cloudstack-users mailing list archives

From Jason Davis <scr...@gmail.com>
Subject Re: Anyway to disable the firewall functionality provided by the virtual router in 3.0.x?
Date Sat, 26 May 2012 16:38:27 GMT
Right, let me show you what I have done:

sharedFunctions.js

//API calls
function createURL(apiName, options) {
  if (!options) options = {};
  var urlString = clientApiUrl + "?" + "command=" + apiName
+"&response=json&se$

  urlString = urlString + '&openfirewall=true';

  if (cloudStack.context && cloudStack.context.projects &&
!options.ignoreProje$
    urlString = urlString + '&projectid=' +
cloudStack.context.projects[0].id;
  }

  return urlString;
}

I then restarted the cloud-management daemon on my management server and
then logged in through the UI using a user account.

I then go and add a new portforward rule for my instance. Here is the
output of api-server.log

command=createPortForwardingRule&response=json&sessionkey=QmObgzdyeCnC0a6Uyy%2BVIYZelWM%3D&openfirewall=true&privateport=80&publicport=80&protocol=tcp&openfirewall=false&ipaddressid=f1fc5afe-db69-4093-a51d-570d5888ddca&virtualmachineid=717573a7-4287-4cdb-ae67-a008941b4f78&_=1338049749681

So, looks like I need to find where the other "openfirewall=false" is. I've
double checked that I don't have another occurrence in sharedFunctions.js
so my guess is that it is in another file.

Where... I'm not certain :)


On Sat, May 26, 2012 at 9:07 AM, Will Chan <will.chan@citrix.com> wrote:

> You want openfirewall=true.  Or simply remove it as the default is to open
> it.
>
> Will
>
> ________________________________________
> From: Jason Davis [scr512@gmail.com]
> Sent: Friday, May 25, 2012 2:09 PM
> To: cloudstack-users@incubator.apache.org
> Subject: Re: Anyway to disable the firewall functionality provided by the
> virtual router in 3.0.x?
>
> Hmm, I've tested this and I can confirm that in my api-log that I am
> passing the openfirewall command but when testing with-in the UI, it still
> doesn't seem to create the proper firewall rules for me.
>
> On Fri, May 25, 2012 at 1:43 PM, Jason Davis <scr512@gmail.com> wrote:
>
> > Thanks! I'll give that a go.
> >
> >
> > On Fri, May 25, 2012 at 1:39 PM, Brian Federle <Brian.Federle@citrix.com> wrote:
> >
> >> One idea might be to modify the createURL function, which every server
> >> call uses to generate a URL for the API call. openfirewall=false could be
> >> passed there and will apply to all actions in the UI.
> >>
> >>
> >>
> >> createURL is in /ui/scripts/sharedFunctions.js; modify urlString to add
> >> additional params:
> >>
> >>
> >>
> >> //API calls
> >>
> >> function createURL(apiName, options) {
> >>
> >>  if (!options) options = {};
> >>
> >> var urlString = clientApiUrl + "?" + "command=" + apiName
> >> +"&response=json&sessionkey=" + g_sessionKey;
> >>
> >>
> >>
> >> urlString = urlString + '&openfirewall=false';
> >>
> >> ...
> >>
> >> }
> >>
> >>
> >>
> >> Hope that helps!
> >>
> >> ________________________________________
> >>
> >> From: Jason Davis [scr512@gmail.com]
> >>
> >> Sent: Thursday, May 24, 2012 3:01 PM
> >>
> >> To: cloudstack-users@incubator.apache.org
> >>
> >> Subject: Re: Anyway to disable the firewall functionality provided by the
> >> virtual router in 3.0.x?
> >>
> >>
> >>
> >> Any hints to where this configuration would be done :)
> >>
> >>
> >>
> >> Sent from my iPhone
> >>
> >>
> >>
> >> On May 24, 2012, at 4:32 PM, Will Chan <will.chan@citrix.com> wrote:
> >>
> >>
> >>
> >> > Ok, glad you clarified it for me.  In 2.2.11+, all
> >> > XXXPortForwardingRule and XXXLoadBalancer API calls automatically called
> >> > the XXXFirewallRule API.  You could always turn that off by passing
> >> > openfirewall=false in the create commands.  Subsequently, the UI had
> >> > supported both ways of doing this as you know already by using the
> >> > firewall.rule.ui setting so people did not have to deal with this split.
> >> > In 3.0.x, the API remains unchanged, but the UI no longer supports this
> >> > and the 3.0.x UI always makes calls with openfirewall=false.
> >>
> >> >
> >>
> >> > To achieve what you want, you  would need to tweak the UI to make API
> >> > calls with openfirewall=true (or remove it since the default is true) and
> >> > change the UI to no longer show the firewall portion.  Changing the network
> >> > offering turns off and on the service and if you disable the firewall from
> >> > the network offering, you will end up disabling the port forwarding feature
> >> > I believe.
> >>
> >> >
> >>
> >> > The other option is to re-introduce this back into the CloudStack.
> >>
> >> >
> >>
> >> > -----Original Message-----
> >>
> >> > From: Jason Davis [mailto:scr512@gmail.com]
> >>
> >> > Sent: Thursday, May 24, 2012 1:49 PM
> >>
> >> > To: cloudstack-users@incubator.apache.org
> >>
> >> > Subject: Re: Anyway to disable the firewall functionality provided by
> >> > the virtual router in 3.0.x?
> >>
> >> >
> >>
> >> > Well, I want it to behave as it did in 2.2.14-3.0.0.
> >>
> >> >
> >>
> >> > ie: I can provide isolation through portforwarding ranges and have the
> >> > firewall disabled. My concern is that when I upgrade to 3.0.2 that I'll
> >> > have to essentially re-teach my end users how to gain remote access to
> >> > their VM instances.
> >>
> >> >
> >>
> >> > In the documentation and in previous builds, you could turn the
> >> > firewall off entirely via a global setting. This is the functionality I am
> >> > wishing to accomplish.
> >>
> >> >
> >>
> >> > No firewall, just services like portforwarding, dhcp, dns,
> >> > loadbalancing, source nat, static nat in my network offering.
> >>
> >> >
> >>
> >> > On Thu, May 24, 2012 at 3:45 PM, Will Chan <will.chan@citrix.com> wrote:
> >>
> >> >
> >>
> >> >> Can you describe what you would like to do?  I thought for a moment
> >>
> >> >> you simply wanted the UI to act in the same way as in 2.2.x.
> >>
> >> >> However, from your response, it looks like you want to remove the
> >>
> >> >> firewall feature from the virtual router altogether, including all the
> >> >> port forwarding feature?
> >>
> >> >>
> >>
> >> >> Will
> >>
> >> >>
> >>
> >> >> -----Original Message-----
> >>
> >> >> From: Jason Davis [mailto:scr512@gmail.com]
> >>
> >> >> Sent: Thursday, May 24, 2012 1:32 PM
> >>
> >> >> To: cloudstack-users@incubator.apache.org
> >>
> >> >> Subject: Re: Anyway to disable the firewall functionality provided by
> >>
> >> >> the virtual router in 3.0.x?
> >>
> >> >>
> >>
> >> >> Ah so if I create my network offering via the API then I can achieve
> >>
> >> >> what I want?
> >>
> >> >>
> >>
> >> >> If that's so, good enough :) I am more than happy to do API calls.
> >>
> >> >>
> >>
> >> >> /me goes to RTFM
> >>
> >> >>
> >>
> >> >> On Thu, May 24, 2012 at 3:30 PM, Will Chan <will.chan@citrix.com> wrote:
> >>
> >> >>
> >>
> >> >>> Since 3.0.x, that feature was turned off from the default UI and
> >>
> >> >>> expect everyone to use the firewall feature.  The API still honors
> >>
> >> >>> the old functionality so you can always custom change the UI to
> >>
> >> >>> reflect the same behavior in 2.2.x.
> >>
> >> >>>
> >>
> >> >>> Will
> >>
> >> >>>
> >>
> >> >>> -----Original Message-----
> >>
> >> >>> From: Jason Davis [mailto:scr512@gmail.com]
> >>
> >> >>> Sent: Thursday, May 24, 2012 12:28 PM
> >>
> >> >>> To: cloudstack-users@incubator.apache.org
> >>
> >> >>> Subject: Anyway to disable the firewall functionality provided by
> >>
> >> >>> the virtual router in 3.0.x?
> >>
> >> >>>
> >>
> >> >>> So, in 2.2.x with advanced networking you could disable the firewall
> >>
> >> >>> by setting the global setting  firewall.rule.ui.enabled to false. I
> >>
> >> >>> am trying to replicate this functionality in my upgraded development
> >>
> >> >>> instance
> >>
> >> >>> (2.2.14->3.0.2) but this global setting no longer exists in the UI.
> >>
> >> >>>
> >>
> >> >>> I've also tried to create a new isolated networking offering with
> >>
> >> >>> the firewall functionality disabled. However, anytime I try this the
> >>
> >> >>> firewall setting ends up being enabled anyway.
> >>
> >> >>>
> >>
> >> >>> Thanks!
> >>
> >> >>> Jason
> >>
> >> >>>
> >>
> >> >>
> >>
> >>
> >
>
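
The api-server.log line in the message above carries openfirewall twice: true right after sessionkey and false further along, among the call's own parameters. As an added example (not code from the thread or from CloudStack), the JavaScript below reports parameters sent more than once in a logged query string and rebuilds the string so a parameter is set exactly once; the sample line is constructed with a placeholder session key and ids, and all function names are hypothetical.

```javascript
// Added example (not from the thread). SAMPLE_QUERY is constructed: same shape
// as the logged request, with placeholder session key and ids.
const SAMPLE_QUERY =
  'command=createPortForwardingRule&response=json&sessionkey=EXAMPLE' +
  '&openfirewall=true&privateport=80&publicport=80&protocol=tcp' +
  '&openfirewall=false&ipaddressid=EXAMPLE-IP-ID&virtualmachineid=EXAMPLE-VM-ID';

// Decode one component; keep the raw text if the escape sequence is malformed.
function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s;
  }
}

// Split a query string into [name, value] pairs, preserving order and repeats.
function parsePairs(query) {
  return query.split('&').filter(Boolean).map(function (pair) {
    const eq = pair.indexOf('=');
    return eq === -1
      ? [safeDecode(pair), '']
      : [safeDecode(pair.slice(0, eq)), safeDecode(pair.slice(eq + 1))];
  });
}

// Report every parameter sent more than once, with its values in send order.
function findRepeatedParams(query) {
  const byName = new Map();
  for (const [name, value] of parsePairs(query)) {
    if (!byName.has(name)) byName.set(name, []);
    byName.get(name).push(value);
  }
  const repeated = [];
  for (const [name, values] of byName) {
    const conflicting = new Set(values).size > 1;
    if (values.length > 1) repeated.push({ name, values, conflicting });
  }
  return repeated;
}

// Set a parameter exactly once: drop every existing occurrence, then append.
function setParamOnce(query, name, value) {
  const kept = parsePairs(query).filter(function (p) { return p[0] !== name; });
  kept.push([name, String(value)]);
  return kept.map(function (p) {
    return encodeURIComponent(p[0]) + '=' + encodeURIComponent(p[1]);
  }).join('&');
}
```

Which occurrence the server honours is not stated in the thread, so a request that logs a conflicting pair should be treated as ambiguous until only one value is sent.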
