Posted to issues@cloudstack.apache.org by "Sheng Yang (JIRA)" <ji...@apache.org> on 2013/12/05 04:01:37 UTC
[jira] [Commented] (CLOUDSTACK-5297) RemoteVPNonVPC : VPN Access is not respecting the ACL INBOUND chain rules of the Network Tiers
[ https://issues.apache.org/jira/browse/CLOUDSTACK-5297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13839744#comment-13839744 ]
Sheng Yang commented on CLOUDSTACK-5297:
----------------------------------------
The ACL_INBOUND rule is applied after the VPN forward rule, which would allow all the VPN connections.
Working on a fix.
> RemoteVPNonVPC : VPN Access is not respecting the ACL INBOUND chain rules of the Network Tiers
> -----------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-5297
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5297
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Management Server
> Affects Versions: 4.3.0
> Reporter: Chandan Purushothama
> Assignee: Sheng Yang
> Priority: Critical
> Fix For: 4.3.0
>
>
> Remote VPN Access to a VPC is not respecting the ACL INBOUND chain rules of the Network Tiers in the VPC.
> Steps to Reproduce:
> 1. Deploy a VPC with a network tier in it. Deploy a VM in the network tier. Locate the router/public IP for the VPC and enable Remote Access VPN on it.
> 2. Note the preshared key.
> 3. Create a VPN user using the addVpnUser API (using a valid username and password).
> 4. From a standalone Linux machine, configure the VPN to point to the public IP address.
> 5. Add a DENY ACL rule on ALL protocols to the network tier's ACL list such that it blocks SSH access to the client's network.
> 6. SSH (using PuTTY or any other terminal client) to the VM in the network tier provisioned earlier.
> I am able to successfully SSH into the VM in spite of the DROP rules in the ACL INBOUND chain.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
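The rule-ordering problem Sheng Yang describes, as an added example that is neither from this page nor from CloudStack's own virtual router scripts: a POSIX shell script that models first-match evaluation of an iptables FORWARD chain over a constructed `iptables -S`-style rule dump, and an audit check that flags a VPN ACCEPT rule placed ahead of the ACL_INBOUND jump. The interface names (ppp+ for remote access VPN client links, eth2 for the tier side), the chain layout, the tcp/22 DROP rule standing in for the reporter's deny-all ACL, and the "corrected" ordering are all assumptions made for illustration; the actual fix that closed the issue is not on this page.

```shell
#!/bin/sh
# Added example: model the iptables FORWARD chain ordering behind CLOUDSTACK-5297.
# All rule text and interface names below are constructed for illustration;
# they are not taken from a CloudStack virtual router.

# Ordering as described in the comment: the remote access VPN rule (assumed
# here to match the ppp+ client interfaces) accepts forwarded traffic before
# the jump into ACL_INBOUND, so the tier ACL is never consulted for VPN clients.
BUGGY_RULES='-P FORWARD DROP
-N ACL_INBOUND
-A FORWARD -i ppp+ -j ACCEPT
-A FORWARD -o eth2 -j ACL_INBOUND
-A ACL_INBOUND -p tcp --dport 22 -j DROP
-A ACL_INBOUND -j ACCEPT'

# One corrected ordering (an assumption, not the fix that closed the issue):
# the ACL_INBOUND jump comes first, so VPN traffic bound for the tier is
# filtered by the ACL before the VPN accept rule can match.
FIXED_RULES='-P FORWARD DROP
-N ACL_INBOUND
-A FORWARD -o eth2 -j ACL_INBOUND
-A FORWARD -i ppp+ -j ACCEPT
-A ACL_INBOUND -p tcp --dport 22 -j DROP
-A ACL_INBOUND -j ACCEPT'

# Audit check: prints BYPASS when an ACCEPT rule on the VPN interface precedes
# the first ACL_INBOUND jump in FORWARD, OK otherwise.
#   $1 = rule dump in `iptables -S` syntax, $2 = VPN interface pattern (default ppp+)
check_vpn_acl_order() {
    printf '%s\n' "$1" | awk -v vpnif="${2:-ppp+}" '
        $1 == "-A" && $2 == "FORWARD" {
            n++; isvpn = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i" && $(i + 1) == vpnif) isvpn = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
                if ($i == "-j" && $(i + 1) == "ACL_INBOUND" && !acl) acl = n
            }
            if (isvpn && accept && !vpn) vpn = n
        }
        END { v = (vpn && (!acl || vpn < acl)) ? "BYPASS" : "OK"; print v }'
}

# Packet walk with iptables first-match semantics: prints the verdict (ACCEPT
# or DROP) for a forwarded packet, following -j into user chains and falling
# back to the chain policy when nothing matches. Only -i, -o, -p and --dport
# matchers are modelled.
#   $1 = rule dump, $2 = in-interface, $3 = out-interface, $4 = proto, $5 = dport
forward_verdict() {
    printf '%s\n' "$1" | awk -v iif="$2" -v oif="$3" -v proto="$4" -v dport="$5" '
        # a pattern ending in "+" matches any interface with that prefix
        function ifmatch(pat, name) {
            if (substr(pat, length(pat)) == "+")
                return index(name, substr(pat, 1, length(pat) - 1)) == 1
            return pat == name
        }
        function walk(chain,   r, i, n, ok, target, v, f) {
            for (r = 1; r <= nrules[chain]; r++) {
                ok = 1; target = ""
                n = split(rule[chain, r], f, " ")
                for (i = 1; i <= n; i++) {
                    if (f[i] == "-i" && !ifmatch(f[i + 1], iif)) ok = 0
                    if (f[i] == "-o" && !ifmatch(f[i + 1], oif)) ok = 0
                    if (f[i] == "-p" && f[i + 1] != proto) ok = 0
                    if (f[i] == "--dport" && f[i + 1] != dport) ok = 0
                    if (f[i] == "-j") target = f[i + 1]
                }
                if (!ok) continue
                if (target == "ACCEPT" || target == "DROP") return target
                if (target == "RETURN") return ""
                v = walk(target)           # user-defined chain such as ACL_INBOUND
                if (v != "") return v
            }
            return ""                      # end of chain: return to the caller
        }
        $1 == "-P" { policy[$2] = $3 }
        $1 == "-A" { c = $2; nrules[c]++; $1 = ""; $2 = ""; rule[c, nrules[c]] = $0 }
        END { v = walk("FORWARD"); if (v == "") v = policy["FORWARD"]; print v }'
}

echo "ordering check: buggy=$(check_vpn_acl_order "$BUGGY_RULES") fixed=$(check_vpn_acl_order "$FIXED_RULES")"
# The step-6 SSH from the report: VPN client (ppp0) -> tier VM (eth2), tcp/22
echo "buggy, vpn ssh to tier:  $(forward_verdict "$BUGGY_RULES" ppp0 eth2 tcp 22)"
echo "fixed, vpn ssh to tier:  $(forward_verdict "$FIXED_RULES" ppp0 eth2 tcp 22)"
echo "fixed, vpn http to tier: $(forward_verdict "$FIXED_RULES" ppp0 eth2 tcp 80)"
```

With the buggy ordering the VPN client's SSH packet is accepted by the first FORWARD rule and ACL_INBOUND is never walked, which is exactly the symptom in the report; with the ACL jump first, the same packet is dropped by the tier's DENY rule while traffic the ACL permits still gets through. On a real virtual router the audit function can be fed the live output of `iptables -S FORWARD` instead of the constructed dumps.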