Setting up a security group


#1

Can someone explain very simply how the Security Groups on Scaleway work?

From what I can understand from support, I should be able to control which ports and IP addresses are either allowed or blocked from accessing the servers in the group. Is this correct?

I would like to avoid needing software firewalls on any of the servers, and just use the security groups to handle what is blocked and what can be accessed.

TIA

Thomas
whoGloo, Inc. (www.whogloo.com)


#2

These are basically an iptables-like configuration that is managed outside of your machine.

If you make changes you have to restart (not in all cases) your hardware box, which makes it impractical.


#3

If it is managed outside the machine, why do the servers need to be restarted? Is this because the config is pushed to each server as a software firewall implementation?


#4

I am trying to resolve this mystery as well. It feels like back in the times of Windows 95.

I think the update in the switches/router is triggered when the server is getting its IP. That's why you have to restart.


#5

Hi,

I’m having issues with security groups as well. It looks like they are not working at all.
I created an issue for support, but they redirected me to their blog (I guess they wanted to redirect me here).

I created a simple rule to block TCP port 5432 for PostgreSQL and applied the security group to the server,
but I can still access the port from outside. Then I restarted the server (which does not make any sense),
but I can still access that port.

Are security groups working for somebody at all?

Any help would be appreciated.
Jurgis


#6

SGs are not working for my instances either… sad, very sad.


#7

I managed to make them work by shutting down and restarting the server.


#8

The rules of the security groups are implemented in the hardware/switch (made by Scaleway).
This is a very basic ----stateless---- filtering.
You have to manage your server's iptables (with -m state).
It’s additional security ----in depth----.

The main reason, IMHO, is simply to avoid locking yourself out of your server with bad iptables rules;
some people don’t necessarily know how to protect a server via iptables.

you can search “iptables” posts to get more info


#9

Depends on what you mean by “restarted”

I got them working once, but you need to do a full reboot. That means shut down the server with the “Archive” option and then fire it up again on a new node. The hard reboot option does not work.


#10

You do not need to restart instances at all; just wait a few minutes for the rules to be activated.
Unfortunately, security groups are not working on bare metal, because connection tracking is not available.
This is a great pity, because it would be a useful feature, as the Linux firewall is a bit harder to configure because of the network-attached storage.
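Posts #8 and #10 together describe the situation a practitioner actually has to handle: the upstream security group is stateless, so the stateful protection (`-m state`) has to live in the server's own iptables, and on a machine whose root disk or NAS is reached over the network, a badly ordered rule load can cut off the storage session and lock you out. The script below is an added example, not code from the thread or from Scaleway. It prints the rule set by default and only executes it when invoked as root with `--apply`. It assumes (hypothetically, nothing in the thread states this) SSH on 22/tcp, PostgreSQL on 5432/tcp reachable only from a private range `ADMIN_NET`, and a storage mount that the server itself initiates, so the ESTABLISHED,RELATED rule is what keeps that session alive.

```shell
#!/bin/sh
# Added example (not from the thread): host firewall for an instance whose
# upstream security group is stateless. Prints the iptables commands by default;
# "--apply" (as root) runs them in order.
# Assumptions (hypothetical): SSH on 22/tcp; PostgreSQL on 5432/tcp only from
# ADMIN_NET; a NAS/NBD session initiated by this server, which the state rule
# keeps alive while the chain is rebuilt.

ADMIN_NET="${ADMIN_NET:-10.0.0.0/8}"   # assumed private range allowed to reach PostgreSQL

# Emit the rules in an order that never cuts a live connection: the policy
# stays ACCEPT while the chain is flushed and rebuilt, and only flips to DROP
# after the ESTABLISHED,RELATED rule that covers the storage session exists.
ruleset() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -s $ADMIN_NET -p tcp --dport 5432 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
iptables -P INPUT DROP
EOF
}

# Sanity checks to run before applying: the state rule must come before the
# DROP policy (otherwise the disk/NAS session dies mid-load), and 5432 must
# never be opened without a source restriction.
check_ruleset() {
    rules=$(ruleset)
    state_line=$(printf '%s\n' "$rules" | grep -n -- '--state ESTABLISHED,RELATED' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-P INPUT DROP' | cut -d: -f1)
    [ -n "$state_line" ] && [ -n "$drop_line" ] && [ "$state_line" -lt "$drop_line" ] || return 1
    printf '%s\n' "$rules" | grep -- '--dport 5432' | grep -q -- '-s ' || return 1
    return 0
}

case "${1:-}" in
    --apply) check_ruleset || { echo "ruleset failed sanity check" >&2; exit 1; }
             ruleset | sh -e ;;
    *)       ruleset ;;
esac
```

Run it without arguments first and read the output, then `ADMIN_NET=192.0.2.0/24 sh fw.sh --apply` from a console you are sure of (serial/KVM rather than SSH) the first time. The `-m state` match is what the thread names; on current kernels `-m conntrack --ctstate` is the preferred spelling with identical semantics. Keep the security group rules as well: they are the outer, stateless layer, and the host rules are the stateful one underneath.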