cloudstack-users mailing list archives

From Will Chan <will.c...@citrix.com>
Subject RE: Anyway to disable the firewall functionality provided by the virtual router in 3.0.x?
Date Sat, 26 May 2012 14:07:11 GMT
You want openfirewall=true.  Or simply remove it as the default is to open it.

Will

________________________________________
From: Jason Davis [scr512@gmail.com]
Sent: Friday, May 25, 2012 2:09 PM
To: cloudstack-users@incubator.apache.org
Subject: Re: Anyway to disable the firewall functionality provided by the virtual router in
3.0.x?

Hmm, I've tested this and I can confirm in my api-log that I am
passing the openfirewall command, but when testing within the UI, it still
doesn't seem to create the proper firewall rules for me.

On Fri, May 25, 2012 at 1:43 PM, Jason Davis <scr512@gmail.com> wrote:

> Thanks! I'll give that a go.
>
>
> On Fri, May 25, 2012 at 1:39 PM, Brian Federle <Brian.Federle@citrix.com> wrote:
>
>> One idea might be to modify the createURL function, which every server
>> call uses to generate a URL for the API call. openfirewall=false could be
>> passed there and will apply to all actions in the UI.
>>
>> createURL is in /ui/scripts/sharedFunctions.js; modify urlString to add
>> additional params:
>>
>> //API calls
>> function createURL(apiName, options) {
>>   if (!options) options = {};
>>   var urlString = clientApiUrl + "?" + "command=" + apiName
>>     + "&response=json&sessionkey=" + g_sessionKey;
>>
>>   urlString = urlString + '&openfirewall=false';
>>   ...
>> }
>>
>> Hope that helps!
>>
>> ________________________________________
>> From: Jason Davis [scr512@gmail.com]
>> Sent: Thursday, May 24, 2012 3:01 PM
>> To: cloudstack-users@incubator.apache.org
>> Subject: Re: Anyway to disable the firewall functionality provided by the
>> virtual router in 3.0.x?
>>
>> Any hints to where this configuration would be done :)
>>
>> Sent from my iPhone
>>
>> On May 24, 2012, at 4:32 PM, Will Chan <will.chan@citrix.com> wrote:
>>
>> > Ok, glad you clarified it for me.  In 2.2.11+, all
>> > XXXPortForwardingRule and XXXLoadBalancer API calls automatically called
>> > the XXXFirewallRule API.  You could always turn that off by passing
>> > openfirewall=false in the create commands.  Subsequently, the UI had
>> > supported both ways of doing this as you know already by using the
>> > firewall.rule.ui setting so people did not have to deal with this split.
>> > In 3.0.x, the API remains unchanged, but the UI no longer supports this
>> > and the 3.0.x UI always makes calls with openfirewall=false.
>> >
>> > To achieve what you want, you would need to tweak the UI to make API
>> > calls with openfirewall=true (or remove it since the default is true) and
>> > change the UI to no longer show the firewall portion.  Changing the network
>> > offering turns off and on the service and if you disable the firewall from
>> > the network offering, you will end up disabling the port forwarding feature
>> > I believe.
>> >
>> > The other option is to re-introduce this back into the CloudStack.
>> >
>> > -----Original Message-----
>> > From: Jason Davis [mailto:scr512@gmail.com]
>> > Sent: Thursday, May 24, 2012 1:49 PM
>> > To: cloudstack-users@incubator.apache.org
>> > Subject: Re: Anyway to disable the firewall functionality provided by
>> > the virtual router in 3.0.x?
>> >
>> > Well, I want it to behave as it did in 2.2.14-3.0.0.
>> >
>> > ie: I can provide isolation through portforwarding ranges and have the
>> > firewall disabled. My concern is that when I upgrade to 3.0.2 that I'll
>> > have to essentially re-teach my end users how to gain remote access to
>> > their VM instances.
>> >
>> > In the documentation and in previous builds, you could turn the
>> > firewall off entirely via a global setting. This is the functionality I am
>> > wishing to accomplish.
>> >
>> > No firewall, just services like portforwarding, dhcp, dns,
>> > loadbalancing, source nat, static nat in my network offering.
>> >
>> > On Thu, May 24, 2012 at 3:45 PM, Will Chan <will.chan@citrix.com> wrote:
>> >
>> >> Can you describe what you would like to do?  I thought for a moment
>> >> you simply wanted the UI to act in the same way as in 2.2.x.
>> >> However, from your response, it looks like you want to remove the
>> >> firewall feature from the virtual router altogether, including all the
>> >> port forwarding feature?
>> >>
>> >> Will
>> >>
>> >> -----Original Message-----
>> >> From: Jason Davis [mailto:scr512@gmail.com]
>> >> Sent: Thursday, May 24, 2012 1:32 PM
>> >> To: cloudstack-users@incubator.apache.org
>> >> Subject: Re: Anyway to disable the firewall functionality provided by
>> >> the virtual router in 3.0.x?
>> >>
>> >> Ah so if I create my network offering via the API then I can achieve
>> >> what I want?
>> >>
>> >> If that's so, good enough :) I am more than happy to do API calls.
>> >>
>> >> /me goes to RTFM
>> >>
>> >> On Thu, May 24, 2012 at 3:30 PM, Will Chan <will.chan@citrix.com> wrote:
>> >>
>> >>> Since 3.0.x, that feature was turned off from the default UI and
>> >>> expect everyone to use the firewall feature.  The API still honors
>> >>> the old functionality so you can always custom change the UI to
>> >>> reflect the same behavior in 2.2.x.
>> >>>
>> >>> Will
>> >>>
>> >>> -----Original Message-----
>> >>> From: Jason Davis [mailto:scr512@gmail.com]
>> >>> Sent: Thursday, May 24, 2012 12:28 PM
>> >>> To: cloudstack-users@incubator.apache.org
>> >>> Subject: Anyway to disable the firewall functionality provided by
>> >>> the virtual router in 3.0.x?
>> >>>
>> >>> So, in 2.2.x with advanced networking you could disable the firewall
>> >>> by setting the global setting firewall.rule.ui.enabled to false. I
>> >>> am trying to replicate this functionality in my upgraded development
>> >>> instance
>> >>> (2.2.14->3.0.2) but this global setting no longer exists in the UI.
>> >>>
>> >>> I've also tried to create a new isolated networking offering with
>> >>> the firewall functionality disabled. However, anytime I try this the
>> >>> firewall setting ends up being enabled anyway.
>> >>>
>> >>> Thanks!
>> >>> Jason
>> >>>
>> >>
>>
>
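
Added example (not part of the original thread and not CloudStack's own UI code): the thread says the create commands open the firewall unless openfirewall=false is passed, and that the suggested createURL change appends the parameter to every API call. The sketch below sets the parameter only on createPortForwardingRule and createLoadBalancerRule and classifies request URLs by their firewall effect. The function names, the /client/api path and the sample requests are constructed for illustration.

```javascript
// Added example: everything except the CloudStack command names and the
// openfirewall parameter is hypothetical.

// Create commands that accept openfirewall (the thread's XXXPortForwardingRule
// and XXXLoadBalancer create calls).
const FIREWALL_AWARE = new Set(["createportforwardingrule", "createloadbalancerrule"]);

// Build an API URL, setting openfirewall explicitly and only on commands that
// accept it. `params` carries the remaining arguments (session key included).
function buildApiUrl(baseUrl, command, params, openFirewall) {
  const query = new URLSearchParams({ command, response: "json", ...params });
  if (FIREWALL_AWARE.has(command.toLowerCase())) {
    query.set("openfirewall", openFirewall ? "true" : "false");
  }
  return baseUrl + "?" + query.toString();
}

// Classify one request URL: does it open the public port in the firewall
// without a separate firewall rule being created?
function firewallEffect(requestUrl) {
  const query = new URL(requestUrl, "http://placeholder.invalid").searchParams;
  const command = (query.get("command") || "").toLowerCase();
  if (!FIREWALL_AWARE.has(command)) return "not-applicable";
  const value = query.get("openfirewall");
  if (value === null) return "opened-by-default"; // default is true per the thread
  return value.toLowerCase() === "true" ? "opened-explicitly" : "left-closed";
}

// Constructed sample requests (not real log lines).
const SAMPLE_REQUESTS = [
  "/client/api?command=createPortForwardingRule&publicport=22&privateport=22&openfirewall=false",
  "/client/api?command=createPortForwardingRule&publicport=443&privateport=443",
  "/client/api?command=createLoadBalancerRule&publicport=80&privateport=8080&openfirewall=true",
  "/client/api?command=listVirtualMachines&openfirewall=false",
];

function auditRequests(requests) {
  return requests.map((request) => ({ request, effect: firewallEffect(request) }));
}

for (const { request, effect } of auditRequests(SAMPLE_REQUESTS)) {
  console.log(effect.padEnd(18), request);
}
```

Requests reported as opened-by-default are the ones to review first, since the port is exposed without the parameter ever appearing in the log.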