cloudstack-issues mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8030) Isolated network without firewall service doesn't allow egress traffic
Date Wed, 10 Dec 2014 05:24:12 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14240671#comment-14240671 ]

ASF subversion and git services commented on CLOUDSTACK-8030:
-------------------------------------------------------------

Commit 8278d88f76ee129af75cd585b916bd6719e34e4c in cloudstack's branch refs/heads/4.5 from Jayapal
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=8278d88 ]

CLOUDSTACK-8030: Updated router to come up egress default ALLOW

    By default, iptables rules are updated to add ACCEPT for egress traffic.
    If the network egress default policy is false, CS removes the ACCEPT and adds the DROP rule,
    which is the egress default rule when there are no other egress rules.

    If the CS network egress default policy is true, CS won't configure any default rule for
    egress because the router already came up to accept egress traffic. If there are already
    egress rules for the network, then the egress rules get applied on the VR.

    For an isolated network without firewall service, the VR by default allows egress traffic
    (guest network --> public network).

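The commit message above describes the two states the virtual router's egress chain can be in (a catch-all ACCEPT installed at boot, or that ACCEPT replaced by a DROP when the network's egress default policy is false) and the state the bug report complains about (no default rule at all). The following is an added example, not CloudStack's own code: it parses `iptables-save`-style output and reports what happens to guest-to-public traffic that matches no explicit egress rule, which is the check an operator would run on a router to confirm which state it is in. The chain name `FW_OUTBOUND`, the interface names and the sample rule sets are assumptions constructed for the example (the bug report spells the chain `FW_Outbound`; iptables chain names are case-sensitive, so use whatever your router actually has).

```python
"""Audit a virtual router's egress chain from `iptables-save` output.

Added example, not CloudStack code. The samples below are constructed;
the chain name FW_OUTBOUND is an assumption taken from the bug report.
"""
import re
from typing import List, Optional, Tuple

CHAIN = "FW_OUTBOUND"                       # assumed egress chain name
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that end evaluation

# ':NAME POLICY [pkts:bytes]' header lines; user chains carry '-' as policy
POLICY_RE = re.compile(r"^:(?P<chain>\S+) (?P<policy>ACCEPT|DROP|-) ")
# '-A CHAIN <match criteria> -j TARGET ...' rule lines
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<match>.*?) -j (?P<target>\S+)")


def rules_of(save_text: str, chain: str) -> List[Tuple[str, str]]:
    """Return (match_spec, target) for each rule appended to `chain`, in order."""
    out = []
    for line in save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("chain") == chain:
            out.append((m.group("match").strip(), m.group("target")))
    return out


def builtin_policy(save_text: str, chain: str) -> Optional[str]:
    """Policy of a built-in chain, or None for a user-defined chain."""
    for line in save_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and m.group("chain") == chain and m.group("policy") != "-":
            return m.group("policy")
    return None


def chain_verdict(save_text: str, chain: str = CHAIN) -> str:
    """Verdict for a packet that matches none of the chain's specific rules.

    Walk the rules in order: the first catch-all rule (no match criteria)
    with a terminating target decides, and anything after it is dead.
    Returns 'ACCEPT', 'DROP' (REJECT counts as DROP here) or 'FALLTHROUGH'
    when the packet leaves the chain undecided.
    """
    for match, target in rules_of(save_text, chain):
        if match == "" and target in TERMINATING:
            return "ACCEPT" if target == "ACCEPT" else "DROP"
    return "FALLTHROUGH"


def effective_egress(save_text: str, chain: str = CHAIN) -> Tuple[str, str]:
    """What finally happens to unmatched egress traffic, and why.

    A FALLTHROUGH is resolved by the built-in chain that jumped to the
    egress chain: the parent's remaining rules still run after the jump
    returns, and a packet that matches none of them hits the parent policy.
    """
    verdict = chain_verdict(save_text, chain)
    if verdict != "FALLTHROUGH":
        return verdict, f"catch-all rule in {chain}"
    for parent in ("FORWARD", "INPUT", "OUTPUT"):
        prules = rules_of(save_text, parent)
        jumps = [i for i, (_, t) in enumerate(prules) if t == chain]
        if not jumps:
            continue
        for match, target in prules[jumps[0] + 1:]:
            if match == "" and target in TERMINATING:
                return ("ACCEPT" if target == "ACCEPT" else "DROP",
                        f"no catch-all in {chain}; later catch-all in {parent}")
        policy = builtin_policy(save_text, parent) or "ACCEPT"
        return policy, f"no catch-all in {chain}; {parent} policy {policy} applies"
    return "UNREACHED", f"nothing jumps to {chain}"


# Constructed sample of the state the bug report describes: the offering has
# no firewall service, CloudStack programmed nothing into FW_OUTBOUND, and
# guest traffic falls back to the DROP policy of FORWARD.
BEFORE_FIX = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
COMMIT
"""

# Constructed sample after the change: the router boots with a catch-all
# ACCEPT, so egress default-allow holds with no further rules.
AFTER_FIX_ALLOW = BEFORE_FIX.replace("COMMIT", "-A FW_OUTBOUND -j ACCEPT\nCOMMIT")

# Constructed sample for a network whose egress default policy is false:
# the ACCEPT has been removed and a DROP installed as the default rule.
AFTER_FIX_DENY = BEFORE_FIX.replace("COMMIT", "-A FW_OUTBOUND -j DROP\nCOMMIT")

if __name__ == "__main__":
    for name, text in [("before fix", BEFORE_FIX),
                       ("egress default allow", AFTER_FIX_ALLOW),
                       ("egress default deny", AFTER_FIX_DENY)]:
        verdict, why = effective_egress(text)
        print(f"{name:22s}: {verdict:6s} ({why})")
```

On a real router, feed it the output of `iptables-save` (for example `effective_egress(subprocess.check_output(["iptables-save"], text=True))`); a `FALLTHROUGH` from the egress chain that resolves to the FORWARD policy is the symptom the issue reports, and a result that does not match the network's configured egress default policy is the mismatch to investigate.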

> Isolated network without firewall service doesn't allow egress traffic
> ----------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8030
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8030
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.5.0
>            Reporter: Jayapal Reddy
>            Assignee: Jayapal Reddy
>             Fix For: 4.5.0
>
>
> An isolated network, created with an offering having DHCP, DNS, Source NAT, LB (Netscaler),
> which doesn't use Firewall service from VR has Egress rules default allow. But the iptables
> FW_Outbound chain doesn't have a rule to allow traffic from VMs to outside networks.
> This offering will be of no use even when the Egress default is allow all. Either the
> user should not be allowed to create an offering without firewall or the iptables rule should
> be added to allow egress traffic.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)