You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cloudstack.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2013/05/16 05:55:15 UTC

[jira] [Commented] (CLOUDSTACK-2509) [Cisco VNMC]No way to block incoming traffic as ACL created with PF/Static Nat is Source is Any

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-2509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13659199#comment-13659199 ] 

ASF subversion and git services commented on CLOUDSTACK-2509:
-------------------------------------------------------------

Commit 5511eb241af775efa59d4fdeb597d2b335b50739 in branch refs/heads/master from [~koushikd]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=5511eb2 ]

CLOUDSTACK-2509: [Cisco VNMC]No way to block incoming traffic as ACL created with PF/Static Nat is Source is Any
No longer creating firewall rule as part of PF/Static NAT rule creation. Now firewall rule needs to be configured separately.
Also made some changes to exception handling.

                
> [Cisco VNMC]No way to block incoming traffic as ACL created with PF/Static Nat is Source is Any 
> ------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-2509
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2509
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Devices
>    Affects Versions: 4.2.0
>            Reporter: Sailaja Mada
>            Assignee: Koushik Das
>             Fix For: 4.2.0
>
>         Attachments: ACLVNMC.png
>
>
> Setup: Advanced Networking Zone, Nexus 1000v VMWARE cluster , CISCO VNMC as PF/Static Nat/Source Nat/Firewall provider 
> Observation:
> 1. Created Network Offering with  CISCO VNMC as PF/Static Nat/Source Nat/Firewall provider 
> 2. Create Guest Network with above offering and deploy instance using this network
> 3. Configure PF rule with 22 TCP port and add above deployed VM
> 4. Access VNMC and verify the ACL's created @ policy Management dash board with this VLAN tenant. 
> Observation :
> 1.There is an ACL with Source as any Destination as the VM with specific port. 
> 2. With the current implementation of CISCO ASA firewall , we allow all the incoming traffic with the specific ports being open thru PF/Static NAT
> 3. There is no way to block incoming traffic as ACL created with PF/Static Nat is Source is Any .

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira