security group creation adds unrestricted egress rules by default?

asked 2016-01-28 05:24:03 -0600

sxc731

updated 2016-01-28 05:24:28 -0600

Can you help me understand why when a new (blank) security group is created, unrestricted egress rules are automatically added by default?

$ neutron security-group-create TEST
$ neutron security-group-rule-list | grep 'TEST\|id'
| id             | security_group | direction | ethertype | protocol/port | remote          |
| ccbcc5e5...794 | TEST           | egress    | IPv6      | any           | any             |
| fc1b9168...92f | TEST           | egress    | IPv4      | any           | any             |

I'm probably missing something (apologies if so), but since these rules are also present on the 'default' security group, this would seem redundant at best and potentially dangerous at worst: in case the tenant is trying to restrict egress traffic, they need to remember to delete these default rules whenever they create a new SG?

I'm asking two questions:

  1. What's the rationale?
  2. Is there a way to alter this? (unless of course I misunderstood something about the rationale)

I'm using Kilo with Neutron w/VLAN segregation, provisioned by Fuel 7.0.

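Added example (not part of the original question or of Neutron itself): Neutron attaches one IPv4 and one IPv6 allow-all egress rule to every newly created security group, and the only way to get a closed egress posture is to delete them afterwards with `neutron security-group-rule-delete`. The script below parses the table printed by `neutron security-group-rule-list` (the Kilo layout shown in the question is assumed), picks out the rules on a named group that allow all egress (direction `egress`, protocol/port `any`, remote `any`) and turns them into delete commands. The table contents and UUIDs are a constructed sample so the script runs offline; set `LIVE=1` to run it against a real deployment.

```shell
#!/bin/sh
# Find and remove the wide-open egress rules Neutron adds to a new security
# group.  Assumes the column layout of `neutron security-group-rule-list` on
# Kilo (id | security_group | direction | ethertype | protocol/port | remote).

# Constructed sample output (made-up UUIDs, not the ids from the question).
# TEST carries the two default egress rules plus one deliberate ingress rule.
sample_rules() {
    cat <<'EOF'
+--------------------------------------+----------------+-----------+-----------+---------------+--------------+
| id                                   | security_group | direction | ethertype | protocol/port | remote       |
+--------------------------------------+----------------+-----------+-----------+---------------+--------------+
| 11111111-1111-4111-8111-111111111111 | TEST           | egress    | IPv6      | any           | any          |
| 22222222-2222-4222-8222-222222222222 | TEST           | egress    | IPv4      | any           | any          |
| 33333333-3333-4333-8333-333333333333 | TEST           | ingress   | IPv4      | 22/tcp        | 10.0.0.0/24  |
| 44444444-4444-4444-8444-444444444444 | default        | egress    | IPv4      | any           | any          |
+--------------------------------------+----------------+-----------+-----------+---------------+--------------+
EOF
}

# Print the ids of rules on security group $1 that allow all egress traffic.
# Reads the rule table on stdin.  A fresh group yields two ids (IPv4 + IPv6);
# rules with a specific protocol/port or remote are left alone.
unrestricted_egress_ids() {
    awk -F'|' -v sg="$1" '
        NF < 8 { next }                                   # skip +----+ separator lines
        { for (i = 2; i <= 7; i++) gsub(/^ +| +$/, "", $i) }  # trim cell padding
        $2 == "id" { next }                               # skip the header row
        $3 == sg && $4 == "egress" && $6 == "any" && $7 == "any" { print $2 }
    '
}

# Render the matching ids as the CLI calls that strip them (printed, not run).
delete_commands() {
    unrestricted_egress_ids "$1" | sed 's/^/neutron security-group-rule-delete /'
}

if [ "${LIVE:-0}" = "1" ]; then
    # Real deployment: list, filter, delete.  SG defaults to TEST as in the question.
    neutron security-group-rule-list | unrestricted_egress_ids "${SG:-TEST}" |
        xargs -n1 neutron security-group-rule-delete
else
    # Offline dry run over the constructed sample.
    sample_rules | delete_commands TEST
fi
```

Run it right after `neutron security-group-create` and the group ends up with no egress rules at all; add the specific egress rules you want afterwards, since the deletion leaves instances in the group with no outbound connectivity.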