Looks like a bug where egress is blocked. I believe you need to raise a ticket for this.
On Tue, Feb 5, 2013 at 3:18 PM, Nick Wales <n...@nickwales.co.uk> wrote:
> I am running CS 4.0.0 running KVM. I have a basic zone with a network
> offering providing DHCP and USERDATA only.
>
> When I create a new instance I get the following iptables rules:
>
> Chain i-2-18-VM (1 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
>
> Chain i-2-18-VM-eg (1 references)
> target prot opt source destination
>
> Chain i-2-18-def (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere PHYSDEV match
> --physdev-in vnet13 --physdev-is-bridged udp spt:bootpc dpt:bootps
> ACCEPT udp -- anywhere anywhere PHYSDEV match
> --physdev-out vnet13 --physdev-is-bridged udp spt:bootps dpt:bootpc
> RETURN udp -- 10.28.175.130 anywhere PHYSDEV match
> --physdev-in vnet13 --physdev-is-bridged udp dpt:domain
> i-2-18-VM-eg all -- 10.28.175.130 anywhere PHYSDEV
> match --physdev-in vnet13 --physdev-is-bridged
> i-2-18-VM all -- anywhere anywhere PHYSDEV match
> --physdev-out vnet13 --physdev-is-bridged
>
> I can't ping or ssh to the guest until I remove the DROP line. I obviously
> want to avoid this step every time I spin up a new instance and I can't add
> rules to the default security group as I don't have one. I want completely
> unrestricted access to these guests from first boot and I was under the
> impression not having security groups would provide this. Please confirm if
> this is the case!
>
> I have also changed and changed back the global setting:
> "network.securitygroups.defaultadding" to false but that had seemingly no
> impact.
>
>
> In other news I also got the following rules added initially, which stop
> things like console services from working. "public" is the bridge name so I
> presume that is
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> BF-public all -- anywhere anywhere PHYSDEV match
> --physdev-is-bridged
> BF-public all -- anywhere anywhere PHYSDEV match
> --physdev-is-bridged
> DROP all -- anywhere anywhere
> DROP all -- anywhere anywhere
>
> If I comment out the following in the configuration file then everything
> works.
> -a FORWARD -o public -j DROP
> -a FORWARD -i public -j DROP
>
> I'd like to remove this manual step if at all possible though.
>
> Any help much appreciated.