Add security group and rules

The following procedure shows you how to add security groups and add rules to the default security group.
Add or delete a security group

Use the nova secgroup-create command to add security groups. The following example shows how to create the secure1 security group:

    $ nova secgroup-create secure1 "Test security group"
    +---------+---------------------+
    | Name    | Description         |
    +---------+---------------------+
    | secure1 | Test security group |
    +---------+---------------------+

After you create the security group, you can view it in the security group list:

    $ nova secgroup-list
    +---------+---------------------+
    | Name    | Description         |
    +---------+---------------------+
    | default | default             |
    | secure1 | Test security group |
    +---------+---------------------+

Use the nova secgroup-delete command to delete security groups. You cannot delete the default security group. The default security group has these initial settings:

    - All the traffic originated by the instances (outbound traffic) is allowed.
    - All the traffic destined to instances (inbound traffic) is denied.
    - All the instances inside the group are allowed to talk to each other.

You can add extra rules into the default security group for handling the egress traffic. Rules are ingress only at this time.

The following example deletes the secure1 group. When you view the security group list, it no longer appears:

    $ nova secgroup-delete secure1
    $ nova secgroup-list
    +---------+-------------+
    | Name    | Description |
    +---------+-------------+
    | default | default     |
    +---------+-------------+
Modify security group rules

The security group rules control the incoming traffic that can access the instances in the group, while all outbound traffic is automatically allowed. You cannot change the default outbound behavior. Every security group rule is a policy that allows you to specify inbound connections that can access the instance by source address, destination port, and IP protocol (TCP, UDP or ICMP). Currently, you cannot manage IPv6 and other protocols through the security rules, so they are permitted by default. To manage such protocols, you can deploy a firewall in front of your OpenStack cloud to control other types of traffic.

The nova secgroup-add-rule command requires the following arguments for both TCP and UDP rules:

    <secgroup>    ID of security group.
    <ip_proto>    IP protocol (icmp, tcp, udp).
    <from_port>   Port at start of range.
    <to_port>     Port at end of range.
    <cidr>        CIDR for address range.

For ICMP rules, instead of specifying a begin and end port, you specify the allowed ICMP code and ICMP type:

    <secgroup>    ID of security group.
    <ip_proto>    IP protocol (with icmp specified).
    <ICMP_code>   The ICMP code.
    <ICMP_type>   The ICMP type.
    <cidr>        CIDR for the source address range.

Entering -1 for both code and type indicates that all ICMP codes and types are allowed.

The CIDR notation

CIDR notation allows you to specify a base IP address and a suffix that designates the number of significant bits in the IP address used to identify the network. For example, by specifying 88.170.60.32/27, you specify 88.170.60.32 as the base IP and 27 as the suffix. Because you use an IPv4 format, only 5 bits are available for the host part (32 minus 27). The 0.0.0.0/0 notation means you allow the entire IPv4 range, which allows all addresses.
For example, to allow any IP address to access a web server running on one of your instances inside the default security group:

    $ nova secgroup-add-rule default tcp 80 80 0.0.0.0/0
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | tcp         | 80        | 80      | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+

To allow any IP address to ping an instance inside the default security group (Code 0, Type 8 for the ECHO request):

    $ nova secgroup-add-rule default icmp 0 8 0.0.0.0/0
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | icmp        | 0         | 8       | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+

    $ nova secgroup-list-rules default
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | tcp         | 80        | 80      | 0.0.0.0/0 |              |
    | icmp        | 0         | 8       | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+

To delete a rule, you must specify exactly the same arguments that you used to create it:

    <secgroup>    ID of security group.
    <ip_proto>    IP protocol (icmp, tcp, udp).
    <from_port>   Port at start of range.
    <to_port>     Port at end of range.
    <cidr>        CIDR for address range.

    $ nova secgroup-delete-rule default tcp 80 80 0.0.0.0/0
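As an added example, not taken from the OpenStack documentation or the nova code base, the following Python models the rule semantics this procedure describes: the default group's deny-inbound, allow-members behaviour, TCP/UDP port ranges, the ICMP code/type -1 wildcard, CIDR matching (with IPv6 sources falling outside every IPv4 CIDR), and the exact-argument requirement of nova secgroup-delete-rule. The rule list, group membership and all addresses are constructed for the example.

```python
import ipaddress

# Constructed rule list in the (ip_proto, from_port/ICMP code, to_port/ICMP type, cidr)
# order that nova secgroup-add-rule takes; the first two are the page's own examples.
RULES = [
    ("tcp", 80, 80, "0.0.0.0/0"),
    ("icmp", 0, 8, "0.0.0.0/0"),
    ("tcp", 22, 22, "88.170.60.32/27"),   # SSH only from the /27 discussed above
]

# Constructed membership list: instances in one group may always talk to each other.
GROUP_MEMBERS = {"10.0.0.11", "10.0.0.12"}


def rule_matches(rule, proto, first, second, src_ip):
    """True if a single rule permits an inbound packet.

    For tcp/udp, `first` is the destination port and `second` is ignored.
    For icmp, `first`/`second` are the packet's code and type, in the order
    the page gives them; -1 in the rule is the wildcard the page describes.
    """
    ip_proto, lo, hi, cidr = rule
    if ip_proto != proto:
        return False
    # A source outside the CIDR never matches. An IPv6 source never falls inside
    # an IPv4 CIDR, which is why IPv6 cannot be managed with these rules.
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(cidr, strict=False):
        return False
    if proto == "icmp":
        return lo in (-1, first) and hi in (-1, second)
    return lo <= first <= hi


def inbound_allowed(rules, proto, first, second, src_ip, members=GROUP_MEMBERS):
    """Default-group policy: deny inbound unless a member sent it or a rule allows it."""
    if src_ip in members:
        return True
    return any(rule_matches(r, proto, first, second, src_ip) for r in rules)


def delete_rule(rules, proto, lo, hi, cidr):
    """Mirror nova secgroup-delete-rule: only an exact argument match removes a rule."""
    rule = (proto, lo, hi, cidr)
    if rule not in rules:
        return False
    rules.remove(rule)
    return True
```

Outbound traffic is not modelled because, as the text states, egress is always allowed and cannot be changed by rules.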