Security Groups (Firewall)
A security group acts as a virtual firewall for servers and other resources on a network.
By default, when creating a VM, a default security group is created meaning all the outgoing traffic is authorised while all incoming traffic is blocked.
You can add rules to this default security group or create new ones following this guide.
Creating a security group
When creating a new security group all the outgoing traffic is authorised while all incoming traffic is blocked.
$ openstack security group create taylor
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2021-02-25T07:50:03Z |
| description | taylor |
| id | d2446c3f-66bf-41c7-831e-270e0533b911 |
| name | taylor |
| project_id | ac4fafd60021431585bbb23470119557 |
| revision_number | 1 |
| rules | created_at='2021-02-25T07:50:03Z', direction='egress', ethertype='IPv4', id='46b6de17-f31f-4830-8656-a96980cdd974', updated_at='2021-02-25T07:50:03Z' |
| | created_at='2021-02-25T07:50:03Z', direction='egress', ethertype='IPv6', id='eb6e97d7-c147-4153-9f43-7605ebb6dfb4', updated_at='2021-02-25T07:50:03Z' |
| stateful | True |
| tags | [] |
| updated_at | 2021-02-25T07:50:03Z |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
You can see the 2 rules allowing all outgoing traffic (IPv4 + IPv6)
Authorising incoming SSH connection (port 22)
$ openstack security group rule create --ingress --protocol tcp --dst-port 22 --ethertype IPv4 taylor
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2021-02-25T07:53:45Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | ea010467-2170-4f13-80a3-8162ddd99a03 |
| name | None |
| port_range_max | 22 |
| port_range_min | 22 |
| project_id | ac4fafd60021431585bbb23470119557 |
| protocol | tcp |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | c901c534-fd90-4738-aa6b-007cd7a5081b |
| tags | [] |
| updated_at | 2021-02-25T07:53:45Z |
+-------------------+--------------------------------------+
List the security group rules
$ openstack security group rule list taylor
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+
| 327f0ba7-98e9-4967-8bbf-7089ac7d6184 | None | IPv4 | 0.0.0.0/0 | | egress | None |
| c621e178-4ad6-4dea-9acc-2d2b7e4cbf27 | None | IPv6 | ::/0 | | egress | None |
| ea010467-2170-4f13-80a3-8162ddd99a03 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+
Warning
Rules ordering doesn't actually reflect rules priority.
Apply a security group to your VM
Security group = taylor
VM name = infomaniak-vm-1
openstack server add security group infomaniak-vm-1 taylor
let's confirm the group is applied
$ openstack server show infomaniak-vm-1
+-----------------------------+------------------------------------------------------------------------+
| Field | Value |
+-----------------------------+------------------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | b10 |
| OS-EXT-STS:power_state | Running |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2021-02-24T15:51:27.000000 |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | ext-net1=2001:1600:115:1::3d8, 195.15.241.27 |
| config_drive | |
| created | 2021-02-24T15:51:17Z |
| flavor | cpu2-ram6-disk20 (2655c1e3-a43a-4dea-a957-650517e8fa72) |
| hostId | 1baedae8de146b81f259cfec3cf33fcae980bb274f8fef46a5f49ba9 |
| id | 5bf0ebf6-825d-4879-b4b8-90245ec4dc19 |
| image | Debian 10.10 buster |
| key_name | mykeypair |
| name | infomaniak-vm-1 |
| progress | 0 |
| project_id | ac4fafd60021431585bbb23470119557 |
| properties | |
| security_groups | name='default' |
| | name='taylor' |
| status | ACTIVE |
| updated | 2021-02-24T15:51:27Z |
| user_id | b1580497f51e4d10b9110c60c154562c |
| volumes_attached | |
+-----------------------------+------------------------------------------------------------------------+
We see above that there are 2 security groups: default and taylor, therefore both rules apply. For example if rule1 allows port 21 and 22, and rule2 allows port 21, ports 21 and 22 will be open. if rule1 allows port 21 and rule2 port 22 then ports 21 and 22 will be open too.
Remote security groups
When a security group rule specifies a remote group, for example a ingress rule in sgA specifies a remote group of sgB, that means only packets from VMs using sgB could match this ingress rule.
Green = Ingress IPv4 traffic to all UDP ports is allowed for VMs using the security group 25157111-e8d0-49d6-b873-724149ff4afc (VMs source IP)
Blue = Ingress IPv4 traffic to TCP port 21 is allowed regardless the source IP.
Red = Ingress IPv4 traffic to TCP port 4443 is ONLY allowed for VMs using the security group 508d700a-b0bc-4d32-bf2b-bcefd41afb0c (VMs source IP)