Posted to dev@cloudstack.apache.org by Logan Barfield <lb...@tqhosting.com> on 2014/12/15 23:47:44 UTC

Potential feature: Firewall comments

Currently in the UI and API it can be difficult to tell what exactly a
particular firewall rule is being used for.  I know that it is currently
possible to add "tags" to firewall rules, but that seems suboptimal from an
ease-of-use standpoint.

Would it be feasible to add a "comment" or "description" field for firewall
rules in advanced zones?  It could be added as an extra DB column, and
appear in the UI and listFirewallRules API call (unless it's left blank).
In theory the description/comment could also be added to the IPtables rule
on the VR.

This could probably also be applied to security groups.


Thoughts, comments?

RE: Potential feature: Firewall comments

Posted by Sanjeev Neelarapu <sa...@citrix.com>.
+1 for adding description and "Deny" option to the firewall API

-----Original Message-----
From: Logan Barfield [mailto:lbarfield@tqhosting.com] 
Sent: Friday, December 19, 2014 10:00 PM
To: dev@cloudstack.apache.org
Subject: Re: Potential feature: Firewall comments

On this same note:  Is there currently a way to add DROP rules to the VR firewall?  I know you can add a default allow egress policy and block specific things, but that doesn't help for incoming threats.

For instance if you want to allow public access to a web server (port 80), but want to block a particular attacker's IP or subnet.  Right now you have to set up a second level firewall on the VM itself for this.

Would it be feasible to add a "Deny" option to the firewall API?


Thank You,

Logan Barfield
Tranquil Hosting

On Mon, Dec 15, 2014 at 11:49 PM, Jayapal Reddy Uradi <jayapalreddy.uradi@citrix.com> wrote:
>
> +1
>
> When there is a large set of rules, it will be useful.
>
> Thanks,
> Jayapal
> On 16-Dec-2014, at 4:17 AM, Logan Barfield <lb...@tqhosting.com> wrote:
>
> > Currently in the UI and API it can be difficult to tell what exactly a
> > particular firewall rule is being used for.  I know that it is currently
> > possible to add "tags" to firewall rules, but that seems suboptimal from an
> > ease-of-use standpoint.
> >
> > Would it be feasible to add a "comment" or "description" field for firewall
> > rules in advanced zones?  It could be added as an extra DB column, and
> > appear in the UI and listFirewallRules API call (unless it's left blank).
> > In theory the description/comment could also be added to the IPtables rule
> > on the VR.
> >
> > This could probably also be applied to security groups.
> >
> >
> > Thoughts, comments?
>
>

Re: Potential feature: Firewall comments

Posted by Logan Barfield <lb...@tqhosting.com>.
On this same note:  Is there currently a way to add DROP rules to the VR
firewall?  I know you can add a default allow egress policy and block
specific things, but that doesn't help for incoming threats.

For instance if you want to allow public access to a web server (port 80),
but want to block a particular attacker's IP or subnet.  Right now you have
to set up a second level firewall on the VM itself for this.

Would it be feasible to add a "Deny" option to the firewall API?


Thank You,

Logan Barfield
Tranquil Hosting

On Mon, Dec 15, 2014 at 11:49 PM, Jayapal Reddy Uradi <jayapalreddy.uradi@citrix.com> wrote:
>
> +1
>
> When there is a large set of rules, it will be useful.
>
> Thanks,
> Jayapal
> On 16-Dec-2014, at 4:17 AM, Logan Barfield <lb...@tqhosting.com> wrote:
>
> > Currently in the UI and API it can be difficult to tell what exactly a
> > particular firewall rule is being used for.  I know that it is currently
> > possible to add "tags" to firewall rules, but that seems suboptimal from an
> > ease-of-use standpoint.
> >
> > Would it be feasible to add a "comment" or "description" field for firewall
> > rules in advanced zones?  It could be added as an extra DB column, and
> > appear in the UI and listFirewallRules API call (unless it's left blank).
> > In theory the description/comment could also be added to the IPtables rule
> > on the VR.
> >
> > This could probably also be applied to security groups.
> >
> >
> > Thoughts, comments?
>
>
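
Added example, not part of the thread and not CloudStack code: one way the proposed description field and "Deny" option could be rendered into iptables arguments, with the user-supplied description validated before it becomes a rule comment and deny rules placed ahead of allow rules. The rule dictionary fields, the FORWARD chain and the allowed character set are assumptions made for illustration.

```python
import ipaddress
import string

MAX_COMMENT = 255  # the iptables comment match holds 256 bytes, terminator included
ALLOWED = set(string.ascii_letters + string.digits + " .,:_-/#()")
TARGETS = {"allow": "ACCEPT", "deny": "DROP"}


def clean_description(text):
    """Validate a user-supplied description before it reaches the router."""
    if len(text) > MAX_COMMENT:
        raise ValueError("description longer than the iptables comment limit")
    bad = set(text) - ALLOWED
    if bad:
        raise ValueError("unsupported characters: %r" % sorted(bad))
    return text


def to_iptables_argv(rule, chain="FORWARD"):
    """Turn one rule dict into an argv list; no shell string is ever built."""
    cidr = str(ipaddress.ip_network(rule["cidr"], strict=False))
    port = int(rule["port"])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    argv = ["iptables", "-A", chain, "-s", cidr, "-p", "tcp", "--dport", str(port)]
    desc = rule.get("description", "")
    if desc:  # a blank description is simply left out of the rule
        argv += ["-m", "comment", "--comment", clean_description(desc)]
    return argv + ["-j", TARGETS[rule["action"]]]


def render(rules, chain="FORWARD"):
    """Emit deny rules first: iptables stops at the first matching rule, so a
    DROP appended after a broader ACCEPT for the same port is never reached."""
    ordered = sorted(rules, key=lambda r: r["action"] != "deny")  # stable sort
    return [to_iptables_argv(r, chain) for r in ordered]


# Constructed sample rules (203.0.113.0/24 is a documentation range).
SAMPLE = [
    {"cidr": "0.0.0.0/0", "port": 80, "action": "allow", "description": "public web server"},
    {"cidr": "203.0.113.0/24", "port": 80, "action": "deny", "description": "abusive subnet #1234"},
]

if __name__ == "__main__":
    for argv in render(SAMPLE):
        print(" ".join(argv))
```
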

Re: Potential feature: Firewall comments

Posted by Jayapal Reddy Uradi <ja...@citrix.com>.
+1

When there is a large set of rules, it will be useful.

Thanks,
Jayapal
On 16-Dec-2014, at 4:17 AM, Logan Barfield <lb...@tqhosting.com> wrote:

> Currently in the UI and API it can be difficult to tell what exactly a
> particular firewall rule is being used for.  I know that it is currently
> possible to add "tags" to firewall rules, but that seems suboptimal from an
> ease-of-use standpoint.
> 
> Would it be feasible to add a "comment" or "description" field for firewall
> rules in advanced zones?  It could be added as an extra DB column, and
> appear in the UI and listFirewallRules API call (unless it's left blank).
> In theory the description/comment could also be added to the IPtables rule
> on the VR.
> 
> This could probably also be applied to security groups.
> 
> 
> Thoughts, comments?