Comment 0 for bug 1554177

Sergey Yudin (tsipa740) wrote : networks defined by devops must have production-like connectivity

For now, devops defines networks in random order, and depending on which network is created earlier, the routing between public and management may or may not be enabled, because icmp-port-unreachable may be injected before or after another network definition.

In the case when the pub network was created before mgmt, we will have:
-A FORWARD -s <pub_subnet> -i <pub_fuelbr> -j ACCEPT
<cut>
-A FORWARD -i <admin_fuelbr> -j REJECT --reject-with icmp-port-unreachable

In the case when the mgmt iface was created first, we will have:
-A FORWARD -i <admin_fuelbr> -j REJECT --reject-with icmp-port-unreachable
<cut>
-A FORWARD -s <pub_subnet> -i <pub_fuelbr> -j ACCEPT

which will lead to different behavior.

Expected behavior is to not have access from the public to the management network at any time.
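
A check for which of the two rule orderings described in the report a host ended up with, as an added example that is not part of the original comment or of the devops code. The bridge names (fuelbr-pub, fuelbr-adm), the subnet and both sample rule sets are constructed; the function name forward_order is hypothetical.

```shell
#!/bin/sh
# Added example: reads `iptables -S FORWARD` style text on stdin and reports
# the relative order of the two rules quoted in the report.
# Real use (as root): iptables -S FORWARD | forward_order <pub_bridge> <admin_bridge>

forward_order() {
    awk -v pub="$1" -v adm="$2" '
        $1 == "-A" && $2 == "FORWARD" {
            n++                      # position of this rule within the chain
            in_if = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if  = $(i + 1)   # exact token match, so
                if ($i == "-j") target = $(i + 1)   # br1 never matches br10
            }
            if (!acc && in_if == pub && target == "ACCEPT") acc = n
            if (!rej && in_if == adm && target == "REJECT") rej = n
        }
        END {
            if (!acc || !rej)   print "incomplete"    # one of the rules is absent
            else if (acc < rej) print "accept-first"  # pub ACCEPT precedes admin REJECT
            else                print "reject-first"  # admin REJECT precedes pub ACCEPT
        }'
}

# Constructed sample: pub network defined before mgmt.
sample_pub_first() {
cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -s 10.109.1.0/24 -i fuelbr-pub -j ACCEPT
-A FORWARD -i fuelbr-adm -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Constructed sample: mgmt network defined before pub.
sample_mgmt_first() {
cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i fuelbr-adm -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 10.109.1.0/24 -i fuelbr-pub -j ACCEPT
EOF
}

echo "pub first:  $(sample_pub_first  | forward_order fuelbr-pub fuelbr-adm)"
echo "mgmt first: $(sample_mgmt_first | forward_order fuelbr-pub fuelbr-adm)"
```

Running it on every environment host and comparing the output shows whether the network creation order has produced inconsistent chains.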