[rhos-list] Quantum security group egress
Maru Newby
marun at redhat.com
Mon Jul 8 17:45:10 UTC 2013
On Jul 8, 2013, at 1:33 PM, Perry Myers <pmyers at redhat.com> wrote:
> On 07/04/2013 07:03 AM, Ofer Blaut wrote:
>> Hi
>>
>> By default egress security group is allow all.
>>
>> http://docs.openstack.org/trunk/openstack-network/admin/content/securitygroups.html
>>
>> Since there are no deny actions, I expect that once the first egress rule is applied, all other traffic will be dropped
>>
>> I have tried it by adding SSH to egress; ping still worked
>>
>> http://pastebin.test.redhat.com/150744
>
> Ofer,
>
> So what you're saying is that there should be a deny all rule added once
> the user adds the first real egress rule.
If a user wants to manage egress traffic, the first step is removing the default 'allow all egress' rule. This is by design, and there would need to be a good reason (convenience is not it) for it to be changed.
m.
>
> Otherwise the egress rules serve no purpose really...
>
> That seems to make sense to me. What do the neutron folks think?
>
> Perry
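
Added example, not part of the original thread or of the Quantum code base: a simplified Python model of the allow-only egress evaluation discussed above, showing why ping kept working after the SSH rule was added and what changes once the default 'allow all egress' rule is removed. The rule fields and sample rules are constructed for illustration and are not the Quantum schema.

```python
# Simplified model of allow-only egress evaluation (assumption: a packet is
# permitted if ANY rule matches; with no matching rule it is dropped).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EgressRule:
    protocol: Optional[str] = None   # None matches any protocol
    port_min: Optional[int] = None   # None matches any port
    port_max: Optional[int] = None

    def matches(self, protocol, port=None):
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port_min is None:
            return True
        return port is not None and self.port_min <= port <= self.port_max


def egress_allowed(rules, protocol, port=None):
    """There are no deny actions: the rule set is a union of allows."""
    return any(rule.matches(protocol, port) for rule in rules)


ALLOW_ALL = EgressRule()               # constructed stand-in for the default rule
SSH_ONLY = EgressRule("tcp", 22, 22)   # constructed stand-in for the added SSH rule


def scenario_results():
    as_reported = [ALLOW_ALL, SSH_ONLY]   # SSH rule added, default rule kept
    default_removed = [SSH_ONLY]          # default rule deleted first
    return {
        "reported_ping": egress_allowed(as_reported, "icmp"),
        "reported_ssh": egress_allowed(as_reported, "tcp", 22),
        "removed_ping": egress_allowed(default_removed, "icmp"),
        "removed_ssh": egress_allowed(default_removed, "tcp", 22),
        "removed_http": egress_allowed(default_removed, "tcp", 80),
        "no_rules_ssh": egress_allowed([], "tcp", 22),
    }


if __name__ == "__main__":
    for name, allowed in scenario_results().items():
        print(f"{name}: {'allowed' if allowed else 'dropped'}")
```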