incubator-cloudstack-dev mailing list archives

From Chip Childers <>
Subject Re: "Egress Firewall Rules" feature FS
Date Mon, 22 Oct 2012 13:05:13 GMT

Network engineers would expect to see ALLOW and BLOCK rule
flexibility, but in most cases a default DENY ALL rule is the last
rule in a set (with only ALLOW rules above it).  In my experience,
it's usually only the more complex FW policies that use BLOCK
statements to selectively undo prior ALLOW statements.

This is something I've struggled with personally in the past (as a
designer of FW automation).  The question for us is if the flexibility
is worth the complexity.  IMO, you can always achieve the same results
using either approach (ALLOW only above the default as DENY ALL, or
BLOCK and ALLOW statements inter-mingled).

My preference would be to have it though.  That flexibility isn't
something that a user HAS to take advantage of...  but it's useful
when it's needed.


On Sun, Oct 21, 2012 at 12:57 AM, Chiradeep Vittal
<> wrote:
> Jayapal, Nilesh, these are useful comments.
> BLOCK rules can be useful, in which case you would need ordering between
> BLOCK and ALLOW rules.
> If I were a network engineer used to using Cisco or other firewalls, what
> would I expect to see in this regard?
> On 10/15/12 1:50 AM, "Jayapal Reddy Uradi" <>
> wrote:
>>Hi Nilesh,
>>Please find my inline comments.
>>From: Nilesh Vishwakarma
>>Sent: Thursday, October 11, 2012 6:37 PM
>>To: Jayapal Reddy Uradi
>>Subject: "Egress Firewall Rules" feature FS
>>My review comments on "Egress Firewall Rules" feature FS:
>>1. Let me know whether we are using CreateFirewall API or NetworkACL to
>>implement firewall rule
>>-   There is a discussion in community about which  API to use. I will
>>update the spec once the discussion is closed.
>>2. How can I block the communication with particular subnet? As in if I
>>want to block communication ONLY with some IP range and allow the rest of
>>the communication, would it be possible?
>>-It is not possible. There are only rules to ALLOW.
>>3. Can we have BLOCK rule which can block communication with specified IP
>>-We can have only ALLOW rules. The egress rules only allowed and
>>remaining traffic is blocked.
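Added illustration, not part of the thread above: a small first-match rule evaluator, written here to make concrete the two rule styles Chip contrasts (ALLOW-only rules above a default DENY ALL versus intermingled BLOCK and ALLOW rules) and the ordering question Chiradeep raises. The rules, addresses and the `Rule`/`evaluate`/`shadowed_rules` names are constructed for this example and are not CloudStack APIs. It shows that Nilesh's "block only one IP range, allow the rest" case can be expressed either way with identical results, and that a BLOCK rule placed below a broad ALLOW is shadowed and never takes effect.

```python
"""Ordered egress firewall rule evaluation (constructed example).

Semantics modelled: rules are checked top to bottom, the first match wins,
and an implicit DENY ALL sits below the last rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "ALLOW" or "BLOCK"
    dst_cidr: str               # destination network this rule matches
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None  # None matches any port

    def matches(self, dst: str, proto: str, port: Optional[int]) -> bool:
        if ip_address(dst) not in ip_network(self.dst_cidr):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        return True


def evaluate(rules: List[Rule], dst: str, proto: str = "tcp",
             port: Optional[int] = None) -> str:
    """Action of the first matching rule, or the default DENY if none matches."""
    for rule in rules:
        if rule.matches(dst, proto, port):
            return rule.action
    return "DENY"


def permitted(rules: List[Rule], dst: str, proto: str = "tcp",
              port: Optional[int] = None) -> bool:
    """True only when the winning rule is an ALLOW."""
    return evaluate(rules, dst, proto, port) == "ALLOW"


# Style 1: BLOCK and ALLOW intermingled. The BLOCK must precede the broad ALLOW.
INTERMINGLED = [
    Rule("BLOCK", "10.1.2.0/24"),
    Rule("ALLOW", "0.0.0.0/0"),
]

# Style 2: ALLOW rules only, relying on the default DENY. "Everything except
# 10.1.2.0/24" is expressed as the complement networks (24 of them).
ALLOW_ONLY = [
    Rule("ALLOW", str(net))
    for net in ip_network("0.0.0.0/0").address_exclude(ip_network("10.1.2.0/24"))
]

# Same BLOCK rule placed after the broad ALLOW: it is shadowed and never fires.
SHADOWED = [
    Rule("ALLOW", "0.0.0.0/0"),
    Rule("BLOCK", "10.1.2.0/24"),
]

# Constructed sample destinations: one inside the blocked range, three outside.
SAMPLE_DESTINATIONS = ["10.1.2.7", "10.1.3.7", "192.0.2.10", "203.0.113.5"]


def policies_equivalent(a: List[Rule], b: List[Rule],
                        destinations=SAMPLE_DESTINATIONS) -> bool:
    """Do two rule sets permit exactly the same sample destinations?"""
    return all(permitted(a, d) == permitted(b, d) for d in destinations)


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules whose destination network is wholly covered by an
    earlier rule of equal or wider proto/port scope, so they can never match."""
    out = []
    for i, r in enumerate(rules):
        net = ip_network(r.dst_cidr)
        for earlier in rules[:i]:
            same_scope = (earlier.proto in ("any", r.proto)
                          and earlier.port in (None, r.port))
            if same_scope and net.subnet_of(ip_network(earlier.dst_cidr)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    for dst in SAMPLE_DESTINATIONS:
        print(dst, evaluate(INTERMINGLED, dst), evaluate(ALLOW_ONLY, dst),
              evaluate(SHADOWED, dst))
    print("intermingled == allow-only:", policies_equivalent(INTERMINGLED, ALLOW_ONLY))
    print("shadowed rule indexes:", shadowed_rules(SHADOWED))
```

The ALLOW-only form needs 24 complement networks to express one excluded /24, which is the complexity cost Chip mentions; the intermingled form needs two rules but only works if the BLOCK is ordered first, which is why a BLOCK/ALLOW design has to define and expose rule ordering. A shadowed-rule check like `shadowed_rules` is the kind of lint a rule editor can run to catch the mis-ordered case before it is pushed to the router.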
