cloudstack-issues mailing list archives

From "Jayapal Reddy (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-8030) Isolated network without firewall service doesn't allow egress traffic
Date Fri, 05 Dec 2014 11:15:13 GMT


Jayapal Reddy commented on CLOUDSTACK-8030:

On router bootup, default iptables rules are configured. The default rules block the egress traffic.
If the network offering egress policy is true, then on network creation an egress allow rule is
configured on the router.
If the egress policy is false, then CS will not send the rule to the VR on network creation.
The egress rule service is provided by the 'Firewall provider'.
In this issue there is no firewall provider, so there is no way to configure an egress rule on
the VR.

The current logic needs to be changed as below.
1. The default VR iptables rules should be configured to allow egress traffic.
2. On network creation, if the egress policy is DENY then configure a rule to DROP the traffic.
3. If the network has only Source NAT without Firewall, the VR will allow egress by default.

> Isolated network without firewall service doesn't allow egress traffic
> ----------------------------------------------------------------------
>                 Key: CLOUDSTACK-8030
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.5.0
>            Reporter: Jayapal Reddy
>            Assignee: Jayapal Reddy
>             Fix For: 4.5.0
> An isolated network, created with an offering having DHCP, DNS, Source NAT, LB (Netscaler),
> which doesn't use the Firewall service from the VR, has Egress rules default allow. But the iptables
> FW_Outbound chain doesn't have a rule to allow traffic from VMs to outside networks.
> This offering will be of no use even when the Egress default is allow all. Either the
> user should not be allowed to create an offering without Firewall, or the iptables rule should
> be added to allow egress traffic.

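The following is an added illustration of the two rule layouts discussed in the comment above; it is not CloudStack's own systemvm script and is not part of the original message. It models the egress chain of the virtual router in the current form (chain ends in DROP, egress only opens when a firewall provider pushes an ACCEPT) beside the proposed form (chain ends in ACCEPT, and only an egress policy of DENY inserts a DROP). The chain name FW_OUTBOUND is taken from the report; the guest CIDR 10.1.1.0/24, the interface name eth0 and the function names are assumptions made for the example. By default the script prints the iptables commands instead of running them, so it can be read and checked without root on a real router; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: models the VR egress chain before and after the proposed change.
# Not CloudStack's own code. Chain name from the report; CIDR/interface are assumed.
# Dry run by default: commands are echoed. Set IPT=iptables to actually apply them.
IPT=${IPT:-"echo iptables"}
CHAIN=${CHAIN:-FW_OUTBOUND}            # assumed: chain name as named in the report
GUEST_NET=${GUEST_NET:-10.1.1.0/24}    # constructed example guest network CIDR
GUEST_IF=${GUEST_IF:-eth0}             # assumed guest-side interface of the VR

# Current behaviour: default rules at boot end in DROP, so guest egress is
# blocked until a firewall provider pushes an ACCEPT rule for the network.
current_boot_rules() {
    $IPT -N "$CHAIN"
    $IPT -A FORWARD -i "$GUEST_IF" -j "$CHAIN"
    $IPT -A "$CHAIN" -j DROP
}

# Current behaviour: the rule the firewall provider pushes on network creation
# when the offering's egress policy is allow. With no firewall provider this
# never runs, which is the bug: the DROP above stays in effect.
current_egress_allow_rule() {
    $IPT -I "$CHAIN" -s "$GUEST_NET" -j ACCEPT
}

# Proposed behaviour (point 1 of the comment): default rules allow egress.
proposed_boot_rules() {
    $IPT -N "$CHAIN"
    $IPT -A FORWARD -i "$GUEST_IF" -j "$CHAIN"
    $IPT -A "$CHAIN" -j ACCEPT
}

# Proposed behaviour (points 2 and 3): on network creation, only an egress
# policy of deny sends a rule, inserted ahead of the default ACCEPT. An offering
# with Source NAT and no Firewall sends nothing and therefore allows egress.
proposed_network_create() {
    case "$1" in
        deny)  $IPT -I "$CHAIN" -s "$GUEST_NET" -j DROP ;;
        allow) : ;;   # nothing to send; the boot-time default already allows
        *)     echo "unknown egress policy: $1" >&2; return 1 ;;
    esac
}

# Stand-alone run: print both layouts side by side for a deny network.
if [ "${1:-}" = "show" ]; then
    echo "# current"; current_boot_rules; current_egress_allow_rule
    echo "# proposed"; proposed_boot_rules; proposed_network_create deny
fi
```

A caveat worth keeping in mind with the proposed layout: it inverts the failure mode. Today, a rule the management server fails to deliver leaves the network closed; after the change, a DROP that is never delivered for a DENY offering leaves the network open. On a running VR the state of the chain can be confirmed with `iptables -L FW_OUTBOUND -n -v` and compared against the offering's egress policy.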