OpenStack Security Groups
At their core, the OpenStack Security Groups are iptable-based firewalls built around an Instance at the hypervisor level. The Security Groups can be used in conjunction with the OS-level firewalls (e.g., FirewallD, iptables) but do not overlap with them (see Important Notes).
Important Notes for OpenStack Security Groups
- IPV6 is not currently supported in OpenStack.
- Changes to Security Groups take effect immediately.
- Unlike normal Linux firewall rules, the rule order does not matter in OpenStack Security Groups.
- By default, all Instances within the same Project can communicate with each other.
- Using 126.96.36.199:6556 to access ORNL's Check_MK service is allowed but not enabled by default. For monitoring of uptime and basic metrics, please contact the CADES team for assistance.
- No firewall is enabled in the CADES-provided operating system (OS) images. Instead, we rely on the OpenStack Security Groups. The user is responsible for enabling and configuring extra OS–level firewall rules as desired.
- User-added firewall and iptable rules supersede rules set in OpenStack Security Groups. For example, ingress access enabled by a rule in the OpenStack Security Group that are otherwise blocked at the OS level using the firewall or iptables will be ineffective, and that traffic will still be blocked.
- By default, all newly created Security Groups allow all outbound IPV4 and IPV6 (enabled but not functional). By default, no inbound traffic is allowed.
- The CADES team recommends that users leave existing Security Group rules in place as many of these rules are used by the CADES support team (e.g., for monitoring and metrics).