cloudstack-dev mailing list archives

From Koushik Das <koushik....@citrix.com>
Subject RE: Firewall rule question
Date Wed, 15 May 2013 05:49:40 GMT

> -----Original Message-----
> From: Jayapal Reddy Uradi [mailto:jayapalreddy.uradi@citrix.com]
> Sent: Wednesday, May 15, 2013 10:29 AM
> To: dev@cloudstack.apache.org; aemneina@gmail.com
> Subject: RE: Firewall rule question
> 
> For the createFirewallRule and createEgressFirewallRule APIs the port
> parameters are optional.
> If you don't specify the port range for the protocol (TCP), it allows all the TCP
> traffic.
> 
> Ingress:
> 1.  First, firewall rules filter traffic, then PF/Static NAT will NAT to the specific
> VM.
> If you specify TCP without ports, all TCP traffic on the IP is allowed, then the PF/Static
> NAT rule (PF ports) decides to which VM the traffic should be NATed.
> 
> Egress:
> Traffic from guest network to public network is filtered by egress.
> If you specify TCP without ports, all egress TCP traffic is allowed.
> 

In the case of egress, even the CIDR is optional. If nothing is specified, it defaults to the guest
network CIDR.

> Thanks,
> Jayapal
> 
> > -----Original Message-----
> > From: williamstevens@gmail.com [mailto:williamstevens@gmail.com] On
> > Behalf Of Will Stevens
> > Sent: Wednesday, 15 May 2013 12:19 AM
> > To: dev@cloudstack.apache.org; aemneina@gmail.com
> > Subject: Re: Firewall rule question
> >
> > Ya, I am not sure.  I am working off a master branch from about 2-3
> > weeks ago.  I was kind of expecting it to error and it didn't, so it
> > was not clear how that case would behave.  I am currently developing
> > an integration with the Palo Alto firewall and they don't support
> > specifying a protocol like TCP without any port information.  I still
> > have to finalize the logic associated with that edge case, so I wanted
> > to understand what the expected behaviour was from that config.
> >
> >
> > On Tue, May 14, 2013 at 2:41 PM, Ahmad Emneina <aemneina@gmail.com>
> > wrote:
> >
> > > I'm hoping that's not the default behavior, and nothing happens on
> > > the firewall. I guess the fact that empty values entered returns
> > > success is a bug?
> > >
> > >
> > > On Tue, May 14, 2013 at 8:00 AM, Will Stevens
> > > <wstevens@cloudops.com>
> > > wrote:
> > >
> > > > This applies to both Egress firewall rules as well as IP specific
> > > > firewall rules.
> > > >
> > > > If you specify TCP but do not specify any port details, it saves
> > > > fine.  I am wondering what this config implies.  Does this mean
> > > > that all TCP traffic is allowed?
> > > >
> > > > Thanks,
> > > >
> > > > Will
> > > >
> > >
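As an added illustration (not code from this thread or from CloudStack itself), the following Python model encodes the defaulting rules described above: omitted ports on a TCP/UDP rule mean all ports of that protocol, an egress rule with no CIDR falls back to the guest network CIDR, and ingress traffic is filtered by the firewall rules before the PF/Static NAT rule picks the VM. The `ApiRule`/`ExplicitRule` names, the expansion to 1-65535 that a backend requiring explicit ports (like the Palo Alto integration mentioned) would need, and the 0.0.0.0/0 default for an ingress rule without `cidrlist` are my assumptions, not something the thread states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MIN_PORT, MAX_PORT = 1, 65535


@dataclass(frozen=True)
class ApiRule:
    """Parameters as passed to createFirewallRule / createEgressFirewallRule (constructed model)."""
    protocol: str                     # "tcp", "udp" or "icmp"
    startport: Optional[int] = None   # optional in the API
    endport: Optional[int] = None     # optional in the API
    cidrlist: Optional[str] = None    # comma-separated CIDRs; optional for egress


@dataclass(frozen=True)
class ExplicitRule:
    """Fully specified rule, the form a backend that insists on explicit ports would receive."""
    protocol: str
    startport: int
    endport: int
    cidrs: tuple  # tuple of ipaddress.ip_network objects


def normalize(rule: ApiRule, direction: str, guest_cidr: Optional[str] = None) -> ExplicitRule:
    """Apply the defaults described in the thread.

    * TCP/UDP with no ports means all traffic for that protocol: expand to 1-65535.
    * An egress rule with no cidrlist defaults to the guest network CIDR.
    * A half-specified port range is rejected instead of being silently widened.
    """
    proto = rule.protocol.lower()
    if proto in ("tcp", "udp"):
        if rule.startport is None and rule.endport is None:
            start, end = MIN_PORT, MAX_PORT
        elif rule.startport is None or rule.endport is None:
            raise ValueError("startport and endport must be given together")
        else:
            start, end = rule.startport, rule.endport
        if not (MIN_PORT <= start <= end <= MAX_PORT):
            raise ValueError(f"invalid port range {start}-{end}")
    elif proto == "icmp":
        start, end = 0, 0  # ports are meaningless for ICMP (constructed convention)
    else:
        raise ValueError(f"unsupported protocol {rule.protocol!r}")

    if rule.cidrlist:
        cidrs = tuple(ip_network(c.strip()) for c in rule.cidrlist.split(","))
    elif direction == "egress" and guest_cidr:
        cidrs = (ip_network(guest_cidr),)
    elif direction == "egress":
        raise ValueError("egress rule without cidrlist needs the guest network cidr")
    else:
        cidrs = (ip_network("0.0.0.0/0"),)  # assumption: ingress without cidrlist = any source
    return ExplicitRule(proto, start, end, cidrs)


def is_valid(rule: ApiRule, direction: str, guest_cidr: Optional[str] = None) -> bool:
    """True if the API-style rule normalizes cleanly, False if it would be rejected."""
    try:
        normalize(rule, direction, guest_cidr)
        return True
    except ValueError:
        return False


def allows(rule: ExplicitRule, protocol: str, port: int, peer_ip: str) -> bool:
    """True if traffic with this protocol/port involving peer_ip passes the rule."""
    if rule.protocol != protocol.lower():
        return False
    if rule.protocol in ("tcp", "udp") and not (rule.startport <= port <= rule.endport):
        return False
    addr = ip_address(peer_ip)
    return any(addr in net for net in rule.cidrs)


def ingress_target(fw_rules, pf_rules, protocol, dst_port, src_ip):
    """Ingress order from the thread: firewall rules filter first, then the PF/Static NAT
    rule decides which VM receives the traffic.

    pf_rules: iterable of (protocol, public_start_port, public_end_port, vm_ip).
    Returns the VM IP the packet is NATed to, or None if it is dropped or unmapped.
    """
    if not any(allows(r, protocol, dst_port, src_ip) for r in fw_rules):
        return None  # filtered before NAT ever sees it
    for proto, start, end, vm_ip in pf_rules:
        if proto == protocol.lower() and start <= dst_port <= end:
            return vm_ip
    return None  # allowed by the firewall, but no PF rule maps this port


if __name__ == "__main__":
    # Constructed sample: "TCP with no ports" ingress rule plus one PF rule for port 8080.
    fw = [normalize(ApiRule("TCP", cidrlist="0.0.0.0/0"), "ingress")]
    pf = [("tcp", 8080, 8080, "10.1.1.5")]
    print(fw[0])
    print(ingress_target(fw, pf, "tcp", 8080, "203.0.113.7"))  # 10.1.1.5
    print(ingress_target(fw, pf, "tcp", 22, "203.0.113.7"))    # None: no PF rule for 22
```

The point of the model is the second `ingress_target` call: the port-less TCP rule does admit everything on the public IP, but without a PF/Static NAT entry for that port the traffic still has nowhere to go, which is the behaviour the thread describes. A backend that cannot express "all ports" should be handed the normalized 1-65535 range rather than an empty value.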
