Jayapal, Nilesh, these are useful comments. BLOCK rules can be useful, in which case you would need ordering between BLOCK and ALLOW rules. If I were a network engineer used to using Cisco or other firewalls, what would I expect to see in this regard?
On 10/15/12 1:50 AM, "Jayapal Reddy Uradi" <jayapalreddy.ur...@citrix.com> wrote:

>Hi Nilesh,
>
>Please find my inline comments.
>
>Thanks,
>Jayapal
>
>From: Nilesh Vishwakarma
>Sent: Thursday, October 11, 2012 6:37 PM
>To: Jayapal Reddy Uradi
>Cc: cloudstack-dev@incubator.apache.org
>Subject: "Egress Firewall Rules" feature FS
>
>Hey,
>
>My review comments on "Egress Firewall Rules" feature FS:
>
>1. Let me know whether we are using CreateFirewall API or NetworkACL to implement firewall rule
>- There is a discussion in the community about which API to use. I will update the spec once the discussion is closed.
>2. How can I block the communication with particular subnet? As in if I want to block communication ONLY with some IP range and allow the rest of the communication, would it be possible?
>- It is not possible. There are only rules to ALLOW.
>3. Can we have BLOCK rule which can block communication with specified IP range?
>- We can have only ALLOW rules. Only traffic matching the egress rules is allowed, and the remaining traffic is blocked.
>
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network
>
>-Thanks,
>Nilesh
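The ordering question raised in this thread, as an added example that is not part of the original messages or of CloudStack's own code: a small Python model of ordered, first-match egress evaluation with a default BLOCK, beside the ALLOW-only model the spec describes. It shows that "block one subnet, allow the rest" needs either BLOCK rules with a defined order (the same two rules reversed give the opposite answer) or an enumerated complement of ALLOW rules. The Rule class, the helper names and the sample CIDRs are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                  # "ALLOW" or "BLOCK"
    cidr: str                    # destination network the rule applies to
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    ports: Tuple[int, int] = ()  # inclusive port range; () means any port

    def matches(self, dst: str, proto: str, port: int) -> bool:
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.cidr):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.ports and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True

def evaluate(rules: List[Rule], dst: str, proto: str = "tcp", port: int = 80,
             default: str = "BLOCK") -> str:
    """Ordered, first-match evaluation. Unmatched traffic gets the default
    action, mirroring the spec: egress not explicitly allowed is blocked."""
    for rule in rules:
        if rule.matches(dst, proto, port):
            return rule.action
    return default

def complement_allow_rules(blocked_cidr: str) -> List[Rule]:
    """ALLOW-only equivalent of 'block this subnet, allow the rest': one
    ALLOW rule per CIDR of 0.0.0.0/0 that does not overlap blocked_cidr."""
    everything = ipaddress.ip_network("0.0.0.0/0")
    blocked = ipaddress.ip_network(blocked_cidr)
    return [Rule("ALLOW", str(n)) for n in everything.address_exclude(blocked)]

# Constructed sample policy: block one subnet, allow everything else.
BLOCKED = "10.1.2.0/24"
ORDERED_OK = [Rule("BLOCK", BLOCKED), Rule("ALLOW", "0.0.0.0/0")]
ORDERED_WRONG = list(reversed(ORDERED_OK))  # same rules, ALLOW evaluated first
ALLOW_ONLY = complement_allow_rules(BLOCKED)

if __name__ == "__main__":
    for name, policy in [("ordered", ORDERED_OK), ("reversed", ORDERED_WRONG),
                         ("allow-only", ALLOW_ONLY)]:
        print(name, len(policy), "rules:", evaluate(policy, "10.1.2.7"),
              evaluate(policy, "203.0.113.9"))
```

The reversed policy is the trap a Cisco-style ACL user would expect the ordering to avoid: with ALLOW first, the BLOCK rule is never reached.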