direction ingress --remote-ip-prefix 0.0.0.0/0 default

> Right now, to make security groups get the hell out of our way because they do
> not provide us any value because we manage our own iptables, it takes adding
> something like 20 rules.
>
> 15:24:05 clarkb | one each for ingress and egress udp tcp over ipv4
> then ipv6 and finally icmp

I guess you mean 20 rules because there are services using ~20 different ports,
which sounds about right. If you really didn't care you could have just opened
all of ICMP, TCP and UDP with three rules.

And isn't egress typically wide-open by default? You shouldn't need any rules
there.

And I do fall in the "more security" camp - giving someone a publicly-routable
IP address with all ports open is not typically a good idea, I wouldn't want to
hear the complaints from customers on that one...

-Brian

_______________________________________________
OpenStack-dev mailing list
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
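
The concern raised in the reply, instances reachable from any address on every port, can be checked mechanically. The following is an added example, not part of the original message or of OpenStack's code: it flags ingress rules that admit any source on all ports. The sample rules are constructed and use Neutron's security group rule field names; the helper names (`rule`, `any_source`, `all_ports`, `wide_open_ingress`) are hypothetical.

```python
import ipaddress

def rule(direction, ethertype, protocol=None, lo=None, hi=None, prefix=None, group=None):
    """Build a dict shaped like a Neutron security group rule (hypothetical helper)."""
    return {"direction": direction, "ethertype": ethertype, "protocol": protocol,
            "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": prefix, "remote_group_id": group}

# Constructed sample data, not taken from any real deployment.
SAMPLE_RULES = [
    rule("ingress", "IPv4", prefix="0.0.0.0/0"),               # the one-liner from the reply
    rule("ingress", "IPv4", "tcp", 1, 65535, "0.0.0.0/0"),     # all TCP, any source
    rule("ingress", "IPv4", "tcp", 22, 22, "0.0.0.0/0"),       # SSH only
    rule("ingress", "IPv6", "udp", prefix="::/0"),             # all UDP over IPv6
    rule("ingress", "IPv4", "tcp", 1, 65535, "10.0.0.0/8"),    # all TCP, internal range only
    rule("egress", "IPv4"),                                    # default-style open egress
    rule("ingress", "IPv4", "icmp", group="sg-constructed"),   # ICMP from group members only
]

def any_source(r):
    """True when the rule is not limited to a remote group or a real CIDR."""
    if r.get("remote_group_id"):
        return False
    prefix = r.get("remote_ip_prefix")
    if prefix is None:
        return True
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0

def all_ports(r):
    """True when the rule covers a whole protocol (or every protocol)."""
    lo, hi = r.get("port_range_min"), r.get("port_range_max")
    if r.get("protocol") is None or lo is None:
        return True          # no protocol or no range means nothing is filtered
    if r["protocol"] in ("tcp", "udp"):
        return lo <= 1 and (hi or lo) >= 65535
    return False             # e.g. ICMP restricted to a specific type/code

def wide_open_ingress(rules):
    """Return (index, ethertype, protocol) for each ingress rule open to the world."""
    return [(i, r["ethertype"], r.get("protocol") or "any")
            for i, r in enumerate(rules)
            if r["direction"] == "ingress" and any_source(r) and all_ports(r)]

if __name__ == "__main__":
    for idx, ethertype, proto in wide_open_ingress(SAMPLE_RULES):
        print(f"rule {idx}: {ethertype} {proto} ingress open to any source on all ports")
```

Egress rules are deliberately ignored here, matching the reply's point that egress is typically open by default.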
