You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cloudstack.apache.org by "Sheng Yang (JIRA)" <ji...@apache.org> on 2013/12/05 04:01:37 UTC

[jira] [Commented] (CLOUDSTACK-5297) RemoteVPNonVPC : VPN Access is not respecting the ACL INBOUND chain rules of the Network Tiers

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-5297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13839744#comment-13839744 ] 

Sheng Yang commented on CLOUDSTACK-5297:
----------------------------------------

The ACL_INBOUND rule is applied after VPN forward rule, which would allow all the VPN connections.

Working on a fix.

> RemoteVPNonVPC :  VPN Access is not respecting the ACL INBOUND chain rules of the Network Tiers
> -----------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5297
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5297
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.3.0
>            Reporter: Chandan Purushothama
>            Assignee: Sheng Yang
>            Priority: Critical
>             Fix For: 4.3.0
>
>
> Remote VPN Access to a VPC is not respecting the ACL INBOUND chain rules of the Network Tiers in the VPC.
> Steps to Reproduce:
> 1. Deploy a VPC with a network tier in it. Deploy a VM in the network tier. Locate router/public ip for the VPC and enable Remote access vpn on it.
> 2. note preshared key
> 3. create a vpn user using addVpnUser API(using valid username and password)
> 4. from a standalone linux machine configure vpn to point to public ip address
> 5. Add a DENY ACL Rule on ALL protocols to network tier's ACL List such that it blocks ssh access to the client's network.
> 6. ssh (using putty or any other terminal client) to the vm in network tier provisioned earlier.
> I am able to successfully ssh into the VM inspite of the DROP rules in the ACL INBOUND chain



--
This message was sent by Atlassian JIRA
(v6.1#6144)