From: "Chandan Purushothama (JIRA)"
To: cloudstack-issues@incubator.apache.org
Reply-To: dev@cloudstack.apache.org
Mailing-List: contact issues-help@cloudstack.apache.org; run by ezmlm
Date: Tue, 14 Jan 2014 01:05:53 +0000 (UTC)
Subject: [jira] [Commented] (CLOUDSTACK-5144) [Automation]: Basic Zone Security Groups - SSH to VM is allowed even when there is no ingress rule defined for the security group

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-5144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13870222#comment-13870222 ]

Chandan Purushothama commented on CLOUDSTACK-5144:
--------------------------------------------------

I am able to reproduce this bug on XenServer 6.2.

Setup:
1. Deployed a Basic Zone Setup.
2. Deployed a User VM in the admin account.
3. Successfully sshed into the VM in spite of no ingress rules.

=====================
Iptables Rules on the Host:
=====================
[root@Rack3Host6 ~]# iptables-save
# Generated by iptables-save v1.3.5 on Mon Jan 13 16:27:17 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2303893:4874626115]
:BRIDGE-DEFAULT-FIREWALL - [0:0]
:BRIDGE-FIREWALL - [0:0]
:RH-Firewall-1-INPUT - [0:0]
:i-2-3-BASIC - [0:0]
:i-2-3-BASIC-eg - [0:0]
:i-2-3-def - [0:0]
:r-4-BASIC - [0:0]
:s-2-BASIC - [0:0]
:v-1-BASIC - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -m physdev --physdev-is-bridged -j BRIDGE-FIREWALL
-A FORWARD -m physdev --physdev-out eth1+ --physdev-is-bridged -j ACCEPT
-A FORWARD -m physdev --physdev-out eth0+ --physdev-is-bridged -j ACCEPT
-A FORWARD -j DROP
-A BRIDGE-DEFAULT-FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BRIDGE-DEFAULT-FIREWALL -p udp -m physdev --physdev-is-bridged -m udp --sport 68 --dport 67 -j ACCEPT
-A BRIDGE-DEFAULT-FIREWALL -p udp -m physdev --physdev-is-bridged -m udp --sport 67 --dport 68 -j ACCEPT
-A BRIDGE-FIREWALL -j BRIDGE-DEFAULT-FIREWALL
-A BRIDGE-FIREWALL -m physdev --physdev-in vif7.0 --physdev-is-bridged -j i-2-3-def
-A BRIDGE-FIREWALL -m physdev --physdev-in vif6.0 --physdev-is-bridged -j r-4-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-in vif6.1 --physdev-is-bridged -j r-4-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-in vif3.2 --physdev-is-bridged -j v-1-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-in vif3.0 --physdev-is-bridged -j v-1-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-in vif3.1 --physdev-is-bridged -j v-1-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-in vif4.2 --physdev-is-bridged -j s-2-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-in vif4.0 --physdev-is-bridged -j s-2-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-in vif4.1 --physdev-is-bridged -j s-2-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-in vif4.3 --physdev-is-bridged -j s-2-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-out vif4.3 --physdev-is-bridged -j s-2-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-out vif4.1 --physdev-is-bridged -j s-2-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-out vif4.0 --physdev-is-bridged -j s-2-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-out vif4.2 --physdev-is-bridged -j s-2-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-out vif3.1 --physdev-is-bridged -j v-1-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-out vif3.0 --physdev-is-bridged -j v-1-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-out vif3.2 --physdev-is-bridged -j v-1-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-out vif6.1 --physdev-is-bridged -j r-4-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-out vif6.0 --physdev-is-bridged -j r-4-BASIC
-A BRIDGE-FIREWALL -m physdev --physdev-out vif7.0 --physdev-is-bridged -j i-2-3-def
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -i xenapi -p udp -m udp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A i-2-3-BASIC -j DROP
-A i-2-3-BASIC-eg -j RETURN
-A i-2-3-def -p udp -m physdev --physdev-in vif7.0 --physdev-is-bridged -m set --set i-2-3-BASIC src -m udp --dport 53 -j RETURN
-A i-2-3-def -m physdev --physdev-in vif7.0 --physdev-is-bridged -m set !--set i-2-3-BASIC src -j DROP
-A i-2-3-def -m physdev --physdev-out vif7.0 --physdev-is-bridged -m set !--set i-2-3-BASIC dst -j DROP
-A i-2-3-def -m physdev --physdev-in vif7.0 --physdev-is-bridged -m set --set i-2-3-BASIC src -j i-2-3-BASIC-eg
-A i-2-3-def -m physdev --physdev-out vif7.0 --physdev-is-bridged -j i-2-3-BASIC
-A r-4-BASIC -m physdev --physdev-in vif6.0 --physdev-is-bridged -j RETURN
-A r-4-BASIC -m physdev --physdev-in vif6.1 --physdev-is-bridged -j RETURN
-A r-4-BASIC -j ACCEPT
-A s-2-BASIC -m physdev --physdev-in vif4.2 --physdev-is-bridged -j RETURN
-A s-2-BASIC -m physdev --physdev-in vif4.0 --physdev-is-bridged -j RETURN
-A s-2-BASIC -m physdev --physdev-in vif4.1 --physdev-is-bridged -j RETURN
-A s-2-BASIC -m physdev --physdev-in vif4.3 --physdev-is-bridged -j RETURN
-A s-2-BASIC -j ACCEPT
-A v-1-BASIC -m physdev --physdev-in vif3.2 --physdev-is-bridged -j RETURN
-A v-1-BASIC -m physdev --physdev-in vif3.0 --physdev-is-bridged -j RETURN
-A v-1-BASIC -m physdev --physdev-in vif3.1 --physdev-is-bridged -j RETURN
-A v-1-BASIC -j ACCEPT
COMMIT
# Completed on Mon Jan 13 16:27:17 2014
[root@Rack3Host6 ~]#
[root@Rack3Host6 ~]# ipset -L
Name: i-2-3-BASIC
Type: iphash
References: 4
Header: hashsize: 1024 probes: 8 resize: 50
Members:
10.223.57.82
[root@Rack3Host6 ~]#

> [Automation]: Basic Zone Security Groups - SSH to VM is allowed even when there is no ingress rule defined for the security group
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5144
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5144
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Network Controller
>    Affects Versions: 4.3.0
>            Reporter: Gaurav Aradhye
>            Assignee: Wei Zhou
>            Priority: Blocker
>              Labels: automation
>             Fix For: 4.3.0
>
>         Attachments: MS-Log.txt, agent.log, agent.log, ipset-L output.txt, iptables-rules.txt, log.zip, management-server.log, management-server.zip
>
>
> In Basic Zone Setup:
> 1. Create an account
> 2. Deploy a VM in that account
> 3. Verify that any ingress rule is not defined for the security group belonging to the account
> 4. Try SSH to VM using the NIC IP address from an external client
> SSH is successful to the VM, whereas it should fail when the ingress rule is not defined.

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
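The iptables dump in the comment above is the policy the security group should be enforcing, and the quickest way to tell whether the rules themselves permit the SSH session is to evaluate them for the frame in question. The script below is an added example written for this page; it is not CloudStack code and not part of the JIRA thread. It parses an excerpt of the dump, models the physdev, state and set matches those chains use, and walks the FORWARD chain for four constructed frames crossing the bridge to and from vif7.0. The VM address 10.223.57.82, the chain names and the vif name come from the dump; the client address 10.223.57.200, the port numbers and the eth0 ingress port are assumptions. For the rules as listed, a new inbound TCP/22 frame towards vif7.0 ends in i-2-3-BASIC, whose only rule is DROP, and a frame leaving the VM with a source address outside its ipset is dropped by the anti-spoofing rule; when the host nevertheless accepts the SSH session, the mismatch between this verdict and the observed behaviour is the thing to chase in the attached agent and management-server logs.

```python
from dataclasses import dataclass

# Excerpt of the host's iptables-save output quoted above: the FORWARD path for the VM behind vif7.0 only
# (INPUT-side rules, the DHCP/DNS helper rules and the other VMs' chains are left out).
IPTABLES_SAVE = """\
:FORWARD ACCEPT [0:0]
-A FORWARD -m physdev --physdev-is-bridged -j BRIDGE-FIREWALL
-A FORWARD -m physdev --physdev-out eth1+ --physdev-is-bridged -j ACCEPT
-A FORWARD -m physdev --physdev-out eth0+ --physdev-is-bridged -j ACCEPT
-A FORWARD -j DROP
-A BRIDGE-DEFAULT-FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BRIDGE-FIREWALL -j BRIDGE-DEFAULT-FIREWALL
-A BRIDGE-FIREWALL -m physdev --physdev-in vif7.0 --physdev-is-bridged -j i-2-3-def
-A BRIDGE-FIREWALL -m physdev --physdev-out vif7.0 --physdev-is-bridged -j i-2-3-def
-A i-2-3-BASIC -j DROP
-A i-2-3-BASIC-eg -j RETURN
-A i-2-3-def -m physdev --physdev-in vif7.0 --physdev-is-bridged -m set !--set i-2-3-BASIC src -j DROP
-A i-2-3-def -m physdev --physdev-out vif7.0 --physdev-is-bridged -m set !--set i-2-3-BASIC dst -j DROP
-A i-2-3-def -m physdev --physdev-in vif7.0 --physdev-is-bridged -m set --set i-2-3-BASIC src -j i-2-3-BASIC-eg
-A i-2-3-def -m physdev --physdev-out vif7.0 --physdev-is-bridged -j i-2-3-BASIC
"""
IPSETS = {"i-2-3-BASIC": {"10.223.57.82"}}   # members from the `ipset -L` output quoted above

# iptables option -> (match kind, number of arguments); options not listed here are skipped
OPTS = {"--physdev-in": ("physdev-in", 1), "--physdev-out": ("physdev-out", 1), "--physdev-is-bridged": ("bridged", 0),
        "--state": ("state", 1), "--dport": ("dport", 1), "--set": ("set", 2)}

@dataclass
class Packet:
    physdev_in: str        # bridge port the frame arrived on
    physdev_out: str       # bridge port it is about to leave on
    src: str
    dst: str
    dport: int
    state: str = "NEW"     # conntrack state as seen by -m state

def parse_rule(line):
    """'-A CHAIN opts... -j TARGET' -> (chain, target, [(kind, args, negated), ...])."""
    toks = line.split()
    chain, target, matches, i, neg = toks[1], None, [], 2, False
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("!--"):          # iptables 1.3.x prints negation as "!--set", as in the dump
            neg, tok = True, tok[1:]
        if tok == "-j":
            target = toks[i + 1]
        elif tok in OPTS:
            kind, n = OPTS[tok]
            matches.append((kind, toks[i + 1:i + 1 + n], neg))
            i, neg = i + n + 1, False
            continue
        i, neg = (i + 2 if i + 1 < len(toks) and not toks[i + 1].startswith("-") else i + 1), False
    return chain, target, matches

def parse_iptables_save(text):
    policies, chains = {}, {}             # user-defined chains get policy "-"
    for line in text.splitlines():
        if line.startswith(":"):          # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            chain, target, matches = parse_rule(line)
            chains.setdefault(chain, []).append((target, matches))
    return policies, chains

def _match(kind, args, pkt, ipsets):
    if kind in ("physdev-in", "physdev-out"):   # "eth0+" is a prefix wildcard
        pat, dev = args[0], getattr(pkt, kind.replace("-", "_"))
        return dev.startswith(pat[:-1]) if pat.endswith("+") else dev == pat
    if kind == "set":                           # src/dst membership in the named ipset
        return (pkt.src if args[1] == "src" else pkt.dst) in ipsets.get(args[0], ())
    if kind == "state":
        return pkt.state in args[0].split(",")
    if kind == "dport":
        return pkt.dport == int(args[0])
    return True                                 # "bridged": every frame modelled here crosses the bridge

def walk(chain, pkt, chains, policies, ipsets, depth=0):
    """Evaluate one chain; returns ACCEPT/DROP/REJECT, or None when a user chain falls through."""
    assert depth < 32, "chain loop"
    policy = policies.get(chain, "-")
    for target, matches in chains.get(chain, []):
        if not all(_match(k, a, pkt, ipsets) != neg for k, a, neg in matches):
            continue                            # a negated match succeeds exactly when its test fails
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None if policy == "-" else policy
        verdict = walk(target, pkt, chains, policies, ipsets, depth + 1)
        if verdict is not None:
            return verdict
    return None if policy == "-" else policy

def forward_verdict(pkt, dump=IPTABLES_SAVE, ipsets=IPSETS):
    policies, chains = parse_iptables_save(dump)
    return walk("FORWARD", pkt, chains, policies, ipsets)

VM_IP, CLIENT_IP = "10.223.57.82", "10.223.57.200"   # VM address from the page; client address is constructed
SSH_INBOUND = Packet("eth0", "vif7.0", CLIENT_IP, VM_IP, dport=22)                        # step 4: new SSH session into the VM
SSH_REPLY = Packet("vif7.0", "eth0", VM_IP, CLIENT_IP, dport=51000, state="ESTABLISHED")  # reply inside a session conntrack knows
VM_EGRESS = Packet("vif7.0", "eth0", VM_IP, "10.223.57.1", dport=80)                      # VM-initiated outbound connection
SPOOFED = Packet("vif7.0", "eth0", "10.223.57.99", "10.223.57.1", dport=80)               # VM egress with a source not in its ipset
```

forward_verdict(SSH_INBOUND) returns "DROP", forward_verdict(SSH_REPLY) and forward_verdict(VM_EGRESS) return "ACCEPT", and forward_verdict(SPOOFED) returns "DROP". To run the same check against another host, pass its full iptables-save text as dump and its `ipset -L` members as ipsets. The model covers only the matches these chains use (physdev, state, set, dport); any other option is skipped, so a rule that relies on an unmodelled match is treated as matching more frames than it really does, which errs towards reporting a verdict you then have to confirm on the host.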