cloudstack-dev mailing list archives

From Wilder Rodrigues <WRodrig...@schubergphilis.com>
Subject Re: [Blocker] Default ip table rules on VR
Date Thu, 30 Jul 2015 12:35:37 GMT
Hi,

We discussed that one yesterday and I already assigned the issue to myself on Jira. I will
fix it.

Cheers,
Wilder



> On 30 Jul 2015, at 14:09, Sanjeev N <sanjeev@apache.org> wrote:
> 
> Agree with Kishan Kavala and Jayapal.
> 
> On Thu, Jul 30, 2015 at 2:13 PM, Kishan Kavala <Kishan.Kavala@citrix.com>
> wrote:
> 
>> This is a security issue with high impact.
>> We should treat it as a blocker.
>> 
>> -----Original Message-----
>> From: Jayapal Reddy Uradi [mailto:jayapalreddy.uradi@citrix.com]
>> Sent: 30 July 2015 02:07 PM
>> To: <dev@cloudstack.apache.org> <dev@cloudstack.apache.org>
>> Subject: Re: [Blocker] Default ip table rules on VR
>> 
>> I see VR ingress traffic is blocked by default from iptables mangle table.
>> But on the guest interface all the traffic is accepted.
>> Also egress firewall rule will break because of FORWARD policy.
>> 
>> Thanks,
>> Jayapal
>> 
>> On 30-Jul-2015, at 12:53 PM, Jayapal Reddy Uradi <
>> jayapalreddy.uradi@citrix.com> wrote:
>> 
>>> 
>>> It is a security concern on the VR. All the ingress traffic onto the VR is accepted.
>>> Let it be a blocker.
>>> 
>>> Thanks,
>>> Jayapal
>>> 
>>> On 30-Jul-2015, at 12:28 PM, Daan Hoogland <daan.hoogland@gmail.com>
>>> wrote:
>>> 
>>>> I changed it to critical. It is only a blocker if we agree on this
>>>> list that it is.
>>>> 
>>>> On Thu, Jul 30, 2015 at 6:44 AM, Sanjeev N <sanjeev@apache.org> wrote:
>>>>> Hi,
>>>>> 
>>>>> In latest ACS builds, the ip table rules in VR have ACCEPT as the
>>>>> default policy in INPUT and FORWARD chains, instead of DROP.
>>>>> 
>>>>> Created a blocker bug for this issue
>>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-8688
>>>>> 
>>>>> Can somebody please fix it?
>>>>> 
>>>>> Thanks,
>>>>> Sanjeev
>>>> 
>>>> 
>>>> 
>>>> --
>>>> Daan
>>> 
>> 
>> 
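
An added example, not part of the thread or of the CloudStack code base: a shell check that reads `iptables-save` output and flags the condition reported above, filter-table INPUT or FORWARD chains whose default policy is not DROP. The function names are hypothetical and both sample rulesets are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit iptables-save output for the
# condition reported in CLOUDSTACK-8688.
# Prints one FAIL line per filter-table INPUT/FORWARD chain whose default
# policy is not DROP. Exit: 0 = both DROP, 1 = finding, 2 = chain not found.
check_default_policies() {
    awk '
        /^\*/ { table = substr($1, 2); next }   # table header, e.g. "*filter"
        /^:/ && table == "filter" {             # chain line ":INPUT ACCEPT [0:0]"
            chain = substr($1, 2)
            if (chain != "INPUT" && chain != "FORWARD") next
            seen[chain] = 1
            if ($2 != "DROP") {
                printf "FAIL filter/%s default policy is %s, expected DROP\n", chain, $2
                bad = 1
            }
        }
        END {
            if (!seen["INPUT"] || !seen["FORWARD"]) {
                print "ERROR filter INPUT/FORWARD policy lines not found"
                exit 2
            }
            exit bad + 0
        }
    '
}

# Constructed sample: ruleset as reported (ACCEPT defaults in the filter table).
sample_reported() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

# Constructed sample: same ruleset with DROP defaults in the filter table only.
sample_expected() {
    sample_reported | sed '/^\*filter$/,/^COMMIT$/{s/^:INPUT ACCEPT/:INPUT DROP/;s/^:FORWARD ACCEPT/:FORWARD DROP/;}'
}

sample_reported | check_default_policies || true
```

On a router the same function can be fed live data with `iptables-save | check_default_policies`; the mangle-table `:INPUT ACCEPT` line in the samples is ignored on purpose, since only the filter table's defaults are being audited.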

