cloudstack-dev mailing list archives

From wilderrodrigues <...@git.apache.org>
Subject [GitHub] cloudstack pull request: CLOUDSTACK-8688 - default policies for IN...
Date Mon, 31 Aug 2015 12:12:37 GMT
GitHub user wilderrodrigues opened a pull request:

    https://github.com/apache/cloudstack/pull/765

    CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be se…

    …t to DROP instead of ACCEPT
    
      - In order to be able to access the routers via the link local interface, we have to add a rule with NEW and ESTABLISHED state
    
    Tests:
    
    * Deployed 2 zones, basic and advanced, using KVM as hypervisor
    * On the basic zone, created 1 security group, added ingress rules to open port 22 and deployed 1 VM
      * SSH into the router and checked that the INPUT/FORWARD policies were set to DROP
      * SSH to the VM
    * On the advanced zone, created 1 single VPC (with 2 tiers, 2 pub IPs, 2 VMs and 1 ACL), 1 redundant VPC (with 2 tiers, 2 pub IPs, 2 VMs and 1 ACL), 1 isolated network (with 1 VM and 1 pub IP), 1 redundant network (with 1 VM and 1 pub IP)
      * SSH into all routers to check that the INPUT/FORWARD policies were set to DROP
      * SSH into all VMs to test the communication
    
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.26
    The authenticity of host '192.168.23.26 (192.168.23.26)' can't be established.
    RSA key fingerprint is cb:42:81:d0:05:97:f4:be:9e:3b:dd:3f:c6:d2:48:e7.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.26' (RSA) to the list of known hosts.
    root@192.168.23.26's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc
    lost+found  media       mnt         opt         proc        root        run         sbin
       sys         tmp         usr         var
    # exit
    Connection to 192.168.23.26 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.22.63
    The authenticity of host '192.168.22.63 (192.168.22.63)' can't be established.
    RSA key fingerprint is a2:20:d6:e2:fb:c5:89:94:57:f5:89:b1:a1:6d:63:99.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.22.63' (RSA) to the list of known hosts.
    root@192.168.22.63's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc
    lost+found  media       mnt         opt         proc        root        run         sbin
       sys         tmp         usr         var
    # exit
    Connection to 192.168.22.63 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.27 
    The authenticity of host '192.168.23.27 (192.168.23.27)' can't be established.
    RSA key fingerprint is 20:f1:6d:9b:74:c5:7b:53:10:5c:a0:0c:bc:9f:2a:29.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.27' (RSA) to the list of known hosts.
    root@192.168.23.27's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc
    lost+found  media       mnt         opt         proc        root        run         sbin
       sys         tmp         usr         var
    # exitConnection to 192.168.23.27 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.28
    The authenticity of host '192.168.23.28 (192.168.23.28)' can't be established.
    RSA key fingerprint is f7:ae:49:46:ba:02:c1:25:5a:50:87:0e:6f:a4:43:a3.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.28' (RSA) to the list of known hosts.
    root@192.168.23.28's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc
    lost+found  media       mnt         opt         proc        root        run         sbin
       sys         tmp         usr         var
    # exitConnection to 192.168.23.28 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.29
    The authenticity of host '192.168.23.29 (192.168.23.29)' can't be established.
    RSA key fingerprint is 09:0c:f2:41:a3:74:3d:ee:04:2b:78:ff:a9:91:0d:79.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.29' (RSA) to the list of known hosts.
    root@192.168.23.29's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc
    lost+found  media       mnt         opt         proc        root        run         sbin
       sys         tmp         usr         var
    # exit
    Connection to 192.168.23.29 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.30
    The authenticity of host '192.168.23.30 (192.168.23.30)' can't be established.
    RSA key fingerprint is 2c:a6:10:f5:6d:4b:d1:70:e2:47:07:19:0b:86:c1:b0.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.30' (RSA) to the list of known hosts.
    
    root@192.168.23.30's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc
    lost+found  media       mnt         opt         proc        root        run         sbin
       sys         tmp         usr         var
    # exitConnection to 192.168.23.30 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$
    
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.32
    The authenticity of host '192.168.23.32 (192.168.23.32)' can't be established.
    RSA key fingerprint is 6b:85:1e:c7:2e:aa:01:a2:d4:19:e3:ec:a7:69:a1:71.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.32' (RSA) to the list of known hosts.
    root@192.168.23.32's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc
    lost+found  media       mnt         opt         proc        root        run         sbin
       sys         tmp         usr         var
    # exitConnection to 192.168.23.32 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ 
    
    I'm now running some automated tests, will post the results here once they are complete.
    
    @remibergsma @DaanHoogland @bhaisaab @miguelaferreira @wido @karuturi, could you guys please have a look?
    
    Cheers,
    Wilder


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/schubergphilis/cloudstack fix/default_policies

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/765.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #765
    
----
commit f5e5f4d0026f8ffd6f3aa7e8e4c7be0cd809d6c9
Author: wilderrodrigues <wrodrigues@schubergphilis.com>
Date:   2015-08-27T13:21:30Z

    CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be set to DROP instead of ACCEPT
    
      - In order to be able to access the routers via the link local interface, we have to add a rule with NEW and ESTABLISHED state

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
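
A check for the posture this pull request describes, as an added example that is not part of the original message or of the CloudStack code base: it reads `iptables -S` output and verifies that INPUT and FORWARD default to DROP and that an ACCEPT rule with NEW and ESTABLISHED state exists on the link-local interface, so the router stays reachable. The interface name `eth0`, port 3922 and both sample rulesets are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a router ruleset for default-drop plus a management
# access rule. Not the project's code; interface name and samples are assumed.

# audit_ruleset IFACE: reads `iptables -S` text on stdin, prints findings and
# returns the number of failed checks (0 = all checks passed).
audit_ruleset() {
    awk -v ifc="$1" '
        BEGIN { bad = 0; mgmt = 0 }
        # Record the default policy of the two chains the PR changes.
        $1 == "-P" && ($2 == "INPUT" || $2 == "FORWARD") { policy[$2] = $3 }
        # Look for an INPUT ACCEPT rule bound to the interface whose state
        # match includes both NEW and ESTABLISHED.
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            has_if = 0; has_state = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-i" && $(i + 1) == ifc) has_if = 1
                if (($i == "--state" || $i == "--ctstate") &&
                    $(i + 1) ~ /NEW/ && $(i + 1) ~ /ESTABLISHED/) has_state = 1
            }
            if (has_if && has_state) mgmt = 1
        }
        END {
            n = split("INPUT FORWARD", chain, " ")
            for (k = 1; k <= n; k++) {
                p = policy[chain[k]]
                if (p != "DROP") {
                    printf "FAIL: %s policy is %s, expected DROP\n", chain[k], (p == "" ? "unset" : p)
                    bad++
                }
            }
            if (!mgmt) {
                printf "FAIL: no INPUT ACCEPT rule on %s with state NEW,ESTABLISHED\n", ifc
                bad++
            }
            if (!bad) print "OK: default-drop with management access rule present"
            exit bad
        }'
}

# Constructed sample rulesets (not captured from a real router).
SAMPLE_HARDENED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT'
SAMPLE_PERMISSIVE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

printf '%s\n' "$SAMPLE_HARDENED" | audit_ruleset eth0 || true
printf '%s\n' "$SAMPLE_PERMISSIVE" | audit_ruleset eth0 || true
```

On a router, the same function can be fed live data with `iptables -S | audit_ruleset <interface>`.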
