Yes, this is concerning neutron-fwaas.
Let's take an example where one group looks like this:
openstack firewall group rule create --protocol tcp \
  --destination-ip-address 192.168.0.100 \
  --destination-port 443 \
  --action allow \
  --name webserverA-allow
openstack firewall group rule create --protocol any \
  --destination-ip-address 192.168.0.100 \
  --action deny \
  --name webserverA-deny
openstack firewall group rule create --protocol tcp \
  --destination-ip-address 192.168.0.0/24 \
  --destination-port 22 \
  --action allow \
  --name ssh-allow
openstack firewall group policy create \
  --firewall-rule webserverA-allow \
  --firewall-rule webserverA-deny \
  --firewall-rule ssh-allow \
  testmultiplegroups1
openstack firewall group create \
  --egress-firewall-policy testmultiplegroups1 \
  --name mytestgroup1
Now we'll create a second firewall group to allow tcp 3306 to everything in the subnet. With this group placed below the previous, webserverA (192.168.0.100) would not be included in this allow statement.
openstack firewall group rule create --protocol tcp \
  --destination-ip-address 192.168.0.0/24 \
  --destination-port 3306 \
  --action allow \
  --name mysql-allow
openstack firewall group policy create \
  --firewall-rule mysql-allow \
  testmultiplegroups2
openstack firewall group create \
  --egress-firewall-policy testmultiplegroups2 \
  --name mytestgroup2
The combined rules would be:
--firewall-rule webserverA-allow
--firewall-rule webserverA-deny
--firewall-rule ssh-allow
--firewall-rule mysql-allow
When the order of the groups is shuffled, the new combined ruleset becomes:
--firewall-rule mysql-allow
--firewall-rule webserverA-allow
--firewall-rule webserverA-deny
--firewall-rule ssh-allow
TCP 3306 is now unintentionally open to webserverA.
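As an added illustration (not part of the original post or of neutron-fwaas itself), the following simulator walks the combined rule list first-match, evaluates the two orderings above, and flags deny rules that an allow from another group now precedes and overlaps. The rule tuples, the group names, and default-deny for unmatched traffic are assumptions made here.

```python
import ipaddress

# Rule definitions as the commands above would create them (constructed here, not read
# from neutron): (name, group, protocol, destination CIDR, destination port or None, action)
GROUP1 = [
    ("webserverA-allow", "mytestgroup1", "tcp", "192.168.0.100/32", 443, "allow"),
    ("webserverA-deny", "mytestgroup1", "any", "192.168.0.100/32", None, "deny"),
    ("ssh-allow", "mytestgroup1", "tcp", "192.168.0.0/24", 22, "allow"),
]
GROUP2 = [("mysql-allow", "mytestgroup2", "tcp", "192.168.0.0/24", 3306, "allow")]


def _compatible(a, b):
    """Two protocol or port values can match the same packet if either is a wildcard."""
    return a in ("any", None) or b in ("any", None) or a == b


def evaluate(rules, protocol, dst_ip, dst_port, default="deny"):
    """First-match walk over the combined list; returns (rule name, action). Default deny assumed."""
    addr = ipaddress.ip_address(dst_ip)
    for name, _, proto, cidr, port, action in rules:
        if proto in ("any", protocol) and port in (None, dst_port) \
                and addr in ipaddress.ip_network(cidr):
            return name, action
    return None, default


def cross_group_overlaps(rules):
    """Flag deny rules that a preceding allow from a different group can match first."""
    findings = []
    for i, (aname, agroup, aproto, acidr, aport, aaction) in enumerate(rules):
        if aaction != "allow":
            continue
        for dname, dgroup, dproto, dcidr, dport, daction in rules[i + 1:]:
            if daction == "deny" and dgroup != agroup \
                    and ipaddress.ip_network(acidr).overlaps(ipaddress.ip_network(dcidr)) \
                    and _compatible(aproto, dproto) and _compatible(aport, dport):
                findings.append((aname, dname))
    return findings


if __name__ == "__main__":
    for label, rules in (("intended", GROUP1 + GROUP2), ("shuffled", GROUP2 + GROUP1)):
        print(label, evaluate(rules, "tcp", "192.168.0.100", 3306), cross_group_overlaps(rules))
```

The shuffled ordering reports ("mysql-allow", "webserverA-deny"), which is exactly the cross-group shadowing that opens 3306 to webserverA.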