Re: Egress Firewall Rules feature FS
Chiradeep,

Network engineers would expect to see ALLOW and BLOCK rule flexibility, but in most cases a default DENY ALL rule is the last rule in a set (with only ALLOW rules above it). In my experience, it's usually only the more complex FW policies that use BLOCK statements to selectively undo prior ALLOW statements. This is something I've struggled with personally in the past (as a designer of FW automation). The question for us is if the flexibility is worth the complexity. IMO, you can always achieve the same results using either approach (ALLOW only above the default DENY ALL, or BLOCK and ALLOW statements inter-mingled). My preference would be to have it though. That flexibility isn't something that a user HAS to take advantage of... but it's useful when it's needed.

-chip

On Sun, Oct 21, 2012 at 12:57 AM, Chiradeep Vittal chiradeep.vit...@citrix.com wrote:

Jayapal, Nilesh, these are useful comments. BLOCK rules can be useful, in which case you would need ordering between BLOCK and ALLOW rules. If I were a network engineer used to using Cisco or other firewalls, what would I expect to see in this regard?

On 10/15/12 1:50 AM, Jayapal Reddy Uradi jayapalreddy.ur...@citrix.com wrote:

Hi Nilesh,

Please find my inline comments.

Thanks,
Jayapal

From: Nilesh Vishwakarma
Sent: Thursday, October 11, 2012 6:37 PM
To: Jayapal Reddy Uradi
Cc: cloudstack-dev@incubator.apache.org
Subject: Egress Firewall Rules feature FS

Hey,

My review comments on Egress Firewall Rules feature FS:

1. Let me know whether we are using the CreateFirewall API or NetworkACL to implement firewall rules.
- There is a discussion in the community about which API to use. I will update the spec once the discussion is closed.

2. How can I block the communication with a particular subnet? As in, if I want to block communication ONLY with some IP range and allow the rest of the communication, would it be possible?
- It is not possible. There are only rules to ALLOW.

3. Can we have a BLOCK rule which can block communication with a specified IP range?
- We can have only ALLOW rules. Only the egress rules are allowed and the remaining traffic is blocked.

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network

Thanks,
Nilesh
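Chip's point that an ordered BLOCK/ALLOW set and an ALLOW-only set above a default DENY ALL can express the same policy, shown with a constructed first-match evaluator and a general converter from the mixed form to the ALLOW-only form (an added example, not CloudStack code or anything written by the thread's participants). The Rule type, the rule()/evaluate()/to_allow_only()/same_verdicts() helpers and the 10.0.5.0/24 range are assumptions made up for the illustration; the converter handles any ordered list, not only Nilesh's "block one range, allow the rest" case.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed illustration (not CloudStack code) of the ordering question raised
# in the thread: first-match egress rule sets with an implicit DENY ALL tail.
@dataclass(frozen=True)
class Rule:
    action: str                   # "ALLOW" or "BLOCK"
    dst: ipaddress.IPv4Network    # destination prefix the rule matches

def rule(action: str, cidr: str) -> Rule:
    return Rule(action, ipaddress.ip_network(cidr))

def evaluate(rules: List[Rule], dst_ip: str) -> str:
    """First matching rule wins; unmatched traffic hits the default DENY ALL."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if ip in r.dst:
            return r.action
    return "BLOCK"

def to_allow_only(rules: List[Rule]) -> List[Rule]:
    """Rewrite an ordered ALLOW/BLOCK list into ALLOW-only rules with the same
    verdicts: under first-match a BLOCK only cuts ALLOW prefixes placed after it."""
    out: List[Rule] = []
    blocked: List[ipaddress.IPv4Network] = []
    for r in rules:
        if r.action == "BLOCK":
            blocked.append(r.dst)
            continue
        pieces = [r.dst]
        for b in blocked:                  # two prefixes either nest or are disjoint
            cut = []
            for p in pieces:
                if p.subnet_of(b):         # already blocked entirely: drop
                    continue
                if b.subnet_of(p):         # hole inside p: carve it out
                    cut.extend(p.address_exclude(b))
                else:                      # disjoint: unaffected
                    cut.append(p)
            pieces = cut
        out.extend(Rule("ALLOW", p) for p in pieces)
    return out

def same_verdicts(a: List[Rule], b: List[Rule], ips: List[str]) -> bool:
    return all(evaluate(a, ip) == evaluate(b, ip) for ip in ips)

MIXED = [rule("BLOCK", "10.0.5.0/24"), rule("ALLOW", "0.0.0.0/0")]  # Nilesh's case
ALLOW_ONLY = to_allow_only(MIXED)   # 24 ALLOW prefixes covering the complement
```

The price of the ALLOW-only form is visible in the output: one BLOCK line becomes 24 ALLOW prefixes, which is the complexity trade-off the reply describes.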