[rhos-list] Quantum security group egress

Maru Newby marun at redhat.com
Mon Jul 8 17:45:10 UTC 2013


On Jul 8, 2013, at 1:33 PM, Perry Myers <pmyers at redhat.com> wrote:

> On 07/04/2013 07:03 AM, Ofer Blaut wrote:
>> Hi
>> 
>> By default, the egress security group is allow all.
>> 
>> http://docs.openstack.org/trunk/openstack-network/admin/content/securitygroups.html
>> 
>> Since there are no deny actions, I expect that once the first egress rule is applied, all other traffic will be dropped.
>> 
>> I have tried it by adding SSH to egress; ping still worked.
>> 
>> http://pastebin.test.redhat.com/150744
> 
> Ofer,
> 
> So what you're saying is that there should be a deny all rule added once
> the user adds the first real egress rule.

If a user wants to manage egress traffic, the first step is removing the default 'allow all egress' rule. This is by design, and there would need to be a good reason (convenience is not it) for it to be changed.


m.

> 
> Otherwise the egress rules serve no purpose really...
> 
> That seems to make sense to me.  What do the neutron folks think?
> 
> Perry
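
A small model of the allow-only egress evaluation discussed in this message, added here as an illustration and not taken from the thread or from Quantum's code. The class and function names and the 198.51.100.7 destination are constructed for the example; it assumes a packet is permitted when any rule in the group matches it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EgressRule:
    """One allow rule. None for protocol/ports means 'any' (hypothetical model)."""
    protocol: Optional[str] = None
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_cidr: str = "0.0.0.0/0"

    def matches(self, protocol, dst_ip, dst_port=None):
        addr = ipaddress.ip_address(dst_ip)
        net = ipaddress.ip_network(self.remote_cidr)
        if addr.version != net.version or addr not in net:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port_min is not None:
            # Port-restricted rule: only traffic with a port in range matches.
            return dst_port is not None and self.port_min <= dst_port <= self.port_max
        return True


def egress_allowed(rules, protocol, dst_ip, dst_port=None):
    """No deny action exists: traffic passes if ANY rule matches, else it is dropped."""
    return any(r.matches(protocol, dst_ip, dst_port) for r in rules)


DEFAULT_ALLOW_ALL = EgressRule()                                  # the default egress rule
SSH_ONLY = EgressRule(protocol="tcp", port_min=22, port_max=22)   # the rule that was added


def scenario(dst="198.51.100.7"):  # constructed documentation address
    out = {}
    rules = [DEFAULT_ALLOW_ALL, SSH_ONLY]          # SSH added, default still present
    out["ping_with_default"] = egress_allowed(rules, "icmp", dst)
    rules = [r for r in rules if r != DEFAULT_ALLOW_ALL]  # first step: remove the default
    out["ping_after_removal"] = egress_allowed(rules, "icmp", dst)
    out["ssh_after_removal"] = egress_allowed(rules, "tcp", dst, 22)
    out["http_after_removal"] = egress_allowed(rules, "tcp", dst, 80)
    return out


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'ALLOW' if allowed else 'DROP'}")
```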




