Posted to issues@cloudstack.apache.org by "Kishan Kavala (JIRA)" <ji...@apache.org> on 2013/07/02 13:12:21 UTC

[jira] [Resolved] (CLOUDSTACK-3129) NTier: All Outgoing Traffic between Tiers and various gateways/tiers is currently allowed by default contrary to behavior mentioned in the Design Document

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-3129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kishan Kavala resolved CLOUDSTACK-3129.
---------------------------------------

    Resolution: Fixed

Default behavior is not changed from 4.1.

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Inter-VLAN+Routing

"By default, all incoming traffic to guest networks is blocked. To open the ports, new network ACL has to be created. Network ACLs can be created for the Guest networks only when NetworkACL service is supported.

all outgoing traffic from guest networks is allowed, once you add an ACL rule for outgoing traffic, then only outgoing traffic specified in this ACL rule is allowed, the rest is blocked"

I've updated the spec https://cwiki.apache.org/confluence/display/CLOUDSTACK/Support+ACL+deny+rules to reflect the above behavior.

> NTier: All Outgoing Traffic between Tiers and various gateways/tiers is currently allowed by default contrary to behavior mentioned in the Design Document
> ----------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3129
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3129
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>            Reporter: Chandan Purushothama
>            Assignee: Kishan Kavala
>            Priority: Critical
>             Fix For: 4.2.0
>
>
> ======================
> On The VPC Virtual Router:
> ======================
> root@r-3-NTIERAGN:~# iptables-save | grep ACL
> :ACL_OUTBOUND_eth2 - [0:0]
> :ACL_OUTBOUND_eth3 - [0:0]
> -A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
> -A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -j ACCEPT
> -A ACL_OUTBOUND_eth3 -j ACCEPT
> :ACL_INBOUND_eth2 - [0:0]
> :ACL_INBOUND_eth3 - [0:0]
> -A FORWARD -d 192.168.10.0/24 -o eth3 -j ACL_INBOUND_eth3
> -A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -j DROP
> -A ACL_INBOUND_eth3 -j DROP
> root@r-3-NTIERAGN:~#
> ========================
> Network Information of eth3 NIC:
> ========================
> mysql> select * from networks where id=208 \G
> *************************** 1. row ***************************
>                    id: 208
>                  name: Atoms-VPC-Net-2
>                  uuid: c81066f7-f3ed-4aab-8f86-be8d3bab32ed
>          display_text: Atoms-VPC-Net-2
>          traffic_type: Guest
> broadcast_domain_type: Vlan
>         broadcast_uri: vlan://2580
>               gateway: 192.168.11.1
>                  cidr: 192.168.11.0/24
>                  mode: Dhcp
>   network_offering_id: 12
>   physical_network_id: 200
>        data_center_id: 1
>             guru_name: ExternalGuestNetworkGuru
>                 state: Implemented
>               related: 208
>             domain_id: 1
>            account_id: 3
>                  dns1: NULL
>                  dns2: NULL
>             guru_data: NULL
>            set_fields: 0
>              acl_type: Account
>        network_domain: atomsvpcnet1.lab.vmops.com
>        reservation_id: 175f7abb-a55b-4932-b394-24137ee1203b
>            guest_type: Isolated
>      restart_required: 0
>               created: 2013-06-21 21:24:45
>               removed: NULL
>     specify_ip_ranges: 0
>                vpc_id: 1
>           ip6_gateway: NULL
>              ip6_cidr: NULL
>          network_cidr: NULL
>       display_network: 1
>        network_acl_id: NULL
> 1 row in set (0.00 sec)
> mysql>
> ==============================================================
> As per the FS at https://cwiki.apache.org/CLOUDSTACK/support-acl-deny-rules.html:
> ==============================================================
> ACL Deny Rules
> Currently only ACL allow rules are supported as part of Network ACLs. Default is to block all incoming and all outgoing traffic between tiers and between tiers and various gateways (including Public). ACL deny rules will be supported through this feature. New fields "number" and "action" will be added to rules to resolve conflicting rules.
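As an added example (not code from this issue or from CloudStack itself), a small audit script that parses the "iptables-save | grep ACL" output quoted above and reports, per tier ACL chain, the CIDR it guards and the disposition a packet gets when no specific rule matches, flagging outbound chains that are still default-allow. The IPTABLES_SAVE constant is the quoted router output embedded as constructed sample input; the audit_acl_chains and default_allow_outbound functions are hypothetical names chosen here.

```python
import re
from typing import Dict, List

# Constructed sample: the "iptables-save | grep ACL" output quoted in the issue.
IPTABLES_SAVE = """\
:ACL_OUTBOUND_eth2 - [0:0]
:ACL_OUTBOUND_eth3 - [0:0]
-A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
-A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth3 -j ACCEPT
:ACL_INBOUND_eth2 - [0:0]
:ACL_INBOUND_eth3 - [0:0]
-A FORWARD -d 192.168.10.0/24 -o eth3 -j ACL_INBOUND_eth3
-A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j DROP
-A ACL_INBOUND_eth3 -j DROP
"""

# "-A <chain> <match options> -j <target>"; match options may be empty.
RULE_RE = re.compile(r"^-A (\S+)(.*?) -j (\S+)$")


def audit_acl_chains(dump: str) -> Dict[str, dict]:
    """Per ACL_* chain: tier CIDR, rule count, and the disposition a packet
    gets when no specific rule matches (RETURN = falls back to the caller)."""
    chains: Dict[str, dict] = {}
    for line in dump.splitlines():
        if line.startswith(":ACL_"):  # chain declaration ":NAME - [pkts:bytes]"
            chains[line[1:].split()[0]] = {"cidr": None, "rules": 0, "default": "RETURN"}
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        chain, matches, target = m.group(1), m.group(2).split(), m.group(3)
        if target in chains:
            # Hook rule in PREROUTING/FORWARD: the non-negated -s/-d CIDR names the tier.
            for flag in ("-s", "-d"):
                if flag in matches:
                    idx = matches.index(flag)
                    if not (idx > 0 and matches[idx - 1] == "!"):
                        chains[target]["cidr"] = matches[idx + 1]
                        break
        elif chain in chains:
            chains[chain]["rules"] += 1
            if not matches and chains[chain]["default"] == "RETURN":
                chains[chain]["default"] = target  # first unconditional terminal rule
    return chains


def default_allow_outbound(chains: Dict[str, dict]) -> List[str]:
    """Outbound chains whose only rule is an unconditional ACCEPT."""
    return sorted(c for c, info in chains.items()
                  if c.startswith("ACL_OUTBOUND_") and info["rules"] == 1
                  and info["default"] == "ACCEPT")
```

Running audit_acl_chains on the quoted output reports both ACL_OUTBOUND chains as default ACCEPT and both ACL_INBOUND chains as default DROP, which is exactly the default-allow egress the reporter observed.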
