I am running CS 4.0.0 on KVM. I have a basic zone with a network offering providing DHCP and USERDATA only.
When I create a new instance I get the following iptables rules:

Chain i-2-18-VM (1 references)
target        prot opt source               destination
DROP          all  --  anywhere             anywhere

Chain i-2-18-VM-eg (1 references)
target        prot opt source               destination

Chain i-2-18-def (2 references)
target        prot opt source               destination
ACCEPT        all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT        udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet13 --physdev-is-bridged udp spt:bootpc dpt:bootps
ACCEPT        udp  --  anywhere             anywhere             PHYSDEV match --physdev-out vnet13 --physdev-is-bridged udp spt:bootps dpt:bootpc
RETURN        udp  --  10.28.175.130        anywhere             PHYSDEV match --physdev-in vnet13 --physdev-is-bridged udp dpt:domain
i-2-18-VM-eg  all  --  10.28.175.130        anywhere             PHYSDEV match --physdev-in vnet13 --physdev-is-bridged
i-2-18-VM     all  --  anywhere             anywhere             PHYSDEV match --physdev-out vnet13 --physdev-is-bridged

I can't ping or ssh to the guest until I remove the DROP line. I obviously want to avoid this step every time I spin up a new instance, and I can't add rules to the default security group as I don't have one. I want completely unrestricted access to these guests from first boot, and I was under the impression that not having security groups would provide this. Please confirm if this is the case!

I have also changed (and changed back) the global setting "network.securitygroups.defaultadding" to false, but that seemingly had no impact.

In other news, I also got the following rules added initially, which stop things like console services from working. "public" is the bridge name, so I presume that is:

Chain FORWARD (policy ACCEPT)
target        prot opt source               destination
BF-public     all  --  anywhere             anywhere             PHYSDEV match --physdev-is-bridged
BF-public     all  --  anywhere             anywhere             PHYSDEV match --physdev-is-bridged
DROP          all  --  anywhere             anywhere
DROP          all  --  anywhere             anywhere

If I comment out the following in the configuration file then everything works:

-A FORWARD -o public -j DROP
-A FORWARD -i public -j DROP

I'd like to remove this manual step if at all possible though. Any help much appreciated.
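A small audit script, added here as an example and not part of the original post or of CloudStack, that parses an `iptables -L` listing and reports guest chains (`i-<account>-<id>-VM`) whose ingress path is an unconditional DROP, which is exactly why ping and ssh fail until that rule goes. The sample text is the post's own output reflowed one rule per line; the chain-naming pattern is taken from that output.

```python
import re

# Constructed sample: the `iptables -L` output quoted in the post, one rule per line.
SAMPLE = """\
Chain i-2-18-VM (1 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain i-2-18-def (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vnet13 --physdev-is-bridged udp spt:bootpc dpt:bootps
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-out vnet13 --physdev-is-bridged udp spt:bootps dpt:bootpc
RETURN udp -- 10.28.175.130 anywhere PHYSDEV match --physdev-in vnet13 --physdev-is-bridged udp dpt:domain
i-2-18-VM-eg all -- 10.28.175.130 anywhere PHYSDEV match --physdev-in vnet13 --physdev-is-bridged
i-2-18-VM all -- anywhere anywhere PHYSDEV match --physdev-out vnet13 --physdev-is-bridged
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(")      # "(N references)" or "(policy ACCEPT)"
VM_CHAIN_RE = re.compile(r"^i-\d+-\d+-VM$")     # per-guest ingress chain, as seen in the post

def parse_chains(text):
    """Parse `iptables -L` output into {chain: [(target, proto, src, dst, extra), ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            target, proto, _opt, src, dst, *extra = line.split(None, 5)
            chains[current].append((target, proto, src, dst, extra[0] if extra else ""))
    return chains

def unconditional_drop(rules):
    """True if a rule drops every protocol from anywhere to anywhere with no extra match."""
    return any(r == ("DROP", "all", "anywhere", "anywhere", "") for r in rules)

def isolated_guests(chains):
    """Guest chains that blackhole new inbound traffic: the i-*-VM chain holds an unconditional
    DROP and its -def chain jumps there for packets heading to the guest's vnet (--physdev-out)."""
    hits = []
    for name, rules in chains.items():
        if VM_CHAIN_RE.match(name) and unconditional_drop(rules):
            defchain = chains.get(name[:-3] + "-def", [])   # i-2-18-VM -> i-2-18-def
            if any(r[0] == name and "--physdev-out" in r[4] for r in defchain):
                hits.append(name)
    return hits

if __name__ == "__main__":
    print(isolated_guests(parse_chains(SAMPLE)))  # ['i-2-18-VM']
```

On a live host, feed it `iptables -L` output instead of SAMPLE; only RELATED,ESTABLISHED and the DHCP rules in the -def chain are evaluated before the jump, so any chain it lists cannot accept a new ssh or ICMP session.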