Creating security group rules in the CLI

To create a security group rule, use the openstack security group rule create command as follows:

openstack security group rule create
[--remote-ip <ip-address> | --remote-group <group>]
[--description <description>]
[--dst-port <port-range>]
[--icmp-type <icmp-type>]
[--icmp-code <icmp-code>]
[--protocol <protocol>]
[--ingress | --egress]
[--ethertype <ethertype>]
[--project <project>]
[--project-domain <project-domain>]
<group>

The --remote-ip argument is optional and allows you to specify the source address or network the rule applies to. The address or network should be defined in CIDR format.

The --remote-group argument is optional and allows you to specify the name or ID of a security group the rule should apply to rather than individual IP addresses or networks. For example, when creating a rule to allow inbound SQL traffic to database servers, you can specify the ID of a security group that application servers are a member of without having to specify their individual IP addresses.

The --description argument applies a description to the security group rule.

The --dst-port argument is optional and allows you to specify a destination port or range of ports separated by a colon, as in 137:139. This option is required for TCP and UDP protocols.

The --icmp-type and --icmp-code arguments specify the ICMP type and code, respectively, for the ICMP protocol. Allowing the entire ICMP protocol without specific types and codes satisfies most use cases.

The --protocol argument is optional and allows you to match traffic based on the IP protocol. Possible options include ah, dccp, egp, esp, gre, icmp, igmp, ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, udp, udplite, vrrp or an IP protocol number [0-255]. The default is tcp.

The --ingress argument means that the rule applies to incoming traffic, whereas the --egress argument means that the rule applies to outgoing traffic from the instance. These arguments are mutually exclusive, meaning only one can be used to describe the rule's direction. If left unspecified, the default direction is ingress.

The --ethertype argument is optional and allows you to specify whether the rule applies to IPv4 or IPv6 traffic.

The --project and --project-domain arguments are optional and can be used to specify a project and domain other than the one associated with the user creating the rule.

The group argument is used to specify the name or ID of the security group the rule should be associated with.
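The following shell helper is an added example and not part of the original text. It assembles the command described above from a few arguments and refuses the two mistakes the argument descriptions warn about (a TCP or UDP rule with no --dst-port, and a direction that is not ingress or egress), choosing --remote-ip or --remote-group from the shape of the remote argument. The group names db-servers, app-servers and web-servers and the subnet 10.0.0.0/24 are constructed sample values; the helper prints the command and only executes it when DRY_RUN is set to an empty string.

```shell
#!/bin/sh
# Added example, not from the page: build and sanity-check an
# `openstack security group rule create` invocation before it reaches the API.
# Group names and the subnet below are constructed sample values.
# DRY_RUN defaults to 1 (print only); run with DRY_RUN= to execute for real.
DRY_RUN=${DRY_RUN-1}

# sg_rule GROUP DIRECTION PROTOCOL REMOTE [PORT-RANGE] [DESCRIPTION]
# A REMOTE containing '/' is treated as a CIDR (--remote-ip); anything else
# is taken as a security group name or ID (--remote-group).
sg_rule() {
  group=$1; direction=$2; proto=$3; remote=$4; ports=$5; desc=$6

  # --ingress and --egress are mutually exclusive; one argument enforces that.
  case "$direction" in
    ingress|egress) ;;
    *) echo "sg_rule: direction must be ingress or egress" >&2; return 2 ;;
  esac

  # --dst-port is required for tcp and udp; catch the omission before the API does.
  case "$proto" in
    tcp|udp) [ -n "$ports" ] || { echo "sg_rule: --dst-port required for $proto" >&2; return 2; } ;;
  esac

  set -- openstack security group rule create "--$direction" --protocol "$proto"
  case "$remote" in
    */*) set -- "$@" --remote-ip "$remote" ;;
    *)   set -- "$@" --remote-group "$remote" ;;
  esac
  [ -n "$ports" ] && set -- "$@" --dst-port "$ports"
  [ -n "$desc" ]  && set -- "$@" --description "$desc"
  set -- "$@" "$group"

  echo "$*"
  [ -n "$DRY_RUN" ] || "$@"
}

# The database-tier rule from the text: SQL from the app-server group, not per IP.
sg_rule db-servers ingress tcp app-servers 3306 "MySQL from app tier"
# ICMP from one subnet, whole protocol with no type or code, as the text suggests.
sg_rule web-servers ingress icmp 10.0.0.0/24
```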
