cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From wid...@apache.org
Subject [15/38] git commit: refs/heads/qemu-img - Egress Firewall Rules Documentation
Date Mon, 18 Feb 2013 17:21:26 GMT
Egress Firewall Rules Documentation


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/2beb66fd
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/2beb66fd
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/2beb66fd

Branch: refs/heads/qemu-img
Commit: 2beb66fd32bd8b176a7b4eff2d0a34aa4d278045
Parents: 6279433
Author: Radhika PC <radhika.puthiyetath@citrix.com>
Authored: Fri Feb 15 21:31:30 2013 +0530
Committer: Pranav Saxena <pranav.saxena@citrix.com>
Committed: Fri Feb 15 21:31:30 2013 +0530

----------------------------------------------------------------------
 docs/en-US/creating-network-offerings.xml  |    2 +-
 docs/en-US/egress-firewall-rule.xml        |   98 +++++++++++++++++++
 docs/en-US/firewall-rules.xml              |  119 ++++++++++++++---------
 docs/en-US/images/egress-firewall-rule.png |  Bin 0 -> 10413 bytes
 docs/en-US/ip-forwarding-firewalling.xml   |   44 +++++----
 5 files changed, 195 insertions(+), 68 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2beb66fd/docs/en-US/creating-network-offerings.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/creating-network-offerings.xml b/docs/en-US/creating-network-offerings.xml
index df39242..1f79fb1 100644
--- a/docs/en-US/creating-network-offerings.xml
+++ b/docs/en-US/creating-network-offerings.xml
@@ -117,7 +117,7 @@
                 </row>
                 <row>
                   <entry><para>Firewall</para></entry>
-                  <entry><para condition="admin">For more information, see <xref
+                  <entry><para condition="install">For more information, see
<xref
                         linkend="firewall-rules"/>.</para>
                     <para condition="admin">For more information, see the Administration
                       Guide.</para></entry>

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2beb66fd/docs/en-US/egress-firewall-rule.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/egress-firewall-rule.xml b/docs/en-US/egress-firewall-rule.xml
new file mode 100644
index 0000000..ef0e25e
--- /dev/null
+++ b/docs/en-US/egress-firewall-rule.xml
@@ -0,0 +1,98 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"
[
+<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
+%BOOK_ENTITIES;
+]>
+<!-- Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+  http://www.apache.org/licenses/LICENSE-2.0
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<section id="egress-firewall-rule">
+  <title>Creating Egress Firewall Rules in an Advanced Zone</title>
+  <note>
+    <para>The egress firewall rules are supported only on virtual routers.</para>
+  </note>
+  <para/>
+  <para>The egress traffic originates from a private network to a public network, such
as the
+    Internet. By default, the egress traffic is blocked, so no outgoing traffic is allowed
from a
+    guest network to the Internet. However, you can control the egress traffic in an Advanced
zone
+    by creating egress firewall rules. When an egress firewall rule is applied, the traffic
specific
+    to the rule is allowed and the remaining traffic is blocked. When all the firewall rules
are
+    removed the default policy, Block, is applied.</para>
+  <para>Consider the following scenarios to apply egress firewall rules:</para>
+  <itemizedlist>
+    <listitem>
+      <para>Allow the egress traffic from specified source CIDR. The Source CIDR is
part of guest
+        network CIDR.</para>
+    </listitem>
+    <listitem>
+      <para>Allow the egress traffic with destination protocol TCP,UDP,ICMP, or ALL.</para>
+    </listitem>
+    <listitem>
+      <para>Allow the egress traffic with destination protocol and port range. The
port range is
+        specified for TCP, UDP or for ICMP type and code.</para>
+    </listitem>
+  </itemizedlist>
+  <para>To configure an egress firewall rule:</para>
+  <orderedlist>
+    <listitem>
+      <para>Log in to the &PRODUCT; UI as an administrator or end user. </para>
+    </listitem>
+    <listitem>
+      <para>In the left navigation, choose Network.</para>
+    </listitem>
+    <listitem>
+      <para>In Select view, choose Guest networks, then click the Guest network you
want.</para>
+    </listitem>
+    <listitem>
+      <para>To add an egress rule, click the Egress rules tab and fill out the following
fields to
+        specify what type of traffic is allowed to be sent out of VM instances in this guest
+        network:</para>
+      <mediaobject>
+        <imageobject>
+          <imagedata fileref="./images/egress-firewall-rule.png"/>
+        </imageobject>
+        <textobject>
+          <phrase>egress-firewall-rule.png: adding an egress firewall rule</phrase>
+        </textobject>
+      </mediaobject>
+      <itemizedlist>
+        <listitem>
+          <para><emphasis role="bold">CIDR</emphasis>: (Add by CIDR only)
To send traffic only to
+            the IP addresses within a particular address block, enter a CIDR or a comma-separated
+            list of CIDRs. The CIDR is the base IP address of the destination. For example,
+            192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para>
+        </listitem>
+        <listitem>
+          <para><emphasis role="bold">Protocol</emphasis>: The networking
protocol that VMs uses to
+            send outgoing traffic. The TCP and UDP protocols are typically used for data
exchange
+            and end-user communications. The ICMP protocol is typically used to send error
messages
+            or network monitoring data.</para>
+        </listitem>
+        <listitem>
+          <para><emphasis role="bold">Start Port, End Port</emphasis>:
(TCP, UDP only) A range of
+            listening ports that are the destination for the outgoing traffic. If you are
opening a
+            single port, use the same number in both fields.</para>
+        </listitem>
+        <listitem>
+          <para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>:
(ICMP only) The type of
+            message and error code that are sent.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+    <listitem>
+      <para>Click Add.</para>
+    </listitem>
+  </orderedlist>
+</section>

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2beb66fd/docs/en-US/firewall-rules.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/firewall-rules.xml b/docs/en-US/firewall-rules.xml
index 01d072b..837a4c6 100644
--- a/docs/en-US/firewall-rules.xml
+++ b/docs/en-US/firewall-rules.xml
@@ -3,53 +3,80 @@
 <!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
 %BOOK_ENTITIES;
 ]>
-
 <!-- Licensed to the Apache Software Foundation (ASF) under one
-	or more contributor license agreements.  See the NOTICE file
-	distributed with this work for additional information
-	regarding copyright ownership.  The ASF licenses this file
-	to you under the Apache License, Version 2.0 (the
-	"License"); you may not use this file except in compliance
-	with the License.  You may obtain a copy of the License at
-	
-	http://www.apache.org/licenses/LICENSE-2.0
-	
-	Unless required by applicable law or agreed to in writing,
-	software distributed under the License is distributed on an
-	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-	KIND, either express or implied.  See the License for the
-	specific language governing permissions and limitations
-	under the License.
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+  http://www.apache.org/licenses/LICENSE-2.0
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
 -->
 <section id="firewall-rules">
-	<title>Firewall Rules</title>
-	<para>By default, all incoming traffic to the public IP address is rejected by the
firewall. To allow external traffic, you can open firewall ports by specifying firewall rules.
 You can optionally specify one or more CIDRs to filter the source IPs. This is useful when
you want to allow only incoming requests from certain IP addresses.</para>
-	<para>You cannot use firewall rules to open ports for an elastic IP address. When
elastic IP is used, outside access is instead controlled through the use of security groups.
See <xref linkend="add-security-group"/>.</para>
-	<para>Firewall rules can be created using the Firewall tab in the Management Server
UI. This tab is not displayed by default when &PRODUCT; is installed. To display the Firewall
tab, the &PRODUCT; administrator must set the global configuration parameter firewall.rule.ui.enabled
to "true."</para>
-	<para>To create a firewall rule:</para>
-	<orderedlist>
-		<listitem><para>Log in to the &PRODUCT; UI as an administrator or end user.
</para></listitem>
-		<listitem><para>In the left navigation, choose Network.</para></listitem>
-		<listitem><para>Click the name of the network where you want to work with.</para></listitem>
-		<listitem><para>Click View IP Addresses.</para></listitem>
-		<listitem><para>Click the IP address you want to work with.</para>
-		</listitem>
-		<listitem><para>Click the Configuration tab and fill in the following values.</para>
-		<itemizedlist>
-			<listitem><para><emphasis role="bold">Source CIDR</emphasis>.
(Optional) To accept only traffic from IP
-						addresses within a particular address block, enter a CIDR or a
-						comma-separated list of CIDRs. Example: 192.168.0.0/22. Leave empty to allow
-						all CIDRs.</para></listitem>
-			<listitem><para><emphasis role="bold">Protocol</emphasis>. The
communication protocol in use on the opened
-						port(s).</para></listitem>
-			<listitem><para><emphasis role="bold">Start Port and End Port</emphasis>.
The port(s) you want to open on the
-						firewall. If you are opening a single port, use the same number in both
-						fields</para></listitem>
-			<listitem><para><emphasis role="bold">ICMP Type and ICMP Code</emphasis>.
Used only if Protocol is set to
-						ICMP. Provide the type and code required by the ICMP protocol to fill out
-						the ICMP header. Refer to ICMP documentation for more details if you are not
-						sure what to enter</para></listitem>
-		</itemizedlist></listitem>
-		<listitem><para>Click Add.</para></listitem>		
-	</orderedlist>
+  <title>Firewall Rules</title>
+  <para>By default, all incoming traffic to the public IP address is rejected by the
firewall. To
+    allow external traffic, you can open firewall ports by specifying firewall rules. You
can
+    optionally specify one or more CIDRs to filter the source IPs. This is useful when you
want to
+    allow only incoming requests from certain IP addresses.</para>
+  <para>You cannot use firewall rules to open ports for an elastic IP address. When
elastic IP is
+    used, outside access is instead controlled through the use of security groups. See <xref
+      linkend="add-security-group"/>.</para>
+  <para>In an advanced zone, you can also create egress firewall rules by using the
virtual router.
+    For more information, see <xref linkend="egress-firewall-rule"/>.</para>
+  <para>Firewall rules can be created using the Firewall tab in the Management Server
UI. This tab
+    is not displayed by default when &PRODUCT; is installed. To display the Firewall
tab, the
+    &PRODUCT; administrator must set the global configuration parameter firewall.rule.ui.enabled
to
+    "true."</para>
+  <para>To create a firewall rule:</para>
+  <orderedlist>
+    <listitem>
+      <para>Log in to the &PRODUCT; UI as an administrator or end user. </para>
+    </listitem>
+    <listitem>
+      <para>In the left navigation, choose Network.</para>
+    </listitem>
+    <listitem>
+      <para>Click the name of the network where you want to work with.</para>
+    </listitem>
+    <listitem>
+      <para>Click View IP Addresses.</para>
+    </listitem>
+    <listitem>
+      <para>Click the IP address you want to work with.</para>
+    </listitem>
+    <listitem>
+      <para>Click the Configuration tab and fill in the following values.</para>
+      <itemizedlist>
+        <listitem>
+          <para><emphasis role="bold">Source CIDR</emphasis>. (Optional)
To accept only traffic from
+            IP addresses within a particular address block, enter a CIDR or a comma-separated
list
+            of CIDRs. Example: 192.168.0.0/22. Leave empty to allow all CIDRs.</para>
+        </listitem>
+        <listitem>
+          <para><emphasis role="bold">Protocol</emphasis>. The communication
protocol in use on the
+            opened port(s).</para>
+        </listitem>
+        <listitem>
+          <para><emphasis role="bold">Start Port and End Port</emphasis>.
The port(s) you want to
+            open on the firewall. If you are opening a single port, use the same number in
both
+            fields</para>
+        </listitem>
+        <listitem>
+          <para><emphasis role="bold">ICMP Type and ICMP Code</emphasis>.
Used only if Protocol is
+            set to ICMP. Provide the type and code required by the ICMP protocol to fill
out the
+            ICMP header. Refer to ICMP documentation for more details if you are not sure
what to
+            enter</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+    <listitem>
+      <para>Click Add.</para>
+    </listitem>
+  </orderedlist>
 </section>

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2beb66fd/docs/en-US/images/egress-firewall-rule.png
----------------------------------------------------------------------
diff --git a/docs/en-US/images/egress-firewall-rule.png b/docs/en-US/images/egress-firewall-rule.png
new file mode 100644
index 0000000..fa1d8ec
Binary files /dev/null and b/docs/en-US/images/egress-firewall-rule.png differ

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2beb66fd/docs/en-US/ip-forwarding-firewalling.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/ip-forwarding-firewalling.xml b/docs/en-US/ip-forwarding-firewalling.xml
index c154b07..54e18b7 100644
--- a/docs/en-US/ip-forwarding-firewalling.xml
+++ b/docs/en-US/ip-forwarding-firewalling.xml
@@ -3,28 +3,30 @@
 <!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
 %BOOK_ENTITIES;
 ]>
-
 <!-- Licensed to the Apache Software Foundation (ASF) under one
-    or more contributor license agreements.  See the NOTICE file
-    distributed with this work for additional information
-    regarding copyright ownership.  The ASF licenses this file
-    to you under the Apache License, Version 2.0 (the
-    "License"); you may not use this file except in compliance
-    with the License.  You may obtain a copy of the License at
-    
-    http://www.apache.org/licenses/LICENSE-2.0
-    
-    Unless required by applicable law or agreed to in writing,
-    software distributed under the License is distributed on an
-    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-    KIND, either express or implied.  See the License for the
-    specific language governing permissions and limitations
-    under the License.
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+  http://www.apache.org/licenses/LICENSE-2.0
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
 -->
 <section id="ip-forwarding-firewalling">
-    <title>IP Forwarding and Firewalling</title>
-    <para>By default, all incoming traffic to the public IP address is rejected. All
outgoing traffic from the guests is translated via NAT to the public IP address and is allowed.</para>
-    <para>To allow incoming traffic, users may set up firewall rules and/or port forwarding
rules. For example, you can use a firewall rule to open a range of ports on the public IP
address, such as 33 through 44. Then use port forwarding rules to direct traffic from individual
ports within that range to specific ports on user VMs. For example, one port forwarding rule
could route incoming traffic on the public IP's port 33 to port 100 on one user VM's private
IP.</para>
-    <xi:include href="firewall-rules.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
-    <xi:include href="port-forwarding.xml" xmlns:xi="http://www.w3.org/2001/XInclude"
/>
+  <title>IP Forwarding and Firewalling</title>
+  <para>By default, all incoming traffic to the public IP address is rejected. All
outgoing traffic
+    from the guests is translated via NAT to the public IP address and is allowed.</para>
+  <para>To allow incoming traffic, users may set up firewall rules and/or port forwarding
rules. For
+    example, you can use a firewall rule to open a range of ports on the public IP address,
such as
+    33 through 44. Then use port forwarding rules to direct traffic from individual ports
within
+    that range to specific ports on user VMs. For example, one port forwarding rule could
route
+    incoming traffic on the public IP's port 33 to port 100 on one user VM's private IP.</para>
+   <xi:include href="egress-firewall-rule.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="port-forwarding.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
 </section>


Mime
View raw message