Add security group and rules
The following procedure shows you how to add security
groups and add rules to the default security group.
Add or delete a security group
Security groups can be added with nova
secgroup-create.
The following example shows the creation of the
security group secure1. After the
group is created, it can be viewed in the security
group list.
$ nova secgroup-create secure1 "Test security group"
+---------+---------------------+
| Name | Description |
+---------+---------------------+
| secure1 | Test security group |
+---------+---------------------+
$ nova secgroup-list
+---------+---------------------+
| Name | Description |
+---------+---------------------+
| default | default |
| secure1 | Test security group |
+---------+---------------------+
Security groups can be deleted with nova secgroup-delete. The default
security group cannot be deleted. The default security group contains these initial
settings:
All traffic originated by the instances (outbound traffic) is allowed
All traffic destined to the instances (inbound traffic) is denied
All instances inside the group are allowed to talk to each other
You can add extra rules to the default security group to permit additional inbound
traffic. Rules are ingress only at this time: outbound traffic is always allowed and
cannot be restricted with security group rules.
In the following example, the group
secure1 is deleted. When you
view the security group list, it no longer
appears.
$ nova secgroup-delete secure1
$ nova secgroup-list
+---------+-------------+
| Name | Description |
+---------+-------------+
| default | default |
+---------+-------------+
Modify security group rules
The security group rules control the incoming traffic that is allowed to reach the
instances in the group, while all outbound traffic is automatically allowed.
It is not possible to change the default outbound behaviour.
Every security group rule is a policy that specifies which inbound connections may
reach the instance, by source address range, destination port range and IP protocol
(TCP, UDP or ICMP). Currently, IPv6 and other protocols cannot be managed with
security group rules, so they are permitted by default. To control such traffic,
deploy a firewall in front of your OpenStack cloud. The nova secgroup-add-rule
command requires the following arguments for both TCP and UDP rules:
<secgroup> ID of security group.
<ip_proto> IP protocol (icmp, tcp, udp).
<from_port> Port at start of range.
<to_port> Port at end of range.
<cidr> CIDR for address range.
For ICMP rules, instead of specifying a begin and end port, you specify the
allowed ICMP type and ICMP code, in that order: the type is given in the
from_port position and the code in the to_port position:
<secgroup> ID of security group.
<ip_proto> IP protocol (with icmp specified).
<ICMP_type> The ICMP type.
<ICMP_code> The ICMP code.
<cidr> CIDR for the source address range.
Entering "-1" for both type and code
indicates that all ICMP types and codes should
be allowed.
The CIDR notation
CIDR notation allows you to specify a base IP address and a suffix that
designates the number of significant bits of the address used to identify
the network. For example, by specifying 88.170.60.32/27, you specify
88.170.60.32 as the base IP and 27 as the
suffix. Since this is an IPv4 address,
only 5 bits remain for the host part (32 minus 27), so the range covers the 32
addresses from 88.170.60.32 to 88.170.60.63. The
0.0.0.0/0 notation means you allow the entire IPv4 range, that is,
all source addresses.
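The rule arguments and the CIDR arithmetic above are easy to get wrong on the command line, and nova accepts some mistakes silently (a range whose base address has host bits set, or an ICMP type/code pair that matches nothing). The following is an added example, not part of the original page or of the nova client: a small client-side checker that validates a rule before you pass it to nova secgroup-add-rule, summarises what a CIDR actually covers, and warns about overly broad rules. The Rule class, the function names and the warning thresholds are this example's own assumptions.

```python
"""Client-side checks for a nova-network security group rule before it is
submitted with `nova secgroup-add-rule`. Added example; the Rule class and
the check functions are this example's own, not part of the nova CLI."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ICMP_ANY = -1                      # nova's wildcard for ICMP type or code
SUPPORTED_PROTOCOLS = ("tcp", "udp", "icmp")


@dataclass(frozen=True)
class Rule:
    """The four values that identify a rule; the same values must be given
    verbatim to `nova secgroup-delete-rule` to remove it again."""
    ip_proto: str
    from_port: int                 # TCP/UDP: first port; ICMP: type
    to_port: int                   # TCP/UDP: last port;  ICMP: code
    cidr: str                      # source address range

    def as_command(self, secgroup: str) -> str:
        return "nova secgroup-add-rule %s %s %d %d %s" % (
            secgroup, self.ip_proto, self.from_port, self.to_port, self.cidr)


def cidr_summary(cidr: str) -> Tuple[str, str, int, int]:
    """(first address, last address, host bits, number of addresses)."""
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    return (str(net.network_address), str(net.broadcast_address),
            host_bits, net.num_addresses)


def validate_rule(rule: Rule) -> List[str]:
    """Problems that would make nova reject or misapply the rule; an empty
    list means the rule is well-formed."""
    problems = []
    proto = rule.ip_proto.lower()
    if proto not in SUPPORTED_PROTOCOLS:
        problems.append("protocol %r cannot be expressed as a rule" % rule.ip_proto)
    try:
        net = ipaddress.ip_network(rule.cidr, strict=False)
    except ValueError:
        problems.append("cidr %r is not valid CIDR notation" % rule.cidr)
    else:
        if net.version != 4:
            problems.append("IPv6 ranges cannot be managed with security group rules")
        elif str(net) != rule.cidr:
            # e.g. 88.170.60.33/27: host bits set in the base address
            problems.append("cidr %r must be network/prefix; did you mean %s?"
                            % (rule.cidr, net))
    if proto == "icmp":
        for name, value in (("type", rule.from_port), ("code", rule.to_port)):
            if value != ICMP_ANY and not 0 <= value <= 255:
                problems.append("ICMP %s %d is outside 0-255 (or -1 for any)" % (name, value))
        if rule.from_port == ICMP_ANY and rule.to_port != ICMP_ANY:
            problems.append("an ICMP code without a type is meaningless")
        # Echo request (8) and echo reply (0) define only code 0 (RFC 792),
        # so "icmp 0 8" would never match a ping.
        if rule.from_port in (0, 8) and rule.to_port not in (ICMP_ANY, 0):
            problems.append("ICMP type %d (echo) only defines code 0" % rule.from_port)
    elif proto in ("tcp", "udp"):
        for name, value in (("from_port", rule.from_port), ("to_port", rule.to_port)):
            if not 1 <= value <= 65535:
                problems.append("%s %d is outside 1-65535" % (name, value))
        if rule.from_port > rule.to_port:
            problems.append("from_port %d is greater than to_port %d"
                            % (rule.from_port, rule.to_port))
    return problems


def exposure_warnings(rule: Rule) -> List[str]:
    """How much a well-formed rule opens up. The thresholds are assumptions
    of this example, not anything nova enforces."""
    warnings = []
    net = ipaddress.ip_network(rule.cidr, strict=False)
    if net.prefixlen == 0:
        warnings.append("%s admits every IPv4 source address" % rule.cidr)
    proto = rule.ip_proto.lower()
    if proto in ("tcp", "udp"):
        span = rule.to_port - rule.from_port + 1
        if span > 1:
            warnings.append("rule opens %d ports (%d-%d)" % (span, rule.from_port, rule.to_port))
        if proto == "tcp" and rule.from_port <= 22 <= rule.to_port and net.prefixlen < 24:
            warnings.append("SSH (tcp/22) is reachable from more than a /24")
    elif proto == "icmp" and rule.from_port == ICMP_ANY:
        warnings.append("all ICMP types are allowed, not only echo request")
    return warnings


if __name__ == "__main__":
    for r in (Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("icmp", 8, 0, "0.0.0.0/0"),
              Rule("tcp", 22, 22, "88.170.60.32/27"), Rule("icmp", 0, 8, "0.0.0.0/0")):
        print(r.as_command("default"), validate_rule(r), exposure_warnings(r))
    print(cidr_summary("88.170.60.32/27"))
```

Run it with no arguments to see the page's own rules checked; the /27 from the CIDR paragraph comes back as 88.170.60.32 to 88.170.60.63 with 5 host bits and 32 addresses, and an echo-request rule written as type 0, code 8 is flagged because echo messages only carry code 0.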
For example, in order to allow any IP address to
reach a web server running on one of your instances
inside the default security
group:
$ nova secgroup-add-rule default tcp 80 80 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 80 | 80 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
In order to allow any IP address to ping an instance
inside the default security group (Type 8, Code 0, the
ICMP echo request; the type comes first, then the
code):
$ nova secgroup-add-rule default icmp 8 0 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | 8 | 0 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
$ nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 80 | 80 | 0.0.0.0/0 | |
| icmp | 8 | 0 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
In order to delete a rule, you must specify exactly the same arguments you used
to create it (for ICMP rules, the type and code take the place of the ports):
<secgroup> ID of security group.
<ip_proto> IP protocol (icmp, tcp, udp).
<from_port> Port at start of range.
<to_port> Port at end of range.
<cidr> CIDR for address range.
$ nova secgroup-delete-rule default tcp 80 80 0.0.0.0/0
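Because a rule can only be deleted by repeating its exact arguments, the practical way to keep a group in a known state is to read back what nova secgroup-list-rules reports, compare it with the rule set you intend, and emit the precise delete and add commands. The following is an added example, not part of the original page or of the nova client: it parses the table format shown above (the sample table is constructed here from the page's own output) and prints the commands that reconcile the group. The function names and the desired rule set are this example's own assumptions; group-to-group rules (rows with a Source Group) are skipped because nova identifies those by group name, not by CIDR.

```python
"""Reconcile a nova-network security group against a desired rule set.
Added example; parses the table printed by `nova secgroup-list-rules` and
emits the exact `secgroup-delete-rule` / `secgroup-add-rule` commands."""
from typing import List, Set, Tuple

# A CIDR rule is identified by exactly these four values, in this order.
Rule = Tuple[str, int, int, str]   # (ip_proto, from_port, to_port, cidr)

# Constructed sample: the output of `nova secgroup-list-rules default`
# after the two rules added earlier on this page.
SAMPLE_OUTPUT = """\
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 80        | 80      | 0.0.0.0/0 |              |
| icmp        | 8         | 0       | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
"""

# Assumed target state: HTTPS from one office range instead of HTTP from
# anywhere, and keep ping (echo request, type 8 code 0) open.
DESIRED: Set[Rule] = {
    ("tcp", 443, 443, "192.0.2.0/24"),
    ("icmp", 8, 0, "0.0.0.0/0"),
}


def parse_list_rules(output: str) -> Set[Rule]:
    """Turn the ASCII table into a set of CIDR rules."""
    rules = set()
    for line in output.splitlines():
        if not line.startswith("|"):
            continue                           # border lines start with '+'
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "IP Protocol":
            continue                           # header row
        proto, from_port, to_port, ip_range, source_group = cells
        if source_group or not ip_range:
            continue                           # group-to-group rule, not CIDR
        rules.add((proto.lower(), int(from_port), int(to_port), ip_range))
    return rules


def plan(secgroup: str, current: Set[Rule], desired: Set[Rule]) -> List[str]:
    """Commands that change `current` into `desired`, deletes before adds.
    Each delete repeats the rule's own four values, as nova requires."""
    cmds = []
    for rule in sorted(current - desired):
        cmds.append("nova secgroup-delete-rule %s %s %d %d %s" % ((secgroup,) + rule))
    for rule in sorted(desired - current):
        cmds.append("nova secgroup-add-rule %s %s %d %d %s" % ((secgroup,) + rule))
    return cmds


if __name__ == "__main__":
    current = parse_list_rules(SAMPLE_OUTPUT)
    for cmd in plan("default", current, DESIRED):
        print(cmd)
```

Piping the real command output into parse_list_rules instead of SAMPLE_OUTPUT gives the same plan for a live group; running plan with an already reconciled group returns no commands, so the script is safe to re-run.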