Managing firewall rules and port security on networks using OpenStack CLI
Find out how security groups work on Public Cloud
Last updated 13th March 2023
Objective
The OpenStack platform manages firewall security by combining connection rules into security groups. Rules are then applied by assigning security groups to networking ports.
A port in the context of OpenStack Neutron is a point of connection between subnets and networking elements (such as instances, load balancers, routers etc.).
This guide explains how security groups for public and private networks are managed on Public Cloud.
Requirements
- Preparing the environment to use the OpenStack API
- Setting the OpenStack environment variables
Instructions
Activation process
This guide section only concerns configurations for private networks.
For pre-existing private networks
To prevent breaking changes during OpenStack Stein and Open vSwitch version upgrades, the "port security" has been set to "False" on existing networks.
You have to use openstack CLI to enable the port security on your existing ports and network.
First, if you want to use firewall rules on private networks you will have to set the "port security" property as "True":
openstack network set --enable-port-security <network_ID>
Then, you will need to enable the port security on the port of your service in this network.
As a reminder, to retrieve the port, you can use OpenStack CLI. Execute the command openstack port list --server <server_ID> to retrieve the ports on a given server.
For all services with an active port in this network, enable port security:
openstack port set --enable-port-security <port_ID>
Then you can check if a port has port security enabled:
openstack port show <port-ID> -f value -c port_security_enabled
The result should look like the following:
$ openstack port show d7c237cd-8dee-4503-9073-693d986baff3 -f value -c port_security_enabled
False
For a new private network
Since the upgrade to the Stein version on OpenStack regions and the new version of Open vSwitch will be done from September 6th, 2022 (Private network port default configuration change), the "port security" flag will be set to "True" by default on any newly created private network.
This will ensure that we stay consistent with the default "True" policy, like on vanilla OpenStack deployments.
Default settings
Each networking port is attached to a security group which contains some specific rules.
The "default" security group contains the following rules:
openstack security group rule list default
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| 3a5564b7-5b68-4923-b796-26eb623c5b53 | None | IPv6 | ::/0 | | None |
| 43f2b673-9cbc-4bac-ad66-22ef4789d0fc | None | IPv6 | ::/0 | | None |
| a6a1ecfd-4713-4316-a020-74eccd49fd6c | None | IPv4 | 0.0.0.0/0 | | None |
| cd66a601-de94-4dbe-ae21-44792229d351 | None | IPv4 | 0.0.0.0/0 | | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
The return shows that all connections are allowed for any protocol and in both directions.
As a consequence, all the network ports (public and private) will allow every connection when you start an instance.
Managing your private firewall rules
Adding rules
If you want to configure specific rules, you need to create a new security group and associate your network port with it. We advise not changing the default security group. This is to keep access to your instance under all circumstances (e.g. in rescue mode).
Use this command to create the group:
openstack security group create private
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2021-11-05T15:14:37Z |
| description | private |
| id | eeae05a8-c81e-40a4-a3aa-fdbebcbf72b4 |
| location | cloud='', project.domain_id=, project.domain_name='Default', project.id='9ea425f44c284d488c6d8e28ccc8bff0', project.name='3614264792735868', region_name='GRA11', zone= |
| name | private |
| project_id | 9ea425f44c284d488c6d8e28ccc8bff0 |
| revision_number | 1 |
| rules | created_at='2021-11-05T15:14:37Z', direction='egress', ethertype='IPv4', id='54fae025-3439-4e45-8745-2ffe5b261f72', revision_number='1', updated_at='2021-11-05T15:14:37Z' |
| | created_at='2021-11-05T15:14:37Z', direction='egress', ethertype='IPv6', id='ad1aa507-79bd-434f-b674-221ef41d9ba6', revision_number='1', updated_at='2021-11-05T15:14:37Z' |
| stateful | None |
| tags | [] |
| updated_at | 2021-11-05T15:14:37Z |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
This example security group has only egress rules which means no ingress communication will be allowed.
To add a rule for SSH connections for example, you can use this command:
openstack security group rule create --protocol tcp --dst-port 22 private
+-------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2021-11-05T15:19:37Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 8f026e18-1c8b-4042-8655-10c9a773d131 |
| location | cloud='', project.domain_id=, project.domain_name='Default', project.id='9ea425f44c284d488c6d8e28ccc8bff0', project.name='3614264792735868', region_name='GRA11', zone= |
| name | None |
| port_range_max | 22 |
| port_range_min | 22 |
| project_id | 9ea425f44c284d488c6d8e28ccc8bff0 |
| protocol | tcp |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 1 |
| security_group_id | eeae05a8-c81e-40a4-a3aa-fdbebcbf72b4 |
| tags | [] |
| updated_at | 2021-11-05T15:19:37Z |
+-------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Enter the following command to associate your security group with your port:
openstack port set --security-group private 5be009d9-fc2e-4bf5-a152-dab52614b02d
Go further
Join our community of users on https://community.ovh.com/en/.
Did you find this guide useful?
Please feel free to give any suggestions in order to improve this documentation.
Whether your feedback is about images, content, or structure, please share it, so that we can improve it together.
Your support requests will not be processed via this form. To do this, please use the "Create a ticket" form.
Thank you. Your feedback has been received.