Package security contains functionality to work with the Neutron security group and security group rule resources.
Security groups and security group rules give administrators and tenants the ability to specify the type of traffic and the direction (ingress/egress) that is allowed to pass through a port. A security group is a container for security group rules.
When a port is created in Networking it is associated with a security group. If a security group is not specified, the port is associated with a 'default' security group. By default, this group drops all ingress traffic and allows all egress. Rules can be added to this group in order to change the behaviour.
The basic characteristics of Neutron Security Groups are:
For ingress traffic (to an instance)
- Only traffic matched by security group rules is allowed.
- When there is no rule defined, all traffic is dropped.
For egress traffic (from an instance)
- Only traffic matched by security group rules is allowed.
- When there is no rule defined, all egress traffic is dropped.
- When a new security group is created, rules that allow all egress traffic are automatically added.
A "default security group" is defined for each tenant.
- For the default security group, a rule which allows intercommunication among hosts associated with the default security group is defined by default.
- As a result, all egress traffic and intercommunication in the default group are allowed, and all ingress from outside of the default group is dropped by default (in the default security group).
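The matching semantics described above (default-deny for any direction without a matching rule, the automatically added allow-all egress rules, and the default group's intra-group ingress rule) can be made concrete with a small, standard-library-only evaluator. This is an added illustration, not code from this package or from Neutron: the Rule, SecurityGroup and Packet types and the Allowed function are assumptions of the example, and the group identifiers "default" and "web" and the addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Direction is the traffic direction relative to the instance's port.
type Direction string

const (
	Ingress Direction = "ingress" // towards the instance
	Egress  Direction = "egress"  // away from the instance
)

// Rule is a simplified security group rule carrying the attributes Neutron
// matches on. Zero values mean "any" for Protocol, PortMin/PortMax,
// RemoteIPPrefix and RemoteGroupID. (Hypothetical type for this example.)
type Rule struct {
	Direction      Direction
	EtherType      string // "IPv4" or "IPv6"
	Protocol       string // e.g. "tcp", "udp", "icmp"; "" matches any protocol
	PortMin        int    // inclusive port range; both zero means any port
	PortMax        int
	RemoteIPPrefix string // CIDR the remote endpoint must fall in; "" means any
	RemoteGroupID  string // remote port must belong to this group; "" means any
}

// SecurityGroup is a container for rules, as in Neutron.
type SecurityGroup struct {
	ID    string
	Rules []Rule
}

// Packet describes one flow as seen at the instance's port.
type Packet struct {
	Direction    Direction
	Remote       netip.Addr // source address for ingress, destination for egress
	Protocol     string
	Port         int      // destination port of the flow
	RemoteGroups []string // security groups attached to the remote port, if known
}

func hasGroup(groups []string, id string) bool {
	for _, g := range groups {
		if g == id {
			return true
		}
	}
	return false
}

// matches reports whether a single rule covers the packet.
func (r Rule) matches(p Packet) bool {
	if r.Direction != p.Direction {
		return false
	}
	addr := p.Remote.Unmap()
	switch r.EtherType {
	case "IPv4":
		if !addr.Is4() {
			return false
		}
	case "IPv6":
		if !addr.Is6() {
			return false
		}
	default:
		return false
	}
	if r.Protocol != "" && r.Protocol != p.Protocol {
		return false
	}
	if (r.PortMin != 0 || r.PortMax != 0) && (p.Port < r.PortMin || p.Port > r.PortMax) {
		return false
	}
	if r.RemoteIPPrefix != "" {
		prefix, err := netip.ParsePrefix(r.RemoteIPPrefix)
		if err != nil || !prefix.Contains(addr) {
			return false
		}
	}
	if r.RemoteGroupID != "" && !hasGroup(p.RemoteGroups, r.RemoteGroupID) {
		return false
	}
	return true
}

// Allowed applies the Neutron semantics: traffic passes only if some rule in
// some group attached to the port matches it; with no matching rule it is
// dropped, in both directions.
func Allowed(groups []SecurityGroup, p Packet) bool {
	for _, g := range groups {
		for _, r := range g.Rules {
			if r.matches(p) {
				return true
			}
		}
	}
	return false
}

// NewSecurityGroup models a freshly created group: allow-all egress rules for
// IPv4 and IPv6 are added automatically, and there are no ingress rules.
func NewSecurityGroup(id string) SecurityGroup {
	return SecurityGroup{ID: id, Rules: []Rule{
		{Direction: Egress, EtherType: "IPv4"},
		{Direction: Egress, EtherType: "IPv6"},
	}}
}

// NewDefaultSecurityGroup models the per-tenant "default" group, which also
// allows ingress from ports that are themselves members of the default group.
// The real group is identified by a UUID; "default" is a constructed ID here.
func NewDefaultSecurityGroup() SecurityGroup {
	g := NewSecurityGroup("default")
	g.Rules = append(g.Rules,
		Rule{Direction: Ingress, EtherType: "IPv4", RemoteGroupID: "default"},
		Rule{Direction: Ingress, EtherType: "IPv6", RemoteGroupID: "default"},
	)
	return g
}

func main() {
	def := []SecurityGroup{NewDefaultSecurityGroup()}
	outside := netip.MustParseAddr("203.0.113.5") // constructed external address
	peer := netip.MustParseAddr("10.0.0.7")       // constructed address of a port in the default group
	fmt.Println("ingress from outside:", Allowed(def, Packet{Direction: Ingress, Remote: outside, Protocol: "tcp", Port: 22}))
	fmt.Println("egress to outside:  ", Allowed(def, Packet{Direction: Egress, Remote: outside, Protocol: "tcp", Port: 443}))
	fmt.Println("ingress from peer:  ", Allowed(def, Packet{Direction: Ingress, Remote: peer, Protocol: "tcp", Port: 22, RemoteGroups: []string{"default"}}))
}
```

Running main prints false, true, true: the default group drops SSH from an external address, lets the instance reach out, and accepts traffic from another port in the same default group. Appending an ingress rule with a port range and a remote prefix to a group created with NewSecurityGroup is the equivalent of adding a rule through this package, and only flows covered by such a rule are admitted.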