From 3a6b128f3af8068362bdd78a0d264aa54672328e Mon Sep 17 00:00:00 2001 From: Steven Dake Date: Wed, 31 Dec 2014 14:27:22 -0700 Subject: [PATCH] Improve firewall recommendations for Neutron documentation The documentation does not mention that either ufw or firewalld should be disabled to operate a devstack+Neutron environment. This change adds a description of fault symptoms as well as a simple workaround. Change-Id: Ie0ec614dfa56febbf6588836d2e1fc057aa8830f --- doc/source/guides/neutron.rst | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/doc/source/guides/neutron.rst b/doc/source/guides/neutron.rst index dc2fc71617..90d4ca3c77 100644 --- a/doc/source/guides/neutron.rst +++ b/doc/source/guides/neutron.rst @@ -59,6 +59,40 @@ connectivity. +Disabling Next Generation Firewall Tools +======================================== + +Devstack does not properly operate with modern firewall tools. Specifically +it will appear as if the guest VM can access the external network via ICMP, +but UDP and TCP packets will not be delivered to the guest VM. The root cause +of the issue is that both ufw (Uncomplicated Firewall) and firewalld (Fedora's +firewall manager) apply firewall rules to all interfaces in the system, rather +then per-device. One solution to this problem is to revert to iptables +functionality. + +To get a functional firewall configuration for Fedora do the following: + +:: + + sudo service iptables save + sudo systemctl disable firewalld + sudo systemctl enable iptables + sudo systemctl stop firewalld + sudo systemctl start iptables + + +To get a functional firewall configuration for distributions containing ufw, +disable ufw. Note ufw is generally not enabled by default in Ubuntu. To +disable ufw if it was enabled, do the following: + +:: + + sudo service iptables save + sudo ufw disable + + + + Neutron Networking with Open vSwitch ====================================
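Review bot: the ufw block near the end of the hunk runs `sudo service iptables save` before `sudo ufw disable`, but Ubuntu does not ship an `iptables` init service, so that first command fails with "unrecognized service"; the only step the ufw case needs is `sudo ufw disable`, so drop the save line there. In the Fedora block the ordering also deserves a second look: `sudo service iptables save` runs while firewalld is still active, so the persisted ruleset will contain firewalld's generated chains and `sudo systemctl start iptables` will restore the same interface-wide rules the section is trying to remove; the text should tell the reader to inspect (and trim) the saved ruleset in /etc/sysconfig/iptables before enabling the iptables service, and mention that this service comes from the iptables-services package on Fedora. Since the procedure replaces the host firewall rather than merely relaxing it, a sentence stating which rules remain in effect afterwards would help readers who run devstack on a shared host. Minor: "rather then per-device" should read "rather than per-device", and the heading "Disabling Next Generation Firewall Tools" is vague for what is really "Disabling firewalld and ufw".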