From: Ahmad Emneina
Reply-To: aemneina@gmail.com
To: cloudstack-users@incubator.apache.org
Date: Tue, 5 Feb 2013 15:19:43 -0800
Subject: Re: Problematic firewall rules for basic zone with no security groups
In-Reply-To: <1858EF93-245F-46B8-BA0F-D6599268FB15@nickwales.co.uk>
References: <1858EF93-245F-46B8-BA0F-D6599268FB15@nickwales.co.uk>
Mailing-List: cloudstack-users@incubator.apache.org

Looks like a bug where egress is blocked. I believe you need to raise a ticket for this.

On Tue, Feb 5, 2013 at 3:18 PM, Nick Wales wrote:
> I am running CS 4.0.0 running KVM. I have a basic zone with a network
> offering providing DHCP and USERDATA only.
>
> When I create a new instance I get the following iptables rules:
>
> Chain i-2-18-VM (1 references)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere
>
> Chain i-2-18-VM-eg (1 references)
> target     prot opt source               destination
>
> Chain i-2-18-def (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet13 --physdev-is-bridged udp spt:bootpc dpt:bootps
> ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-out vnet13 --physdev-is-bridged udp spt:bootps dpt:bootpc
> RETURN     udp  --  10.28.175.130        anywhere             PHYSDEV match --physdev-in vnet13 --physdev-is-bridged udp dpt:domain
> i-2-18-VM-eg  all  --  10.28.175.130        anywhere             PHYSDEV match --physdev-in vnet13 --physdev-is-bridged
> i-2-18-VM  all  --  anywhere             anywhere             PHYSDEV match --physdev-out vnet13 --physdev-is-bridged
>
> I can't ping or ssh to the guest until I remove the DROP line. I obviously
> want to avoid this step every time I spin up a new instance and I can't add
> rules to the default security group as I don't have one. I want completely
> unrestricted access to these guests from first boot and I was under the
> impression not having security groups would provide this. Please confirm if
> this is the case!
>
> I have also changed and changed back the global setting:
> "network.securitygroups.defaultadding" to false but that had seemingly no
> impact.
>
>
> In other news I also got the following rules added initially, which stop
> things like console services from working. "public" is the bridge name so I
> presume that is
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> BF-public  all  --  anywhere             anywhere             PHYSDEV match --physdev-is-bridged
> BF-public  all  --  anywhere             anywhere             PHYSDEV match --physdev-is-bridged
> DROP       all  --  anywhere             anywhere
> DROP       all  --  anywhere             anywhere
>
> If I comment out the following in the configuration file then everything
> works.
> -a FORWARD -o public -j DROP
> -a FORWARD -i public -j DROP
>
> I'd like to remove this manual step if at all possible though.
>
> Any help much appreciated.
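As an added example (not code from this thread, from CloudStack, or from either poster), the script below parses the default `iptables -L` layout quoted above and reports the two situations the post describes: a per-instance chain whose only rules are unconditional DROPs, and unconditional DROP rules in the built-in FORWARD chain. The sample input is constructed from the rules shown in the post; chain names (i-2-18-VM, BF-public) and interface names (vnet13) are taken from it, and the column layout is assumed to be that of plain `iptables -L` without `-v` or `-n`.

```python
"""Audit helper for iptables security-group chains on a KVM host.

Added example, not part of the mailing-list thread or of CloudStack. It parses
the plain-text layout of `iptables -L` and flags:

  * a non-builtin chain whose rules are nothing but unconditional DROPs, so
    every packet steered into it is discarded before any ACCEPT can match;
  * unconditional DROP rules in the built-in FORWARD chain, which discard the
    bridged traffic that the BF-* jumps above them did not already handle.
"""
import re
import sys
from dataclasses import dataclass, field

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
ANY = {"anywhere", "0.0.0.0/0", "::/0"}

# Constructed sample: the `iptables -L` output quoted in the thread, with the
# mail-client line wrapping undone.
SAMPLE = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
BF-public  all  --  anywhere             anywhere             PHYSDEV match --physdev-is-bridged
BF-public  all  --  anywhere             anywhere             PHYSDEV match --physdev-is-bridged
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain i-2-18-VM (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain i-2-18-VM-eg (1 references)
target     prot opt source               destination

Chain i-2-18-def (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet13 --physdev-is-bridged udp spt:bootpc dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-out vnet13 --physdev-is-bridged udp spt:bootps dpt:bootpc
RETURN     udp  --  10.28.175.130        anywhere             PHYSDEV match --physdev-in vnet13 --physdev-is-bridged udp dpt:domain
i-2-18-VM-eg  all  --  10.28.175.130        anywhere             PHYSDEV match --physdev-in vnet13 --physdev-is-bridged
i-2-18-VM  all  --  anywhere             anywhere             PHYSDEV match --physdev-out vnet13 --physdev-is-bridged
"""


@dataclass
class Rule:
    target: str
    proto: str
    source: str
    dest: str
    extra: str  # match extensions (physdev, state, ports); empty when none

    def is_unconditional(self) -> bool:
        """True when the rule matches every packet that reaches it."""
        return (self.proto == "all" and self.source in ANY
                and self.dest in ANY and not self.extra)


@dataclass
class Chain:
    name: str
    rules: list = field(default_factory=list)


CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")


def parse_iptables_list(text: str) -> dict:
    """Parse `iptables -L` output into {chain_name: Chain}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1))
            chains[current.name] = current
            continue
        if line.startswith("target ") or current is None:
            continue  # column header, or text before the first chain
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue  # not a rule line in the expected layout; do not guess
        target, proto, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) == 6 else ""
        current.rules.append(Rule(target, proto, src, dst, extra))
    return chains


def audit(chains: dict) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for name, chain in chains.items():
        if name in BUILTIN_CHAINS:
            for idx, r in enumerate(chain.rules, 1):
                if r.target == "DROP" and r.is_unconditional():
                    findings.append(f"{name}: rule {idx} drops all traffic unconditionally")
        elif chain.rules and all(r.target == "DROP" and r.is_unconditional()
                                 for r in chain.rules):
            findings.append(f"{name}: only unconditional DROP rules; every jump "
                            f"into this chain discards the packet")
    return findings


if __name__ == "__main__":
    # Read live output when piped (`iptables -L | python3 audit.py`),
    # otherwise run against the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for finding in audit(parse_iptables_list(text)):
        print(finding)
```

On the sample this reports FORWARD rules 3 and 4 and the i-2-18-VM chain; i-2-18-def is left alone because its ACCEPT rules mean the chain is not a bare deny, and the empty i-2-18-VM-eg chain is not flagged because an empty chain simply returns to its caller.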