Chiradeep,

Network engineers would expect to see ALLOW and BLOCK rule flexibility, but in most cases a default DENY ALL rule is the last rule in a set (with only ALLOW rules above it). In my experience, it's usually only the more complex FW policies that use BLOCK statements to selectively undo prior ALLOW statements.

This is something I've struggled with personally in the past (as a designer of FW automation). The question for us is if the flexibility is worth the complexity. IMO, you can always achieve the same results using either approach (ALLOW only above the default DENY ALL, or BLOCK and ALLOW statements intermingled). My preference would be to have it, though. That flexibility isn't something that a user HAS to take advantage of... but it's useful when it's needed.

-chip

On Sun, Oct 21, 2012 at 12:57 AM, Chiradeep Vittal <chiradeep.vit...@citrix.com> wrote:
> Jayapal, Nilesh, these are useful comments.
> BLOCK rules can be useful, in which case you would need ordering between
> BLOCK and ALLOW rules.
> If I were a network engineer used to using Cisco or other firewalls, what
> would I expect to see in this regard?
>
> On 10/15/12 1:50 AM, "Jayapal Reddy Uradi" <jayapalreddy.ur...@citrix.com>
> wrote:
>
>> Hi Nilesh,
>>
>> Please find my inline comments.
>>
>> Thanks,
>> Jayapal
>>
>> From: Nilesh Vishwakarma
>> Sent: Thursday, October 11, 2012 6:37 PM
>> To: Jayapal Reddy Uradi
>> Cc: cloudstack-dev@incubator.apache.org
>> Subject: "Egress Firewall Rules" feature FS
>>
>> Hey,
>>
>> My review comments on "Egress Firewall Rules" feature FS:
>>
>> 1. Let me know whether we are using CreateFirewall API or NetworkACL to
>> implement firewall rule
>> - There is a discussion in the community about which API to use. I will
>> update the spec once the discussion is closed.
>> 2. How can I block the communication with a particular subnet? As in, if I
>> want to block communication ONLY with some IP range and allow the rest of
>> the communication, would it be possible?
>> - It is not possible. There are only rules to ALLOW.
>> 3. Can we have a BLOCK rule which can block communication with a specified IP
>> range?
>> - We can have only ALLOW rules. The egress rules are ALLOW only and the
>> remaining traffic is blocked.
>>
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network
>>
>> -Thanks,
>> Nilesh
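As an added example, not code from this thread or from CloudStack, the following Python evaluator checks the claim made above that an ALLOW-only list above a default DENY ALL and an ordered ALLOW/BLOCK list can express the same policy. It evaluates both styles with first-match semantics, rewrites an ordered mixed list into an equivalent ALLOW-only list by subtracting the address space earlier rules already claimed, and probes both against constructed sample addresses (Nilesh's "block ONLY one range, allow the rest" case, and a variant where an ALLOW punches a hole in a later BLOCK). Rules match on destination CIDR only; the rule sets, probe addresses and function names are assumptions made for illustration.

```python
"""Compare two egress policy styles under a default DENY ALL:
(a) ALLOW-only rules, and (b) ordered ALLOW/BLOCK rules, first match wins.
Added example; rules match on destination CIDR only (ports/protocols omitted).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str        # "ALLOW" or "BLOCK"
    dst: IPv4Network   # destination CIDR the rule applies to


def rule(action: str, cidr: str) -> Rule:
    return Rule(action, ip_network(cidr))


def evaluate(rules, dst_ip: str, default: str = "BLOCK") -> str:
    """First matching rule decides; unmatched traffic hits the default DENY ALL."""
    ip = ip_address(dst_ip)
    for r in rules:
        if ip in r.dst:
            return r.action
    return default


def _subtract(nets, other):
    """Remove `other` from every CIDR in `nets`. Two CIDR blocks are either
    disjoint or one contains the other, so only those cases need handling."""
    out = []
    for n in nets:
        if not n.overlaps(other):
            out.append(n)
        elif n.subnet_of(other):
            pass  # n lies entirely inside other: nothing is left of it
        else:
            out.extend(n.address_exclude(other))
    return out


def to_allow_only(rules):
    """Rewrite an ordered ALLOW/BLOCK list as an ALLOW-only list with the same
    behaviour under default BLOCK. Each ALLOW rule keeps only the address space
    that no earlier rule (ALLOW or BLOCK) already matched, since first match wins."""
    claimed = []
    allow_only = []
    for r in rules:
        remaining = [r.dst]
        for c in claimed:
            remaining = _subtract(remaining, c)
        if r.action == "ALLOW":
            allow_only.extend(Rule("ALLOW", n) for n in sorted(remaining))
        claimed.append(r.dst)
    return allow_only


def equivalent(rules_a, rules_b, probes) -> bool:
    """True if both rule sets give the same verdict for every probe address."""
    return all(evaluate(rules_a, p) == evaluate(rules_b, p) for p in probes)


# Constructed samples (hypothetical ranges, not from the thread).
# Nilesh's case: block ONLY one range and allow everything else.
MIXED = [rule("BLOCK", "10.1.2.0/24"), rule("ALLOW", "0.0.0.0/0")]
# Ordering matters: an ALLOW above the BLOCK punches a /28 hole in it.
ORDERED = [rule("ALLOW", "10.1.2.0/28"),
           rule("BLOCK", "10.1.2.0/24"),
           rule("ALLOW", "0.0.0.0/0")]
PROBES = ["10.1.2.5", "10.1.2.200", "10.1.3.1", "8.8.8.8"]

if __name__ == "__main__":
    for name, rs in (("MIXED", MIXED), ("ORDERED", ORDERED)):
        ao = to_allow_only(rs)
        print(f"{name}: {len(ao)} ALLOW-only rules, equivalent={equivalent(rs, ao, PROBES)}")
        for p in PROBES:
            print(f"  {p:12} mixed={evaluate(rs, p):5} allow_only={evaluate(ao, p)}")
```

The rewrite shows the trade-off chip describes: the two-rule MIXED policy becomes 24 ALLOW rules once expressed ALLOW-only, because the complement of one /24 in 0.0.0.0/0 has to be enumerated as CIDR blocks. Both styles decide identically, but a BLOCK rule with ordering is the far more readable way to state "everything except this range".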