OpenStack Security Groups
At their core, OpenStack Security Groups are iptables-based firewalls applied to an Instance at the hypervisor level, outside the guest operating system. They can be used in conjunction with OS-level firewalls (e.g., FirewallD, iptables), but the two layers are independent and do not overlap (see Important Notes).
Important Notes for OpenStack Security Groups
- IPv6 is not currently supported in OpenStack.
- Changes to Security Groups take effect immediately.
- Unlike ordinary Linux firewall rules, rule order does not matter in OpenStack Security Groups.
- By default, all Instances within the same Project can communicate with each other.
- Using 160.91.8.218:6556 to access ORNL's Check_MK service is allowed but not enabled by default. For monitoring of uptime and basic metrics, please contact the ORC Tickets Support for assistance.
- No firewall is enabled in the CADES-provided operating system (OS) images; instead, we rely on the OpenStack Security Groups. The user is responsible for enabling and configuring any additional OS-level firewall rules as desired.
- User-added firewall and iptables rules supersede rules set in OpenStack Security Groups. For example, ingress access that is enabled by a rule in the OpenStack Security Group but is blocked at the OS level by the firewall or iptables remains ineffective, and that traffic will still be blocked.
- By default, every newly created Security Group allows all outbound IPv4 and IPv6 traffic (the IPv6 rule exists but is not functional, since IPv6 is not supported). By default, no inbound traffic is allowed.
- The CADES team recommends that users leave existing Security Group rules in place as many of these rules are used by the CADES support team (e.g., for monitoring and metrics).
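To make three of the notes above concrete (rule order is irrelevant, a new group allows egress but no ingress, and an OS-level block still wins), here is an added Python model of how inbound traffic is evaluated; it is not CADES or OpenStack code, and the rule sets, addresses and the `icmp` handling are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SGRule:
    """OpenStack Security Group rule: grants access only, no ordering, no deny."""
    direction: str              # "ingress" or "egress"
    protocol: str = "any"       # "tcp", "udp", "icmp" or "any"
    port_min: int = 1
    port_max: int = 65535
    remote: str = "0.0.0.0/0"   # remote CIDR (IPv4 only, per the notes above)


@dataclass(frozen=True)
class OSRule:
    """OS-level (iptables-style) rule: the first matching rule decides."""
    action: str                 # "ACCEPT" or "DROP"
    protocol: str = "any"
    port_min: int = 1
    port_max: int = 65535
    source: str = "0.0.0.0/0"


def _matches(rule, protocol, port, remote_ip, cidr):
    proto_ok = rule.protocol in (protocol, "any")
    port_ok = protocol == "icmp" or rule.port_min <= port <= rule.port_max  # icmp has no port
    return proto_ok and port_ok and ip_address(remote_ip) in ip_network(cidr)


def sg_allows(rules, direction, protocol, port, remote_ip):
    """Any matching rule permits the packet (order irrelevant); no match means dropped."""
    return any(r.direction == direction and _matches(r, protocol, port, remote_ip, r.remote)
               for r in rules)


def os_allows(chain, protocol, port, remote_ip, policy="ACCEPT"):
    """Walk the chain in order; the first match wins, otherwise the chain policy applies."""
    for r in chain:
        if _matches(r, protocol, port, remote_ip, r.source):
            return r.action == "ACCEPT"
    return policy == "ACCEPT"   # an empty chain (no OS firewall) accepts everything


def ingress_reaches_instance(sg_rules, os_chain, protocol, port, remote_ip):
    """Inbound traffic must pass BOTH layers: an OS-level DROP is not overridden by a SG allow."""
    return (sg_allows(sg_rules, "ingress", protocol, port, remote_ip)
            and os_allows(os_chain, protocol, port, remote_ip))


# Constructed sample rule sets (not real CADES configuration).
DEFAULT_SG = [SGRule("egress")]                                        # new group: egress only
SSH_FROM_CAMPUS = DEFAULT_SG + [SGRule("ingress", "tcp", 22, 22, "10.0.0.0/8")]
OS_DROPS_SSH = [OSRule("DROP", "tcp", 22, 22)]                         # guest firewall blocks SSH
```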