cloudstack-issues mailing list archives

From "Gaurav Aradhye (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-5144) [Automation]: Basic Zone Security Groups - SSH to VM is allowed even when there is no ingress rule defined for the security group
Date Mon, 23 Dec 2013 12:38:50 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-5144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13855601#comment-13855601 ]

Gaurav Aradhye commented on CLOUDSTACK-5144:
--------------------------------------------

Jayapal, I am not able to get the iptables from the basic zone setup host as the setup is down
currently, but I am able to reproduce this issue in a Security group enabled advanced zone setup
too, and the following are the iptables from the host.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
  64M   63G RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 56M packets, 93G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  35M   49G ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 8159  497K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
    0     0 ACCEPT     udp  --  xenapi *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
  24M   13G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:694
   14   832 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 3918  204K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
 227K   14M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
5225K 1015M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

> [Automation]: Basic Zone Security Groups - SSH to VM is allowed even when there is no ingress rule defined for the security group
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5144
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5144
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.3.0
>            Reporter: Gaurav Aradhye
>            Assignee: Gaurav Aradhye
>            Priority: Critical
>              Labels: automation
>             Fix For: 4.3.0
>
>
> In Basic Zone Setup:
> 1. Create an account
> 2. Deploy a VM in that account
> 3. Verify that any ingress rule is not defined for the security group belonging to the account
> 4. Try SSH to VM using the nic ipaddress from external client
> SSH is successful to the VM whereas it should fail when the ingress rule is not defined.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
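
The following is an added example, not part of the original message and not CloudStack code: a small parser for `iptables -L -n -v` output that follows jumps from a chosen built-in chain and reports the ACCEPT rules admitting TCP traffic to a given port from any source. The embedded listing is an excerpt of the rows posted above; the function names are this example's own.

```python
import re
# Rows copied from the listing in the message above (trimmed excerpt).
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  64M   63G RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  24M   13G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   14   832 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5225K 1015M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""
KEYS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")

def parse(listing):
    """Parse `iptables -L -n -v` text into {chain: {"policy": ..., "rules": [...]}}."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:  # chain header; policy is None for user-defined chains
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        f = line.split()
        if cur is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        cur["rules"].append(dict(zip(KEYS, f[:9]), extra=" ".join(f[9:])))
    return chains

def accepts_new_tcp(chains, start, port, seen=()):
    """Follow jumps from `start`; return (chain, rule) pairs that ACCEPT tcp to
    `port` from any source. Rule ordering and shadowing are not modelled."""
    hits = []
    for r in chains.get(start, {"rules": []})["rules"]:
        if r["target"] in chains and r["target"] not in seen:
            hits += accepts_new_tcp(chains, r["target"], port, seen + (start,))
        elif (r["target"] == "ACCEPT" and r["prot"] == "tcp"
              and r["src"] == "0.0.0.0/0"
              and re.search(rf"\bdpt:{port}\b", r["extra"])):
            hits.append((start, r))
    return hits

if __name__ == "__main__":
    for chain, rule in accepts_new_tcp(parse(SAMPLE), "FORWARD", 22):
        print(chain, rule["pkts"], rule["extra"])
```

Run against the excerpt, it reports the `state NEW tcp dpt:22` rule in `RH-Firewall-1-INPUT` for both `INPUT` and `FORWARD`.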
