cloudstack-issues mailing list archives

From "angeline shen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-2220) SRX - By default, egress traffic is NOT BLOCKED from guest network to public network
Date Tue, 30 Apr 2013 19:46:16 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-2220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13645891#comment-13645891 ]

angeline shen commented on CLOUDSTACK-2220:
-------------------------------------------

SRX device configuration dump (interfaces, firewall filters, security policies, NAT). Note that there is no explicit from-zone trust to-zone untrust policy and the security `default-policy` is `permit-all`, so guest-to-public egress is permitted unless a policy blocks it:

root@% cli
root> configure 
Entering configuration mode

[edit]
root# show interfaces 
fe-0/0/1 {
    unit 0 {
        family inet {
            address 10.223.52.62/26;
        }
    }
}
fe-0/0/2 {
    vlan-tagging;
    unit 2486 {
        vlan-id 2486;
        family inet {
            filter {
                input vlan-input-2486;
                output vlan-output-2486;
            }
            address 10.0.80.1/20;
        }
    }
}
fe-0/0/3 {
    vlan-tagging;
    unit 1230 {
        vlan-id 1230;
        family inet {
            filter {
                input untrust;
            }
            address 10.223.123.62/26;
        }
    }
}



root# show firewall 
filter untrust {
    term return-traffic-tcp {
        from {
            tcp-established;
        }
        then accept;
    }
    term return-traffic-ping {
        from {
            icmp-type 0;
            icmp-code 0;
        }
        then accept;
    }
    term return-traffic-dns {
        from {
            protocol udp;
            port 53;
        }
        then accept;
    }
    term 10-223-123-13-1 {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-address {
                10.223.123.13/32;
            }
            protocol tcp;
            destination-port 1-8090;
        }
        then {
            count 10-223-123-13-i;      
            accept;
        }
    }
}
filter vlan-output-2486 {
    term vlan-output-2486 {
        then {
            count vlan-output-2486;
            accept;
        }
    }
}
filter vlan-input-2486 {
    term vlan-input-2486 {
        then {
            count vlan-input-2486;
            accept;
        }
    }
}


root# show security policies  
from-zone trust to-zone trust {
    policy trust-to-trust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy destnat-untrust-trust-10-0-81-119 {
        match {
            source-address any;
            destination-address 10-0-81-119;
            application tcp-22-22;
        }
        then {
            permit;
            count;
        }
    }
}
default-policy {
    permit-all;
}




root# show security nat 
source {
    rule-set trust {
        from zone trust;
        to zone untrust;
        rule i-nat {
            match {
                source-address 10.0.0.0/8;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}
destination {
    pool 10-0-81-119-22 {
        address 10.0.81.119/32 port 22;
    }
    rule-set untrust {
        from zone untrust;
        rule destnatrule-300973196 {
            match {
                destination-address 10.223.123.13/32;
                destination-port 22;
            }
            then {
                destination-nat pool 10-0-81-119-22;
            }
        }
    }
}
proxy-arp {
    interface fe-0/0/3.1230 {
        address {
            10.223.123.13/32;
        }
    }
}






                
> SRX - By default, egress traffic is NOT BLOCKED from guest network to public network

> -------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-2220
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2220
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>         Environment: MS ACS 4.2 build 4/24/13 7:48 PM revision: 299cccf779f75c3ba04d9ec7303bed88394c3562
> host XS 6.0.2 
>            Reporter: angeline shen
>            Assignee: Jayapal Reddy
>            Priority: Critical
>             Fix For: 4.2.0
>
>         Attachments: management-server.log.gz
>
>
> MS ACS 4.2 build 4/24/13 7:48 PM revision: 299cccf779f75c3ba04d9ec7303bed88394c3562
> host XS 6.0.2 
> 1. SRX network offering: isolated; DHCP: virtual router; DNS: virtual router; firewall: SRX; userdata: virtual router; sourceNAT: SRX; staticNAT: SRX; portforward: SRX; sourceNAT type: perzone
> 2. domain: ROOT admin
>    domain: /d1 domain admin: d1domain
>    domain: /d2 user: d2user
> 3. login: admin; create VMs and allocate public IPs.
>    BUG: login to any VM via console: able to ping www.google.com
>   login: d1domain; repeat the above steps
>    BUG: login to any VM via console: able to ping www.google.com
>   login: d2user; repeat the above steps
>    BUG: login to any VM via console: able to ping www.google.com

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
