| ... | ... |
@@ -59,6 +59,40 @@ connectivity. |
| 59 | 59 |
|
| 60 | 60 |
|
| 61 | 61 |
|
| 62 |
+Disabling Next Generation Firewall Tools |
|
| 63 |
+======================================== |
|
| 64 |
+ |
|
| 65 |
+Devstack does not properly operate with modern firewall tools. Specifically |
|
| 66 |
+it will appear as if the guest VM can access the external network via ICMP, |
|
| 67 |
+but UDP and TCP packets will not be delivered to the guest VM. The root cause |
|
| 68 |
+of the issue is that both ufw (Uncomplicated Firewall) and firewalld (Fedora's |
|
| 69 |
+firewall manager) apply firewall rules to all interfaces in the system, rather |
|
| 70 |
+then per-device. One solution to this problem is to revert to iptables |
|
| 71 |
+functionality. |
|
| 72 |
+ |
|
| 73 |
+To get a functional firewall configuration for Fedora do the following: |
|
| 74 |
+ |
|
| 75 |
+:: |
|
| 76 |
+ |
|
| 77 |
+ sudo service iptables save |
|
| 78 |
+ sudo systemctl disable firewalld |
|
| 79 |
+ sudo systemctl enable iptables |
|
| 80 |
+ sudo systemctl stop firewalld |
|
| 81 |
+ sudo systemctl start iptables |
|
| 82 |
+ |
|
| 83 |
+ |
|
| 84 |
+To get a functional firewall configuration for distributions containing ufw, |
|
| 85 |
+disable ufw. Note ufw is generally not enabled by default in Ubuntu. To |
|
| 86 |
+disable ufw if it was enabled, do the following: |
|
| 87 |
+ |
|
| 88 |
+:: |
|
| 89 |
+ |
|
| 90 |
+ sudo service iptables save |
|
| 91 |
+ sudo ufw disable |
|
| 92 |
+ |
|
| 93 |
+ |
|
| 94 |
+ |
|
| 95 |
+ |
|
| 62 | 96 |
Neutron Networking with Open vSwitch |
| 63 | 97 |
==================================== |
| 64 | 98 |
|
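Review bot: In both command blocks (new lines 77 and 90), `sudo service iptables save` runs while firewalld or ufw is still active, so the ruleset written to disk is the one those tools generated, and on Fedora it is what `systemctl start iptables` then loads. Consider stopping and disabling firewalld or ufw first and only then saving, or dropping the save and documenting the ruleset the host is expected to end up with. The ufw block also assumes an `iptables` service exists on the distribution; the text should name the prerequisite or omit that line. Since the section tells readers to turn off the host firewall manager, it should say which filtering remains in place afterwards and that the procedure is meant for development hosts. Two smaller points: "rather then per-device" on new lines 69-70 should read "rather than per-device", and the four blank lines added at 92-95 can be cut to one before the next heading.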