Improve firewall recommendations for Neutron documentation

The documentation does not mention that either ufw or firewalld should be
disabled to operate a devstack+Neutron environment. This change adds a
description of fault symptoms as well as a simple workaround.

Change-Id: Ie0ec614dfa56febbf6588836d2e1fc057aa8830f

Steven Dake authored on 2015/01/01 06:27:22
Showing 1 changed files
... ...
@@ -59,6 +59,40 @@ connectivity.
59 59
 
60 60
 
61 61
 
62
+Disabling Next Generation Firewall Tools
63
+========================================
64
+
65
+Devstack does not properly operate with modern firewall tools.  Specifically
66
+it will appear as if the guest VM can access the external network via ICMP,
67
+but UDP and TCP packets will not be delivered to the guest VM.  The root cause
68
+of the issue is that both ufw (Uncomplicated Firewall) and firewalld (Fedora's
69
+firewall manager) apply firewall rules to all interfaces in the system, rather
70
+then per-device.  One solution to this problem is to revert to iptables
71
+functionality.
72
+
73
+To get a functional firewall configuration for Fedora do the following:
74
+
75
+::
76
+
77
+         sudo service iptables save
78
+         sudo systemctl disable firewalld
79
+         sudo systemctl enable iptables
80
+         sudo systemctl stop firewalld
81
+         sudo systemctl start iptables
82
+
83
+
84
+To get a functional firewall configuration for distributions containing ufw,
85
+disable ufw.  Note ufw is generally not enabled by default in Ubuntu.  To
86
+disable ufw if it was enabled, do the following:
87
+
88
+::
89
+
90
+        sudo service iptables save
91
+        sudo ufw disable
92
+
93
+
94
+
95
+
62 96
 Neutron Networking with Open vSwitch
63 97
 ====================================
64 98
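Review bot: In the ufw block (new lines 90-91), `sudo service iptables save` is carried over from the Fedora steps, but nothing after `sudo ufw disable` enables or starts an iptables service, so the text should either say what the saved rules are for and how they get applied, or drop that line. As written, the reader ends with ufw off and no statement of what packet filtering remains on the host. The Fedora block likewise runs `sudo service iptables save` before `sudo systemctl enable iptables` without naming any prerequisite for that service, which deserves a sentence. Smaller points: "rather then per-device" at new line 70 should read "than", the two literal blocks use different indentation (nine spaces versus eight), and the four blank lines added at 92-95 can be cut to one before the next heading.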