Date: Tue, 2 Jul 2013 07:01:22 +0000 (UTC)
From: "Kishan Kavala (JIRA)"
To: cloudstack-issues@incubator.apache.org
Reply-To: dev@cloudstack.apache.org
Subject: [jira] [Assigned] (CLOUDSTACK-3129) NTier: All Outgoing Traffic between Tiers and various gateways/tiers is currently allowed by default contrary to behavior mentioned in the Design Document

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-3129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kishan Kavala reassigned CLOUDSTACK-3129:
-----------------------------------------

    Assignee: Kishan Kavala

> NTier: All Outgoing Traffic between Tiers and various gateways/tiers is currently allowed by default contrary to behavior mentioned in the Design Document
> ----------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3129
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3129
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Management Server
>    Affects Versions: 4.2.0
>            Reporter: Chandan Purushothama
>            Assignee: Kishan Kavala
>            Priority: Critical
>             Fix For: 4.2.0
>
>
> ======================
> On The VPC Virtual Router:
> ======================
> root@r-3-NTIERAGN:~# iptables-save | grep ACL
> :ACL_OUTBOUND_eth2 - [0:0]
> :ACL_OUTBOUND_eth3 - [0:0]
> -A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
> -A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -j ACCEPT
> -A ACL_OUTBOUND_eth3 -j ACCEPT
> :ACL_INBOUND_eth2 - [0:0]
> :ACL_INBOUND_eth3 - [0:0]
> -A FORWARD -d 192.168.10.0/24 -o eth3 -j ACL_INBOUND_eth3
> -A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -j DROP
> -A ACL_INBOUND_eth3 -j DROP
> root@r-3-NTIERAGN:~#
> ========================
> Network Information of eth3 NIC:
> ========================
> mysql> select * from networks where id=208 \G
> *************************** 1. row ***************************
>                    id: 208
>                  name: Atoms-VPC-Net-2
>                  uuid: c81066f7-f3ed-4aab-8f86-be8d3bab32ed
>          display_text: Atoms-VPC-Net-2
>          traffic_type: Guest
> broadcast_domain_type: Vlan
>         broadcast_uri: vlan://2580
>               gateway: 192.168.11.1
>                  cidr: 192.168.11.0/24
>                  mode: Dhcp
>   network_offering_id: 12
>   physical_network_id: 200
>        data_center_id: 1
>             guru_name: ExternalGuestNetworkGuru
>                 state: Implemented
>               related: 208
>             domain_id: 1
>            account_id: 3
>                  dns1: NULL
>                  dns2: NULL
>             guru_data: NULL
>            set_fields: 0
>              acl_type: Account
>        network_domain: atomsvpcnet1.lab.vmops.com
>        reservation_id: 175f7abb-a55b-4932-b394-24137ee1203b
>            guest_type: Isolated
>      restart_required: 0
>               created: 2013-06-21 21:24:45
>               removed: NULL
>     specify_ip_ranges: 0
>                vpc_id: 1
>           ip6_gateway: NULL
>              ip6_cidr: NULL
>          network_cidr: NULL
>       display_network: 1
>        network_acl_id: NULL
> 1 row in set (0.00 sec)
>
> mysql>
> ==============================================================
> As per the FS at https://cwiki.apache.org/CLOUDSTACK/support-acl-deny-rules.html:
> ==============================================================
> ACL Deny Rules
> Currently only ACL allow rules are supported as part of Network ACLs. Default is to block all incoming and all outgoing traffic between tiers and between tiers and various gateways (including Public). ACL deny rules will be supported through this feature. New fields "number" and "action" will be added to rules to resolve conflicting rules.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
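As an added illustration (not code from CloudStack or from the report), the following Python audit parses an `iptables-save` dump like the one quoted in the issue and flags every `ACL_OUTBOUND_*` / `ACL_INBOUND_*` chain whose catch-all verdict is ACCEPT, which is exactly the deviation from the deny-by-default behaviour the design document specifies. The sample input is the report's own excerpt, embedded inline as a constructed string.

```python
import re

# Constructed sample input: the "iptables-save | grep ACL" excerpt quoted in the report.
SAMPLE_RULES = """\
:ACL_OUTBOUND_eth2 - [0:0]
:ACL_OUTBOUND_eth3 - [0:0]
-A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
-A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth3 -j ACCEPT
:ACL_INBOUND_eth2 - [0:0]
:ACL_INBOUND_eth3 - [0:0]
-A FORWARD -d 192.168.10.0/24 -o eth3 -j ACL_INBOUND_eth3
-A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j DROP
-A ACL_INBOUND_eth3 -j DROP
"""
ACL_CHAIN = re.compile(r"^ACL_(OUTBOUND|INBOUND)_\S+$")
APPEND_RULE = re.compile(r"^-A (\S+)(.*?) -j (\S+)$")  # -A <chain> [matches] -j <target>

def parse_chains(dump):
    """Map each chain to its ordered list of (match_expression, target) rules."""
    chains = {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):  # chain declaration, e.g. ":ACL_INBOUND_eth2 - [0:0]"
            chains.setdefault(line[1:].split()[0], [])
        m = APPEND_RULE.match(line)
        if m:
            chain, match_expr, target = m.groups()
            chains.setdefault(chain, []).append((match_expr.strip(), target))
    return chains

def default_action(rules):
    """Verdict for a packet matching none of the selective rules: a trailing rule with an
    empty match expression is the catch-all; otherwise the user chain RETURNs to its caller."""
    if rules and rules[-1][0] == "":
        return rules[-1][1]
    return "RETURN"

def audit_acl_defaults(dump):
    """Return {chain: (direction, default)} for every ACL chain whose default verdict is
    ACCEPT, i.e. allow-by-default where the design document specifies deny-by-default."""
    findings = {}
    for chain, rules in parse_chains(dump).items():
        m = ACL_CHAIN.match(chain)
        if m and default_action(rules) == "ACCEPT":
            findings[chain] = (m.group(1).lower(), "ACCEPT")
    return findings
```

Running `audit_acl_defaults(SAMPLE_RULES)` on the quoted dump reports both outbound chains and neither inbound chain, matching the reporter's observation.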