OpenStack Security Groups / ARP Spoof Protection

Everything is blocked by default; open up only the ports you want to allow.

On the Controller


nova secgroup-add-rule default tcp 1 65535 0.0.0.0/0
nova secgroup-add-rule default udp 1 65535 0.0.0.0/0
nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0

-1 signifies the whole range (for ICMP, every type and code). Note that the three rules above open every TCP and UDP port and all ICMP from any source (0.0.0.0/0); narrow the port ranges and source CIDR to what the instances actually need.

On the compute node

/etc/neutron/plugins/ml2/linuxbridge_agent.ini

[linux_bridge]
physical_interface_mappings = public:bond0

[vxlan]
enable_vxlan = False

[agent]
prevent_arp_spoofing = True

[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
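A small audit script, added here as an example and not part of the original post, that reads a linuxbridge_agent.ini and reports whether the ARP-spoof protection, security-group and firewall-driver settings shown above are actually in force. The embedded sample is a constructed copy of the config above; point `audit_agent_config` at the real file contents to check a compute node.

```python
"""Check a Neutron linuxbridge_agent.ini for the settings discussed above."""
import configparser

# Constructed sample mirroring the compute-node config shown on the page.
SAMPLE_INI = """\
[linux_bridge]
physical_interface_mappings = public:bond0

[vxlan]
enable_vxlan = False

[agent]
prevent_arp_spoofing = True

[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
"""

# (section, option, expected value in lower case, finding text when it differs)
EXPECTED = [
    ("agent", "prevent_arp_spoofing", "true",
     "ARP spoofing protection is disabled or unset"),
    ("securitygroup", "enable_security_group", "true",
     "security groups are disabled or unset"),
    ("securitygroup", "firewall_driver",
     "neutron.agent.linux.iptables_firewall.iptablesfirewalldriver",
     "firewall_driver is not the iptables driver (a noop driver enforces nothing)"),
]


def audit_agent_config(ini_text: str) -> list[str]:
    """Return one finding per mismatched setting; an empty list means all pass."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    findings = []
    for section, option, expected, message in EXPECTED:
        # fallback covers both a missing section and a missing option
        value = cfg.get(section, option, fallback="").strip().lower()
        if value != expected:
            findings.append(f"[{section}] {option}={value or '<unset>'}: {message}")
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_INI with open("/etc/neutron/plugins/ml2/linuxbridge_agent.ini").read()
    for finding in audit_agent_config(SAMPLE_INI) or ["all checks passed"]:
        print(finding)
```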