Hi Yong,

By default there should be two ingress rules that allow ports within the same security group to communicate:
https://github.com/openstack/quantum/blob/master/quantum/db/securitygroups_db.py#L125

The quantum security group rules should follow in line with this:

These are the basic characteristics of VPC security groups:

- You can specify *allow* rules, but not *deny* rules.
- You can specify inbound rules and separate outbound rules.
- By default, no ingress is allowed into a security group until you add inbound rules to the group.
- By default, all egress is allowed from the security group until you add outbound rules to the group (then only the egress you specified is allowed).
- Responses to allowed inbound traffic are allowed to egress regardless of outbound rules, and vice versa (security groups are therefore *stateful*).
- Instances in a group can't talk to each other unless you add rules allowing it (exception: instances in the default security group have these rules by default).
- After you launch an instance, you can change which security groups the instance is in.

--- http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

Aaron

On Tue, Dec 11, 2012 at 7:51 PM, gong yong sheng <[email protected]> wrote:

> Hi arosen,
> you told me that:
> arosen> gongysh: by default, the default security group that ports are a
> part of should allow all outgoing traffic but no incoming traffic. It
> should also allow communication between ports that are in the same default
> security group.
>
> but why the default rules in default security group are empty ingress rules:
>
> +--------------------------------------+--------------------------------------+-----------+----------+------------------+--------------------------------------+
> | id                                   | security_group_id                    | direction | protocol | source_ip_prefix | source_group_id                      |
> +--------------------------------------+--------------------------------------+-----------+----------+------------------+--------------------------------------+
> | 05c21e84-92e2-449f-b483-9339e800843a | 34b25361-ce71-4e59-b6d5-53c7111ce219 | ingress   |          |                  | 34b25361-ce71-4e59-b6d5-53c7111ce219 |
> | 334b3be4-782a-40e3-9461-ebda2cfb6c28 | 6a0ffb7d-a877-44e8-bac5-712dd7b3dd02 | ingress   | icmp     |                  |                                      |
> | 3829a787-53f6-459e-af1f-20172820958e | beb3a1d9-64ea-4634-a5e4-c3d1fd9ad9d0 | ingress   |          |                  | beb3a1d9-64ea-4634-a5e4-c3d1fd9ad9d0 |
> | 54bdf2ce-15e5-479d-aed8-86f05da64b91 | beb3a1d9-64ea-4634-a5e4-c3d1fd9ad9d0 | ingress   |          |                  | beb3a1d9-64ea-4634-a5e4-c3d1fd9ad9d0 |
> | 810ce2fa-f322-415f-8173-7191b62a09fd | 6a0ffb7d-a877-44e8-bac5-712dd7b3dd02 | ingress   |          |                  | 6a0ffb7d-a877-44e8-bac5-712dd7b3dd02 |
> | 88f98b6a-5284-400c-bcef-931cb51bced0 | 6a0ffb7d-a877-44e8-bac5-712dd7b3dd02 | ingress   |          |                  | 6a0ffb7d-a877-44e8-bac5-712dd7b3dd02 |
> | 98651af6-0750-4c3d-9f0b-da63061677a6 | 6a0ffb7d-a877-44e8-bac5-712dd7b3dd02 | ingress   | icmp     |                  | 34b25361-ce71-4e59-b6d5-53c7111ce219 |
> | b8ffa5d7-d3d0-4f76-8e5c-0efa3943d0b4 | e8bda381-ed18-456d-a2f5-99182896c371 | ingress   |          |                  | e8bda381-ed18-456d-a2f5-99182896c371 |
> | bbed317e-5632-4744-bea3-a541d01096df | e8bda381-ed18-456d-a2f5-99182896c371 | ingress   |          |                  | e8bda381-ed18-456d-a2f5-99182896c371 |
> | d9983063-de2e-4da5-9f0b-68d315b78ad6 | e8bda381-ed18-456d-a2f5-99182896c371 | ingress   | icmp     |                  |                                      |
> | f6425925-f289-40b6-931d-dcf2851af9ec | 34b25361-ce71-4e59-b6d5-53c7111ce219 | ingress   |          |                  | 34b25361-ce71-4e59-b6d5-53c7111ce219 |
> +--------------------------------------+--------------------------------------+-----------+----------+------------------+--------------------------------------+
>
> Thanks
> Yong Sheng Gong
--
Mailing list: https://launchpad.net/~quantum-core
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~quantum-core
More help   : https://help.launchpad.net/ListHelp
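
An added example, not part of the original emails and not Quantum's own code: a small evaluator for the allow-only, default-deny ingress semantics listed in the reply, run over the rows of two groups from the quoted listing. It assumes that a blank `protocol` or `source_ip_prefix` column means "any" and that `source_group_id` restricts the sender to ports in that group; the port names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

SG_A = "34b25361-ce71-4e59-b6d5-53c7111ce219"  # group ids copied from the listing
SG_B = "6a0ffb7d-a877-44e8-bac5-712dd7b3dd02"

@dataclass(frozen=True)
class Rule:
    security_group_id: str
    protocol: Optional[str] = None          # None: blank column, assumed "any protocol"
    source_ip_prefix: Optional[str] = None  # None: blank column, assumed "any address"
    source_group_id: Optional[str] = None   # None: sender need not belong to a group

# The ingress rows of SG_A and SG_B as they appear in the listing.
RULES = [
    Rule(SG_A, source_group_id=SG_A),
    Rule(SG_A, source_group_id=SG_A),
    Rule(SG_B, protocol="icmp"),
    Rule(SG_B, source_group_id=SG_B),
    Rule(SG_B, source_group_id=SG_B),
    Rule(SG_B, protocol="icmp", source_group_id=SG_A),
]

# Constructed ports: name -> set of security groups the port belongs to.
PORTS = {"a1": {SG_A}, "a2": {SG_A}, "b1": {SG_B}}

def matches(rule, protocol, src_ip, src_groups):
    """True if every populated field of the rule matches the packet."""
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.source_ip_prefix is not None:
        net = ipaddress.ip_network(rule.source_ip_prefix)
        if ipaddress.ip_address(src_ip) not in net:
            return False
    if rule.source_group_id is not None and rule.source_group_id not in src_groups:
        return False
    return True

def ingress_allowed(dst_port, protocol, src_ip, src_port=None,
                    rules=RULES, ports=PORTS):
    """Allow-only evaluation: permitted only if a rule of a destination group matches."""
    src_groups = ports.get(src_port, set())  # senders outside the cloud are in no group
    return any(r.security_group_id in ports[dst_port]
               and matches(r, protocol, src_ip, src_groups) for r in rules)
```

Under those assumptions, the rows with a blank protocol whose `source_group_id` equals their own `security_group_id` are what admit traffic between ports of the same group, while everything else inbound stays denied.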

