cloudstack-issues mailing list archives

From "angeline shen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-2220) SRX - By default, egress traffic is NOT BLOCKED from guest network to public network
Date Thu, 02 May 2013 21:02:17 GMT

[ https://issues.apache.org/jira/browse/CLOUDSTACK-2220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13647903#comment-13647903 ]

angeline shen commented on CLOUDSTACK-2220:
-------------------------------------------

1. I see you inactivated default-policy. So from MS UI, all VMs blocked from EGRESS. OK. This works.

2. However, from MS UI, network adminsrx, I added the following Egress rules:

CIDR        protocol   port
0.0.0.0/0   TCP        1 - 8090
0.0.0.0/0   ICMP       -1   -1

From all VMs, STILL unable to ping or ssh to outside world.

SRX security policies settings:

root# show security policies 
from-zone trust to-zone trust {
    policy trust-to-trust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy destnat-untrust-trust-10-0-81-119 {
        match {
            source-address any;
            destination-address 10-0-81-119;
            application tcp-22-22;
        }
        then {
            permit;
            count;
        }
    }
    policy destnat-untrust-trust-10-0-145-162 {
        match {
            source-address any;
            destination-address 10-0-145-162;
            application tcp-22-22;
        }
        then {
            permit;
            count;
        }
    }
    policy destnat-untrust-trust-10-0-92-19 {
        match {
            source-address any;
            destination-address 10-0-92-19;
            application tcp-22-22;
        }
        then {
            permit;
            count;
        }
    }
}
from-zone trust to-zone untrust {
    policy egress-trust-untrust-2486 {
        match {
            source-address 0-0-0-0-0;
            destination-address any;
            application [ egress-tcp-1-8090 egress-icmp-255-255 ];
        }
        then {
            permit;
            count;
        }
    }
}
default-policy {
    inactive: permit-all;
}

[edit]


root# root# show security nat 
source {
    rule-set trust {
        from zone trust;
        to zone untrust;
        rule i-nat {
            match {
                source-address 10.0.0.0/8;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}
destination {
    pool 10-0-81-119-22 {
        address 10.0.81.119/32 port 22;
    }
    pool 10-0-145-162-22 {
        address 10.0.145.162/32 port 22;
    }
    pool 10-0-92-19-22 {
        address 10.0.92.19/32 port 22;
    }
    rule-set untrust {
        from zone untrust;
        rule destnatrule-300973196 {
            match {
                destination-address 10.223.123.13/32;
                destination-port 22;
            }
            then {
                destination-nat pool 10-0-81-119-22;
            }
        }
        rule destnatrule-1560619096 {
            match {
                destination-address 10.223.123.14/32;
                destination-port 22;
            }
            then {
                destination-nat pool 10-0-145-162-22;
            }
        }
        rule destnatrule-1229587959 {
            match {
                destination-address 10.223.123.11/32;
                destination-port 22;
            }
            then {
                destination-nat pool 10-0-92-19-22;
            }
        }
    }
}
proxy-arp {
    interface fe-0/0/3.1230 {
        address {
            10.223.123.13/32;
            10.223.123.14/32;
            10.223.123.11/32;
        }
    }                                   
}

[edit]
root# 



                
> SRX - By default, egress traffic is NOT BLOCKED from guest network to public network
> -------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-2220
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2220
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>         Environment: MS ACS 4.2 build 4/24/13 7:48 PM revision: 299cccf779f75c3ba04d9ec7303bed88394c3562
> host XS 6.0.2 
>            Reporter: angeline shen
>            Assignee: Jayapal Reddy
>            Priority: Critical
>             Fix For: 4.2.0
>
>         Attachments: management-server.log.gz
>
>
> MS ACS 4.2 build 4/24/13 7:48 PM revision: 299cccf779f75c3ba04d9ec7303bed88394c3562
> host XS 6.0.2 
> 1. SRX network offering : isolated DHCP: virtual router DNS: virtual router firewall: SRX userdata: virtual router sourceNAT: SRX staticNAT: SRX portforward: SRX sourceNAT type: perzone
> 2. domain: ROOT admin
>    domain: /d1 domain admin: d1domain
>    domain: /d2 user: d2user
> 3. login: admin create VMs, allocate public IPs . 
>     BUG:   login  any VM  via console:  able to ping  www.google.com
>   login: d1domain repeat above steps
>    BUG:   login  any VM  via console:  able to ping  www.google.com
>   login: d2user repeat above steps 
>    BUG:   login  any VM  via console:  able to ping  www.google.com
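Added example, not code from the ticket or from CloudStack: a small Python checker that parses the Junos `show security policies` output pasted in the comment and reports which policy, if any, matches a trust-to-untrust flow by application name; with `permit-all` inactive, anything not named in the egress policy's application list falls through to the default deny. Address books and application definitions are not on the page, so addresses are treated as matching, and `junos-ping` is used only as a Junos predefined application name that the pasted policy does not reference.

```python
# Constructed excerpt of the "show security policies" output pasted in the comment above.
SAMPLE = """from-zone trust to-zone untrust {
    policy egress-trust-untrust-2486 {
        match {
            source-address 0-0-0-0-0;
            destination-address any;
            application [ egress-tcp-1-8090 egress-icmp-255-255 ];
        }
        then {
            permit;
        }
    }
}
default-policy {
    inactive: permit-all;
}"""

def parse_junos(text):
    """Junos braces -> nested dicts: 'k v;'->'v', 'flag;'->True, 'inactive: x;'->'inactive', '[ a b ]'->list."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("root#", "[edit]")):
            continue  # skip CLI prompts and the '[edit]' banner in pasted output
        if line.endswith("{"):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stmt = line[:-1].strip()
            inactive = stmt.startswith("inactive:")
            key, _, val = (stmt[9:] if inactive else stmt).strip().partition(" ")
            if val.startswith("["):
                val = val.strip("[] ").split()
            stack[-1][key] = "inactive" if inactive else (val or True)
    return stack[0]

def evaluate(cfg, from_zone, to_zone, application):
    """First match on zone pair and application name, else default-policy (address books not resolved)."""
    pair = cfg.get("from-zone %s to-zone %s" % (from_zone, to_zone), {})
    for name, body in pair.items():
        apps = body.get("match", {}).get("application", [])
        apps = [apps] if isinstance(apps, str) else apps
        if name.startswith("policy ") and (application in apps or "any" in apps):
            action = "permit" if "permit" in body.get("then", {}) else "deny"
            return action, name.split(" ", 1)[1]
    if cfg.get("default-policy", {}).get("permit-all") is True:
        return "permit", "default-policy permit-all"
    return "deny", "default-policy (permit-all inactive or absent)"
```

Running `evaluate(parse_junos(SAMPLE), "trust", "untrust", "junos-ping")` shows the fall-through: only the two named applications are permitted by the egress policy, every other application on that zone pair is denied by the deactivated default policy.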

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
