cloudstack-dev mailing list archives

From Kishan Kavala <Kishan.Kav...@citrix.com>
Subject RE: [Blocker] Default ip table rules on VR
Date Thu, 30 Jul 2015 08:43:34 GMT
This is a security issue with high impact.
We should treat it as a blocker.

-----Original Message-----
From: Jayapal Reddy Uradi [mailto:jayapalreddy.uradi@citrix.com] 
Sent: 30 July 2015 02:07 PM
To: <dev@cloudstack.apache.org> <dev@cloudstack.apache.org>
Subject: Re: [Blocker] Default ip table rules on VR

I see VR ingress traffic is blocked by default by the iptables mangle table.
But on the guest interface all the traffic is accepted.
Also, the egress firewall rule will break because of the FORWARD policy.

Thanks,
Jayapal

On 30-Jul-2015, at 12:53 PM, Jayapal Reddy Uradi <jayapalreddy.uradi@citrix.com> wrote:

> 
> It is a security concern on the VR. All the ingress traffic onto the VR is accepted.
> Let it be a blocker.
> 
> Thanks,
> Jayapal
> 
> On 30-Jul-2015, at 12:28 PM, Daan Hoogland <daan.hoogland@gmail.com>
> wrote:
> 
>> I changed it to critical. It is only a blocker if we agree on this 
>> list that it is.
>> 
>> On Thu, Jul 30, 2015 at 6:44 AM, Sanjeev N <sanjeev@apache.org> wrote:
>>> Hi,
>>> 
>>> In the latest ACS builds, the iptables rules in the VR have ACCEPT as the 
>>> default policy in the INPUT and FORWARD chains, instead of DROP.
>>> 
>>> Created a blocker bug for this issue
>>> https://issues.apache.org/jira/browse/CLOUDSTACK-8688
>>> 
>>> Can somebody please fix it?
>>> 
>>> Thanks,
>>> Sanjeev
>> 
>> 
>> 
>> --
>> Daan
> 
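The thread's concern is that the VR's INPUT and FORWARD chains default to ACCEPT. As an added example (not part of this thread and not CloudStack's own VR scripts), here is a small POSIX shell audit that reads `iptables -S`-style output and fails when INPUT or FORWARD does not default to DROP; the two rule listings are constructed samples, one modelled on the reported state and one hardened.

```shell
#!/bin/sh
# Audit default chain policies in "iptables -S" output (filter table).
# Constructed sample modelled on the report: INPUT/FORWARD default to ACCEPT.
WEAK_SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j ACCEPT'

# Constructed sample of the expected hardened state (OUTPUT ACCEPT is normal).
HARDENED_SAMPLE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

# Reads a rule listing on stdin and prints "CHAIN POLICY" for every built-in
# chain whose -P line is not DROP. User chains (-N lines) have no policy and
# are skipped. Live use: iptables -S | weak_policies
weak_policies() {
    awk '$1 == "-P" && $3 != "DROP" { print $2, $3 }'
}

# Takes the rule listing as one string argument.
# Returns 0 when INPUT and FORWARD both default to DROP, 1 otherwise.
check_vr_policies() {
    weak=$(printf '%s\n' "$1" | weak_policies |
           awk '$1 == "INPUT" || $1 == "FORWARD"')
    if [ -n "$weak" ]; then
        printf 'FAIL: permissive default policy on:\n%s\n' "$weak"
        return 1
    fi
    echo "OK: INPUT and FORWARD default to DROP"
    return 0
}

# Run both samples; the first is expected to fail, so its status is not fatal.
check_vr_policies "$WEAK_SAMPLE" || echo "(this is the state reported on the list)"
check_vr_policies "$HARDENED_SAMPLE"
```

The same audit should be repeated for the mangle table (`iptables -t mangle -S`), since the thread notes that is where the VR's ingress blocking currently lives.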

