
deactivate security groups

asked 2014-09-23 13:58:45 -0500

genomex

updated 2014-09-23 14:09:41 -0500

I want to disable the security groups within OpenStack Icehouse. Is this possible, and how can I accomplish this? I already tried a few different things, but this always results in an error with booting instances or failing DHCP.

I tried this one for example: https://ask.openstack.org/en/question/9592/disabling-security-groups-in-horizon/


3 answers

0

answered 2014-09-23 21:20:47 -0500

larsks

It depends on what you mean by "disabling security groups". You can create a security group that permits all traffic. E.g., using Neutron:

neutron security-group-create all_open
neutron security-group-rule-create --protocol icmp all_open
neutron security-group-rule-create --protocol tcp all_open
neutron security-group-rule-create --protocol udp all_open

Or using Nova:

nova secgroup-create all_open "Allow all ip traffic"
nova secgroup-add-rule all_open icmp -1 -1 0.0.0.0/0
nova secgroup-add-rule all_open tcp 1 65535 0.0.0.0/0
nova secgroup-add-rule all_open udp 1 65535 0.0.0.0/0

But there will still be anti-spoofing rules attached to your instances that will prevent them from originating traffic from other than their assigned fixed address, meaning that they can't be used as a router by other systems. There is work afoot to permit this:

Neither of these changes has merged at this time.


Comments

I want to set up OpenStack with virtual routers and not with the default router in OpenStack. That is why I want to fully disable the security group so all traffic will be allowed. Because of the anti-spoofing rules I can't use the virtual router to forward traffic to different subnets.

genomex (2014-09-24 01:58:09 -0500)
0

answered 2014-09-24 07:01:27 -0500

genomex

updated 2014-10-05 12:41:55 -0500

If you want to disable the anti-spoofing in your iptables, change this file: /usr/lib/python2.7/dist-packages/neutron/agent/linux/iptables_firewall.py

From:

def _setup_spoof_filter_chain(self, port, table, mac_ip_pairs, rules):
    table.add_rule(chain_name, '-j DROP')

To:

    table.add_rule(chain_name, '-j ACCEPT')

This will do the trick for Vyatta or SRX routers to route between the instances without the packets being dropped by iptables.

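The two answers above describe the same mechanism from two sides: larsks explains that the per-port anti-spoofing chain only lets traffic through when the source MAC and IP match the port's fixed address, and genomex's patch replaces that chain's terminal DROP with ACCEPT. The following model is an added example, not Neutron's code or anything from this thread; it builds the chain the way the answers describe it (one RETURN rule per (MAC, IP) pair followed by a terminal rule), evaluates a few constructed packets against it, and shows what the DROP-to-ACCEPT edit actually throws away. It also generalises the chain with per-port (MAC, CIDR) exceptions, which is an assumption about how such a chain can be scoped to a routed subnet rather than a statement about what the Icehouse firewall driver supports; the port, MAC and address values are all constructed.

```python
"""Model of a Neutron-style per-port anti-spoofing chain (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One iptables-like rule: optional MAC/source-network match, then a target."""
    target: str                 # RETURN (pass on to the security-group rules), DROP or ACCEPT
    mac: Optional[str] = None   # --mac-source match; None means any MAC
    net: Optional[str] = None   # -s match; None means any source address

    def matches(self, src_mac: str, src_ip: str) -> bool:
        if self.mac is not None and self.mac.lower() != src_mac.lower():
            return False
        if self.net is not None and ip_address(src_ip) not in ip_network(self.net, strict=False):
            return False
        return True

    def render(self) -> str:
        """Render in iptables syntax, the form the chain takes on the compute node."""
        parts: List[str] = []
        if self.mac is not None:
            parts += ["-m", "mac", "--mac-source", self.mac.upper()]
        if self.net is not None:
            parts += ["-s", self.net]
        parts += ["-j", self.target]
        return " ".join(parts)


@dataclass
class Port:
    """Constructed stand-in for a Neutron port: its MAC, fixed IPs and extra allowed pairs."""
    mac: str
    fixed_ips: List[str]
    allowed_pairs: List[Tuple[str, str]] = field(default_factory=list)  # (mac, cidr), assumed extension


def build_spoof_chain(port: Port, final_target: str = "DROP") -> List[Rule]:
    """Legitimate (MAC, address) pairs RETURN; everything else hits the terminal rule.

    final_target="DROP" is the anti-spoofing behaviour the answers describe;
    final_target="ACCEPT" models the one-line patch from the second answer.
    """
    chain = [Rule("RETURN", port.mac, ip) for ip in port.fixed_ips]
    chain += [Rule("RETURN", mac, cidr) for mac, cidr in port.allowed_pairs]
    chain.append(Rule(final_target))
    return chain


def verdict(chain: List[Rule], src_mac: str, src_ip: str) -> str:
    """Walk the chain top to bottom; the first matching rule decides, like iptables."""
    for rule in chain:
        if rule.matches(src_mac, src_ip):
            return rule.target
    return "RETURN"  # unreachable with build_spoof_chain(), which always ends in a catch-all


def compare_policies() -> dict:
    """Evaluate constructed packets under the three chains and return the verdicts."""
    router_mac = "fa:16:3e:00:00:01"
    router = Port(router_mac, ["10.0.1.10"])                       # virtual router's own port
    router_scoped = Port(router_mac, ["10.0.1.10"], [(router_mac, "10.0.2.0/24")])
    packets = {
        "own_address": (router_mac, "10.0.1.10"),     # router's own traffic
        "routed_subnet": (router_mac, "10.0.2.5"),    # forwarded from the subnet behind it
        "unrelated_spoof": (router_mac, "198.51.100.7"),  # arbitrary spoofed source
    }
    policies = {
        "default_drop": build_spoof_chain(router),
        "patched_accept": build_spoof_chain(router, "ACCEPT"),
        "scoped_exception": build_spoof_chain(router_scoped),
    }
    return {name: {pkt: verdict(chain, *addr) for pkt, addr in packets.items()}
            for name, chain in policies.items()}


if __name__ == "__main__":
    for name, chain in {
        "default_drop": build_spoof_chain(Port("fa:16:3e:00:00:01", ["10.0.1.10"])),
    }.items():
        print(name)
        for rule in chain:
            print("   ", rule.render())
    for policy, results in compare_policies().items():
        print(policy, results)
```

The result table makes the trade-off concrete: the default chain drops the router's forwarded packets (the problem the question describes), the patched chain lets them through but also accepts the unrelated spoofed source from every instance on the host, and a chain that adds only the routed subnet as an exception for that one port forwards the packets while still dropping the spoof. Whatever mechanism your release offers for such an exception, auditing the rendered chain on the compute node (the `render()` form above) is the check to run after any change here.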
