Comment 5 for bug 1304613

Jeff Lane  (bladernr) wrote : Re: nodes can't get out to the internet beyond the maas server by default

As for your question about the region... I don't know... that's operating at scale. The question there is probably one of hierarchy... for example, would you have multiple, linked region controllers, or more like a few region controllers and several cluster controllers under each?

And in that case, perhaps you'd want to be able to arbitrarily set this assuming each region and cluster controller is a physical machine:

Region1 -- Dashboard -- cluster 1
                     |-- cluster 2
                     |-- cluster 3
                     |-- cluster 4
                                  |---node 1
                                  |---node 2
                                  |---node X

So perhaps you would want to be able to, via the dashboard, or some other means, say, Cluster 1 should be segregated and never pass packets out, but cluster 4 are all web-servers and associated servers and DO need to be able to send and receive from the internet and cluster 3 contains the things the web servers need on the back end (SQL, etc) so Cluster 3 should only talk to cluster 4 and NEVER talk to the internet.

Or I don't know, that's really a VERY ugly example.

My original point was just that, by default on my very simple use case (and also as seen with the Orange Boxes), the deployed nodes can't talk to the internet without some manual futzing behind the scenes, and there's no simple way to fix that if you don't know iptables scripting and what bits to flip.