From: Will Chan
To: "cloudstack-users@incubator.apache.org"
Date: Sat, 26 May 2012 07:07:11 -0700
Subject: RE: Anyway to disable the firewall functionality provided by the virtual router in 3.0.x?

You want openfirewall=true. Or simply remove it as the default is to open it.

Will
________________________________________
From: Jason Davis [scr512@gmail.com]
Sent: Friday, May 25, 2012 2:09 PM
To: cloudstack-users@incubator.apache.org
Subject: Re: Anyway to disable the firewall functionality provided by the virtual router in 3.0.x?

Hmm, I've tested this and I can confirm in my api-log that I am passing
the openfirewall command but when testing within the UI, it still doesn't
seem to create the proper firewall rules for me.

On Fri, May 25, 2012 at 1:43 PM, Jason Davis wrote:

> Thanks! I'll give that a go.
>
> On Fri, May 25, 2012 at 1:39 PM, Brian Federle wrote:
>
>> One idea might be to modify the createURL function, which every server
>> call uses to generate a URL for the API call. openfirewall=false could be
>> passed there and will apply to all actions in the UI.
>>
>> createURL is in /ui/scripts/sharedFunctions.js; modify urlString to add
>> additional params:
>>
>> //API calls
>> function createURL(apiName, options) {
>>   if (!options) options = {};
>>   var urlString = clientApiUrl + "?" + "command=" + apiName
>>     + "&response=json&sessionkey=" + g_sessionKey;
>>
>>   urlString = urlString + '&openfirewall=false';
>>   ...
>> }
>>
>> Hope that helps!
>>
>> ________________________________________
>> From: Jason Davis [scr512@gmail.com]
>> Sent: Thursday, May 24, 2012 3:01 PM
>> To: cloudstack-users@incubator.apache.org
>> Subject: Re: Anyway to disable the firewall functionality provided by the
>> virtual router in 3.0.x?
>>
>> Any hints to where this configuration would be done :)
>>
>> Sent from my iPhone
>>
>> On May 24, 2012, at 4:32 PM, Will Chan <will.chan@citrix.com> wrote:
>>
>> > Ok, glad you clarified it for me. In 2.2.11+, all
>> > XXXPortForwardingRule and XXXLoadBalancer API calls automatically called
>> > the XXXFirewallRule API. You could always turn that off by passing
>> > openfirewall=false in the create commands. Subsequently, the UI had
>> > supported both ways of doing this as you know already by using the
>> > firewall.rule.ui setting so people did not have to deal with this split.
>> > In 3.0.x, the API remains unchanged, but the UI no longer supports this
>> > and the 3.0.x UI always makes calls with openfirewall=false.
>> >
>> > To achieve what you want, you would need to tweak the UI to make API
>> > calls with openfirewall=true (or remove it since the default is true) and
>> > change the UI to no longer show the firewall portion. Changing the network
>> > offering turns off and on the service and if you disable the firewall from
>> > the network offering, you will end up disabling the port forwarding feature
>> > I believe.
>> >
>> > The other option is to re-introduce this back into the CloudStack.
>> >
>> > -----Original Message-----
>> > From: Jason Davis [mailto:scr512@gmail.com]
>> > Sent: Thursday, May 24, 2012 1:49 PM
>> > To: cloudstack-users@incubator.apache.org
>> > Subject: Re: Anyway to disable the firewall functionality provided by
>> > the virtual router in 3.0.x?
>> >
>> > Well, I want it to behave as it did in 2.2.14-3.0.0.
>> >
>> > ie: I can provide isolation through portforwarding ranges and have the
>> > firewall disabled. My concern is that when I upgrade to 3.0.2 that I'll
>> > have to essentially re-teach my end users how to gain remote access to
>> > their VM instances.
>> >
>> > In the documentation and in previous builds, you could turn the
>> > firewall off entirely via a global setting. This is the functionality I am
>> > wishing to accomplish.
>> >
>> > No firewall, just services like portforwarding, dhcp, dns,
>> > loadbalancing, source nat, static nat in my network offering.
>> >
>> > On Thu, May 24, 2012 at 3:45 PM, Will Chan wrote:
>> >
>> >> Can you describe what you would like to do? I thought for a moment
>> >> you simply wanted the UI to act in the same way as in 2.2.x.
>> >> However, from your response, it looks like you want to remove the
>> >> firewall feature from the virtual router altogether, including all the
>> >> port forwarding feature?
>> >>
>> >> Will
>> >>
>> >> -----Original Message-----
>> >> From: Jason Davis [mailto:scr512@gmail.com]
>> >> Sent: Thursday, May 24, 2012 1:32 PM
>> >> To: cloudstack-users@incubator.apache.org
>> >> Subject: Re: Anyway to disable the firewall functionality provided by
>> >> the virtual router in 3.0.x?
>> >>
>> >> Ah so if I create my network offering via the API then I can achieve
>> >> what I want?
>> >>
>> >> If that's so, good enough :) I am more than happy to do API calls.
>> >>
>> >> /me goes to RTFM
>> >>
>> >> On Thu, May 24, 2012 at 3:30 PM, Will Chan wrote:
>> >>
>> >>> Since 3.0.x, that feature was turned off from the default UI and
>> >>> expect everyone to use the firewall feature.
>> >>> The API still honors the old functionality so you can always custom
>> >>> change the UI to reflect the same behavior in 2.2.x.
>> >>>
>> >>> Will
>> >>>
>> >>> -----Original Message-----
>> >>> From: Jason Davis [mailto:scr512@gmail.com]
>> >>> Sent: Thursday, May 24, 2012 12:28 PM
>> >>> To: cloudstack-users@incubator.apache.org
>> >>> Subject: Anyway to disable the firewall functionality provided by
>> >>> the virtual router in 3.0.x?
>> >>>
>> >>> So, in 2.2.x with advanced networking you could disable the firewall
>> >>> by setting the global setting firewall.rule.ui.enabled to false. I
>> >>> am trying to replicate this functionality in my upgraded development
>> >>> instance (2.2.14->3.0.2) but this global setting no longer exists in
>> >>> the UI.
>> >>>
>> >>> I've also tried to create a new isolated networking offering with
>> >>> the firewall functionality disabled. However, anytime I try this the
>> >>> firewall setting ends up being enabled anyway.
>> >>>
>> >>> Thanks!
>> >>> Jason
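
The createURL change discussed in this thread appends openfirewall to every API call. As an added example (not code from the thread or from the CloudStack UI), the sketch below sets the parameter exactly once and only on rule-creating commands, and reads it back so the generated URL can be checked against the api-log. The function names, the command list and the sample values are assumptions made for illustration.

```javascript
// Added example, not CloudStack UI code. Assumption: these are the
// rule-creating commands that accept openfirewall in your version.
const OPENFIREWALL_COMMANDS = new Set([
  'createPortForwardingRule',
  'createLoadBalancerRule',
]);

// Build an API URL in the same shape as the UI's createURL, but set
// openfirewall once, and only on the commands listed above.
function buildApiUrl(clientApiUrl, sessionKey, apiName, params, openFirewall) {
  const query = new URLSearchParams();
  query.set('command', apiName);
  query.set('response', 'json');
  query.set('sessionkey', sessionKey); // URL-encoded by URLSearchParams
  for (const [key, value] of Object.entries(params || {})) {
    // Drop any caller-supplied openfirewall so a stale value cannot
    // end up in the URL next to the one set below.
    if (key.toLowerCase() !== 'openfirewall') {
      query.set(key, String(value));
    }
  }
  if (OPENFIREWALL_COMMANDS.has(apiName)) {
    query.set('openfirewall', openFirewall ? 'true' : 'false');
  }
  return clientApiUrl + '?' + query.toString();
}

// Report what a generated URL asks for: 'true', 'false', or null when
// the parameter is absent and the server-side default applies.
function openFirewallOf(url) {
  const queryString = url.split('?')[1] || '';
  return new URLSearchParams(queryString).get('openfirewall');
}

// Constructed sample values, not taken from a real deployment.
const sampleRuleUrl = buildApiUrl(
  'client/api', 'k+1=', 'createPortForwardingRule',
  { publicport: 22, privateport: 22, openfirewall: 'false' }, true);
const sampleListUrl = buildApiUrl(
  'client/api', 'k+1=', 'listVirtualMachines', {}, true);

console.log(sampleRuleUrl, '->', openFirewallOf(sampleRuleUrl));
console.log(sampleListUrl, '->', openFirewallOf(sampleListUrl));
```

Comparing openFirewallOf() for a generated URL with the matching api-log entry shows whether the value the UI sent is the one the management server received.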