cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ahmad Emneina <aemne...@gmail.com>
Subject Re: Problematic firewall rules for basic zone with no security groups
Date Tue, 05 Feb 2013 23:19:43 GMT
looks like a bug where egress is blocked. i believe you need to raise a
ticket for this.


On Tue, Feb 5, 2013 at 3:18 PM, Nick Wales <nick@nickwales.co.uk> wrote:

> I am running CS 4.0.0 running KVM. I have a basic zone with a network
> offering providing DHCP and USERDATA only.
>
> When I create a new instance I get the following iptables rules:
>
> Chain i-2-18-VM (1 references)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere
>
> Chain i-2-18-VM-eg (1 references)
> target     prot opt source               destination
>
> Chain i-2-18-def (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state
> RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match
> --physdev-in vnet13 --physdev-is-bridged udp spt:bootpc dpt:bootps
> ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match
> --physdev-out vnet13 --physdev-is-bridged udp spt:bootps dpt:bootpc
> RETURN     udp  --  10.28.175.130        anywhere            PHYSDEV match
> --physdev-in vnet13 --physdev-is-bridged udp dpt:domain
> i-2-18-VM-eg  all  --  10.28.175.130        anywhere            PHYSDEV
> match --physdev-in vnet13 --physdev-is-bridged
> i-2-18-VM  all  --  anywhere             anywhere            PHYSDEV match
> --physdev-out vnet13 --physdev-is-bridged
>
> I can't ping or ssh to the guest until I remove the DROP line. I obviously
> want to avoid this step every time I spin up a new instance and I can't add
> rules to the default security group as I don't have one. I want completely
> unrestricted access to these guests from first boot and I was under the
> impression not having security groups would provide this. Please confirm if
> this is the case!
>
> I have also changed and changed back the global setting:
> "network.securitygroups.defaultadding"  to false but that had seemingly no
> impact.
>
>
> In other news I also got the following rules added initially, which stop
> things like console services from working. "public" is the bridge name so I
> presume that is
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> BF-public  all  --  anywhere             anywhere            PHYSDEV match
> --physdev-is-bridged
> BF-public  all  --  anywhere             anywhere            PHYSDEV match
> --physdev-is-bridged
> DROP       all  --  anywhere             anywhere
> DROP       all  --  anywhere             anywhere
>
> If I comment out the following in the configuration file then everything
> works.
> -a FORWARD -o public -j DROP
> -a FORWARD -i public -j DROP
>
> I'd like to remove this manual step if at all possible though.
>
> Any help much appreciated.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message