Default security group wildcard rules

asked 2016-10-24 06:37:05 -0500

Fenuks gravatar image

Upon project creation a default security group is created with rules that look like this:

$ openstack security group rule show 52c0d45f-3382-4694-860b-7ce9005029d0
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| description       |                                      |
| direction         | ingress                              |
| ethertype         | IPv4                                 |
| id                | 52c0d45f-3382-4694-860b-7ce9005029d0 |
| port_range_max    | None                                 |
| port_range_min    | None                                 |
| project_id        | 9f0be72f0b784c9bbf81e14632785c88     |
| protocol          | None                                 |
| remote_group_id   | e36161a1-fae7-4f90-8a8c-4601d5809939 |
| remote_ip_prefix  | None                                 |
| security_group_id | e36161a1-fae7-4f90-8a8c-4601d5809939 |
+-------------------+--------------------------------------+

Note the 'port_range_max: None', 'port_range_min: None', 'Protocol: None' and 'remote_ip_prefix: None' in table.
In Horizon it would state 'IP Protocol: Any', 'Port Range: Any' and 'Remote IP Prefix: -'.

Is there a way to create such groups manually? Or do I need to create 3 groups instead

  1. All TCP with remote_group='Group name'
  2. All UDP with remote_group='Group name'
  3. All ICMP with remote_group='Group name'

for every security group?

In Horizon there's a way to create rule for 'Other protocol' and set protocol as 'integer value between 0 and 255 (or -1 which means wildcard)', but it gives error when set to '-1', so it does not work. It's either an error in tooltip and should be removed, or it's supposed to work and should be fixed?

P.S. In reality I've had a problem with security groups — there stopped working after Neutron node reboot allowing all traffic inside. In my experiments I've deleted those 2 groups, it didn't help (obviously) and I had to cover ports on VM's with firewall.
Now after another reboot Security Groups started working again locking my instances. Without those wildcard rules it all stopped working. And all I came up with is creating rules for all protocols to allow ingress traffic with remote group default.

edit retag flag offensive close merge delete