cloudstack-dev mailing list archives

From Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com>
Subject Re: Useless egress in SG zone?
Date Tue, 28 Jan 2014 05:20:54 GMT
Hi Nux,


1. By default we are allowing egress in SG.
2. But when you configure any rule in egress, it allows ONLY configured rule traffic and other
traffic will be BLOCKED.

If the admin wants to allow only specific ports/addresses, this can be done by configuring SG egress
rules.

In my firewalls, the default egress is allow for trusted networks.

Thanks,
Jayapal

On 25-Jan-2014, at 6:58 AM, Nux! <nux@li.nux.ro> wrote:

> On 25.01.2014 01:12, Marcus Sorensen wrote:
>> Are you talking about the rules that ensure an instance can't bring up and
>> use IP addresses that are not assigned to it?
> 
> I'm not sure. Here's a pic:
> http://img.nux.ro/jC4b-Selection_015.png
> 
> The anti-spoofing is working ok, supposedly, but I was expecting that either:
> 1 - egress is blocked by default, just like ingress, so just ports/addresses specified there can be accessed
> 2 - less orthodox, but since we allow all outgoing by default for a VM then make this a blacklist instead of a whitelist, i.e. ports/addresses specified here cannot be accessed
> 
> Do I make any sense?
> 
> Lucian
> 
> -- 
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
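
A small model of the egress behaviour described in the reply above, as an added example that is not part of the original thread and is not CloudStack's code. The names `EgressRule`, `egress_allowed` and `blocked_flows` are hypothetical, and the rules, flows and addresses are constructed sample data (documentation ranges).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    """One security-group egress rule (TCP/UDP only in this model)."""
    protocol: str      # "tcp" or "udp"
    start_port: int
    end_port: int
    cidr: str          # destination network, e.g. "0.0.0.0/0"

    def matches(self, protocol, port, dest_ip):
        return (protocol == self.protocol
                and self.start_port <= port <= self.end_port
                and ipaddress.ip_address(dest_ip) in ipaddress.ip_network(self.cidr))


def egress_allowed(rules, protocol, port, dest_ip):
    """Semantics stated in the thread:
    1. no egress rule configured -> all egress is allowed;
    2. one or more rules configured -> only matching traffic is allowed."""
    if not rules:
        return True
    return any(r.matches(protocol, port, dest_ip) for r in rules)


def blocked_flows(rules, flows):
    """Return the flows a given rule set would block (useful before applying it)."""
    return [f for f in flows if not egress_allowed(rules, *f)]


# Constructed sample traffic a typical VM generates.
SAMPLE_FLOWS = [
    ("tcp", 443, "203.0.113.10"),   # HTTPS to an update mirror
    ("udp", 53, "198.51.100.53"),   # DNS lookup
    ("tcp", 25, "192.0.2.25"),      # outbound SMTP
]

# Adding a single "allow HTTPS" rule flips the group to default-deny,
# so DNS and SMTP stop working unless they get rules of their own.
HTTPS_ONLY = [EgressRule("tcp", 443, 443, "0.0.0.0/0")]
HTTPS_AND_DNS = HTTPS_ONLY + [EgressRule("udp", 53, 53, "198.51.100.0/24")]

if __name__ == "__main__":
    for name, rules in [("no rules", []), ("https only", HTTPS_ONLY),
                        ("https + dns", HTTPS_AND_DNS)]:
        print(name, "-> blocked:", blocked_flows(rules, SAMPLE_FLOWS))
```

Checking a proposed rule set against expected traffic this way shows which flows the first egress rule will cut off, DNS being the usual casualty.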

