On 09/10/12 7:24 PM, "Wido den Hollander" <w...@widodh.nl> wrote:
>On 10/09/2012 11:14 AM, Jayapal Reddy Uradi wrote:
>> The egress firewall rules feature will configure the egress rules for
>> guest network on VR/External firewall to ALLOW specified traffic to
>> outside and BLOCK the remaining traffic.
>>
>> By default all the traffic is ALLOWED to public network. When you
>> specify an egress rule only that rule specific traffic is allowed.
>>
>> I have created a functional spec here:
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network
>>
>> Please review and provide your comments.
>>
>
>Seems great! But why assume that we will block everything when one
>rule is set?
>
>What if somebody wants to block specific traffic and allow the rest?
>Let's say you don't want to allow IRC traffic, but do allow everything
>else?
>
>Should there be a policy setting: ALLOW/DENY?

Good if we can make it flexible.
We have to start from either block all or allow all.
The issue is that starting from default if we put the next rule of the
same nature what does that mean?
eg. Default allow-all, next rule allow traffic only to a subnet, what
does that mean? The interpretation will be that we block everything now
and allow only this traffic. And then we are in same position.
I think that what is meant here is that the starting point of allowing
all or deny all should be configurable, can it create some confusion?
-abhi
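To make the two semantics being debated concrete, here is an added illustration (not code from the thread or from CloudStack): a toy egress-rule evaluator with the spec's "any rule present means implicit deny" behaviour beside Wido's explicit ALLOW/DENY default policy. The rule tuple shape, the packet dicts and the TEST-NET addresses are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed rule model (assumption, not CloudStack's data model):
# (protocol or "any", destination CIDR, (low_port, high_port) or None)

def packet_matches(rule, pkt):
    """True if the packet's protocol, destination and port fall inside the rule."""
    proto, cidr, ports = rule
    if proto != "any" and proto != pkt["proto"]:
        return False
    if ip_address(pkt["dst"]) not in ip_network(cidr):
        return False
    if ports is not None and not (ports[0] <= pkt["dport"] <= ports[1]):
        return False
    return True

def egress_allowed_spec(rules, pkt):
    """Semantics from the functional spec as quoted: no rules -> allow all;
    as soon as any rule exists, only traffic matching some rule is allowed."""
    if not rules:
        return True
    return any(packet_matches(r, pkt) for r in rules)

def egress_allowed_policy(default_policy, rules, pkt):
    """Wido's suggestion: an explicit default. Rules are exceptions to it:
    under default ALLOW a match blocks, under default DENY a match allows."""
    matched = any(packet_matches(r, pkt) for r in rules)
    if default_policy == "ALLOW":
        return not matched
    if default_policy == "DENY":
        return matched
    raise ValueError("default_policy must be ALLOW or DENY")

# Constructed sample traffic: IRC to one host, HTTP to a host in a /24.
IRC = {"proto": "tcp", "dst": "203.0.113.5", "dport": 6667}
WEB = {"proto": "tcp", "dst": "198.51.100.10", "dport": 80}
SUBNET_WEB_RULE = ("tcp", "198.51.100.0/24", (80, 80))
IRC_RULE = ("tcp", "0.0.0.0/0", (6667, 6667))

if __name__ == "__main__":
    # Abhi's point: adding one "allow subnet" rule flips everything else to blocked.
    print(egress_allowed_spec([], IRC), egress_allowed_spec([SUBNET_WEB_RULE], IRC))
    # Wido's case: block only IRC, allow the rest.
    print(egress_allowed_policy("ALLOW", [IRC_RULE], IRC),
          egress_allowed_policy("ALLOW", [IRC_RULE], WEB))
```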