cloudstack-dev mailing list archives

From karuturi <...@git.apache.org>
Subject [GitHub] cloudstack pull request: CLOUDSTACK-8925 - Default allow for Egres...
Date Tue, 03 Nov 2015 09:51:35 GMT
Github user karuturi commented on the pull request:

    https://github.com/apache/cloudstack/pull/1023#issuecomment-153301644
  
    @wilderrodrigues apart from the issue mentioned in CLOUDSTACK-9018, I found the below issue.
    The egress rule added in a default egress ALLOW network doesn't block the traffic.
    
    On a default egress DENY network, I added a rule to allow 22. The iptables rules look fine and I am able to ssh from a VM created in this network:
    ```
    Chain FW_EGRESS_RULES (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
        4   288 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    ```
    
    ```
    [root@egress-deny-vm ~]# ssh 10.147.28.48
    root@10.147.28.48's password:
    Last login: Tue Nov  3 08:49:09 2015 from 10.147.30.176
    ```
    Once I delete the rule, I am not able to ssh from the VM anymore and the iptables rule is deleted, which is expected.
    
    But, in case of a default egress ALLOW network, any egress rule added should block the traffic, i.e. rules should be added with target DROP.
    When I add an egress rule to block 22, the iptables rule created is to accept 22 and the port is not blocked:
    ```
    Chain FW_EGRESS_RULES (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
        1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    ```
    and ssh is not blocked from a VM created in this network (even after creating the egress rule to block it):
    ```
    root@10.147.28.48's password:
    Last login: Tue Nov  3 08:55:04 2015 from 10.147.30.173
    ```
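The comment above boils down to one invariant: in a default egress DENY network a user-added egress rule must carry ACCEPT with a DROP catch-all, and in a default egress ALLOW network it must carry DROP with an ACCEPT catch-all. The following is an added example, not CloudStack's own code: a hypothetical checker that parses an `iptables -L FW_EGRESS_RULES -v -n` dump and flags any rule whose target contradicts the network's default policy, plus a small helper that renders the rule with the target the policy requires. The two sample dumps are constructed copies of the chain output shown in the comment; the function names and the `default_policy` parameter are assumptions of this example.

```python
# Added example (not CloudStack code): check that egress rule targets in the
# FW_EGRESS_RULES chain match the network's default egress policy.

# Target a user-added egress rule must carry, by default egress policy.
# Default DENY: rules open traffic (ACCEPT), the final catch-all is DROP.
# Default ALLOW: rules block traffic (DROP), the final catch-all is ACCEPT.
RULE_TARGET = {"DENY": "ACCEPT", "ALLOW": "DROP"}
CATCH_ALL_TARGET = {"DENY": "DROP", "ALLOW": "ACCEPT"}

CHAIN = "FW_EGRESS_RULES"


def egress_rule_command(default_policy, proto, dport):
    """Render the iptables command for one egress rule with the target the
    network's default policy requires (hypothetical helper for illustration)."""
    target = RULE_TARGET[default_policy.upper()]
    return f"iptables -A {CHAIN} -p {proto} --dport {dport} -j {target}"


def parse_chain(dump):
    """Parse an `iptables -L <chain> -v -n` dump into a list of rule dicts.

    Column layout: pkts bytes target prot opt in out source destination [match...]
    The 'Chain ...' line and the column header are skipped.
    """
    rules = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue
        rules.append({
            "target": parts[2],
            "prot": parts[3],
            "source": parts[7],
            "destination": parts[8],
            "match": " ".join(parts[9:]),   # e.g. "tcp dpt:22", empty for catch-all
        })
    return rules


def check_egress_chain(dump, default_policy):
    """Return a list of problems; an empty list means every rule's target is
    consistent with the network's default egress policy."""
    policy = default_policy.upper()
    rules = parse_chain(dump)
    if not rules:
        return [f"{CHAIN} is empty"]
    *specific, catch_all = rules          # last rule is the policy catch-all
    problems = []
    want = RULE_TARGET[policy]
    for r in specific:
        if r["target"] != want:
            problems.append(
                f"rule '{r['prot']} {r['match']}' has target {r['target']}, "
                f"expected {want} in a default egress {policy} network"
            )
    want_catch_all = CATCH_ALL_TARGET[policy]
    if catch_all["prot"] != "all" or catch_all["target"] != want_catch_all:
        problems.append(
            f"catch-all rule is '{catch_all['target']} {catch_all['prot']}', "
            f"expected '{want_catch_all} all'"
        )
    return problems


# Constructed sample dumps, copied from the chain output quoted in the comment.
DENY_NETWORK_DUMP = """\
Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    4   288 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

ALLOW_NETWORK_DUMP = """\
Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    print(egress_rule_command("ALLOW", "tcp", 22))
    print(check_egress_chain(DENY_NETWORK_DUMP, "DENY"))    # consistent: []
    print(check_egress_chain(ALLOW_NETWORK_DUMP, "ALLOW"))  # flags the ACCEPT on port 22
```

Run against the DENY dump the checker returns no problems; against the ALLOW dump it reports that the port 22 rule carries ACCEPT where DROP is expected, which is exactly the symptom described in the comment (the catch-all ACCEPT is correct for that network and is not flagged).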
