
OpenStack Security Groups

At their core, OpenStack Security Groups are iptables-based firewalls built around an Instance at the hypervisor level. Security Groups can be used in conjunction with OS-level firewalls (e.g., FirewallD, iptables) but do not overlap with them (see Important Notes).

Important Notes for OpenStack Security Groups

  • IPv6 is not currently supported in OpenStack.
  • Changes to Security Groups take effect immediately.
  • Unlike normal Linux firewall rules, the rule order does not matter in OpenStack Security Groups.
  • By default, all Instances within the same Project can communicate with each other.
  • Using 160.91.8.218:6556 to access ORNL's Check_MK service is allowed but not enabled by default. For monitoring of uptime and basic metrics, please contact the CADES team for assistance.
  • No firewall is enabled in the CADES-provided operating system (OS) images. Instead, we rely on the OpenStack Security Groups. The user is responsible for enabling and configuring extra OS-level firewall rules as desired.
  • User-added firewall and iptables rules supersede rules set in OpenStack Security Groups. For example, a Security Group rule that enables ingress access has no effect on traffic that is blocked at the OS level by the firewall or iptables; that traffic will still be blocked.
  • By default, all newly created Security Groups allow all outbound IPv4 and IPv6 traffic (the IPv6 rule is enabled but not functional). By default, no inbound traffic is allowed.
  • The CADES team recommends that users leave existing Security Group rules in place as many of these rules are used by the CADES support team (e.g., for monitoring and metrics).
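
The notes on rule order and on OS-level rules can be checked with a small model. The following is an added example, not CADES or OpenStack code: it treats a Security Group as an unordered allow-list with default-deny ingress and the OS firewall as an ordered first-match chain, and shows that traffic must pass both. The rule format, function names, and addresses (documentation ranges) are assumptions; connection tracking and IPv6 are not modeled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    proto: str               # "tcp" or "udp"
    ports: range             # destination ports covered by the rule
    cidr: str                # remote (source) network
    action: str = "ACCEPT"   # only used by OS-level rules; groups are allow-only

    def matches(self, proto, port, src):
        return (proto == self.proto and port in self.ports
                and ip_address(src) in ip_network(self.cidr))

def sg_allows(sg_rules, proto, port, src):
    """Security Group: allow-only rules, order irrelevant, default deny inbound."""
    return any(r.matches(proto, port, src) for r in sg_rules)

def host_allows(chain, proto, port, src, policy="ACCEPT"):
    """OS-level chain: first matching rule wins, otherwise the chain policy applies.
    The ACCEPT default models an image with no OS firewall enabled (assumption)."""
    for r in chain:
        if r.matches(proto, port, src):
            return r.action == "ACCEPT"
    return policy == "ACCEPT"

def ingress_reaches_service(sg_rules, chain, proto, port, src):
    """A packet must pass the hypervisor-level group and then the OS firewall."""
    return sg_allows(sg_rules, proto, port, src) and host_allows(chain, proto, port, src)

# Constructed sample rules; these are not CADES values.
SG = [Rule("tcp", range(22, 23), "198.51.100.0/24"),
      Rule("tcp", range(443, 444), "0.0.0.0/0")]
HOST_CHAIN = [Rule("tcp", range(22, 23), "198.51.100.7/32", "DROP"),
              Rule("tcp", range(22, 23), "198.51.100.0/24", "ACCEPT")]

def demo():
    return {
        "ssh_from_allowed_net": ingress_reaches_service(SG, HOST_CHAIN, "tcp", 22, "198.51.100.20"),
        "ssh_dropped_by_host": ingress_reaches_service(SG, HOST_CHAIN, "tcp", 22, "198.51.100.7"),
        "port_without_sg_rule": ingress_reaches_service(SG, [], "tcp", 8080, "198.51.100.20"),
        "sg_reversed_same_result": sg_allows(SG[::-1], "tcp", 22, "198.51.100.7"),
        "host_reversed_now_accepts": host_allows(HOST_CHAIN[::-1], "tcp", 22, "198.51.100.7"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```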
