[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-2220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13645880#comment-13645880
 ] 

angeline shen commented on CLOUDSTACK-2220:
-------------------------------------------

MS      ACS  4.2
Host    XS  6.0.2              
SRX


1.  Clean up the SRX device by executing the following commands before adding it to the
MS advanced zone:

root@cloud-srx% cli
root@cloud-srx> configure

delete interfaces fe-0/0/2
set interfaces fe-0/0/2 vlan-tagging
delete security nat static
delete security nat destination
delete security nat proxy-arp
delete security policies from-zone untrust to-zone trust
delete security policies from-zone trust to-zone untrust

delete security zones security-zone trust address-book
delete security zones security-zone trust interfaces
set security zones security-zone trust interfaces fe-0/0/1.0
delete firewall
delete access
delete applications

set interface fe-0/0/3 unit 1230 family inet filter input untrust
set firewall filter untrust term return-traffic-tcp from tcp-established
set firewall filter untrust term return-traffic-tcp then accept
set firewall filter untrust term return-traffic-ping from icmp-type 0
set firewall filter untrust term return-traffic-ping from icmp-code 0
set firewall filter untrust term return-traffic-ping then accept
set firewall filter untrust term return-traffic-dns from protocol udp
set firewall filter untrust term return-traffic-dns from port 53
set firewall filter untrust term return-traffic-dns then accept

root# commit
commit complete

[edit]
root# commit
commit complete

2.  On the MS, create an advanced zone.  Add the SRX device.  Create a network offering
with the SRX device.

3.  As admin, deploy a VM on the SRX network with the SRX network offering -
successful.
     Acquire a public IP.  Configure firewall:  CIDR 0.0.0.0/0, ports 1 to 8090.
     Configure PF rule:  TCP, private port 22, public port 22 for this VM.
     NO EGRESS RULE for this network.

4.  ssh to the VM via the above public IP.

[ashen@localhost ~]$ ssh [email protected]
The authenticity of host '10.223.123.13 (10.223.123.13)' can't be established.
RSA key fingerprint is 5e:41:b7:1c:46:95:24:52:de:ef:bb:83:1e:40:43:28.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.223.123.13' (RSA) to the list of known hosts.
[email protected]'s password: 
Last login: Wed Jan 25 03:19:18 2012

5.  Test result:  Bug:  from this VM, egress IS NOT BLOCKED by default.

a.  From the VM, can ping www.yahoo.com

[root@z1adminsrxV1 ~]# ping www.yahoo.com
PING ds-any-fp3-real.wa1.b.yahoo.com (98.138.253.109) 56(84) bytes of data.
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=1 ttl=44 
time=829 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=2 ttl=44 
time=813 ms

--- ds-any-fp3-real.wa1.b.yahoo.com ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2335ms
rtt min/avg/max/mdev = 813.831/821.614/829.397/7.783 ms


b.  From the VM, can ping www.google.com

[root@z1adminsrxV1 ~]# ping www.google.com
PING www.google.com (74.125.236.208) 56(84) bytes of data.
64 bytes from maa03s17-in-f16.1e100.net (74.125.236.208): icmp_seq=1 ttl=42 
time=205 ms
64 bytes from maa03s17-in-f16.1e100.net (74.125.236.208): icmp_seq=2 ttl=42 
time=204 ms
64 bytes from maa03s17-in-f16.1e100.net (74.125.236.208): icmp_seq=3 ttl=42 
time=205 ms
64 bytes from maa03s17-in-f16.1e100.net (74.125.236.208): icmp_seq=4 ttl=42 
time=205 ms
64 bytes from maa03s17-in-f16.1e100.net (74.125.236.208): icmp_seq=5 ttl=42 
time=205 ms

--- www.google.com ping statistics ---
6 packets transmitted, 5 received, 16% packet loss, time 5001ms
rtt min/avg/max/mdev = 204.742/205.260/205.879/0.682 ms
[root@z1adminsrxV1 ~]# 


c.  From the VM, can ping other NFS servers in a different subnet.

[root@z1adminsrxV1 ~]# ping 10.223.110.232
PING 10.223.110.232 (10.223.110.232) 56(84) bytes of data.
64 bytes from 10.223.110.232: icmp_seq=1 ttl=60 time=1.32 ms
64 bytes from 10.223.110.232: icmp_seq=2 ttl=60 time=0.936 ms
64 bytes from 10.223.110.232: icmp_seq=3 ttl=60 time=0.915 ms

--- 10.223.110.232 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.915/1.059/1.327/0.191 ms

d.  From the VM, can ssh to an NFS server in a different subnet.

[root@z1adminsrxV1 ~]# ssh [email protected]
[email protected]'s password: 
Last login: Tue Apr 30 11:44:46 2013 from 10.223.123.62
[root@nfs2 ~]# exit
logout

e.  From the VM, can ssh to another NFS server in a different subnet:

[root@z1adminsrxV1 ~]# ssh [email protected]
The authenticity of host 'nfs1.lab.vmops.com (10.223.110.231)' can't be 
established.
RSA key fingerprint is 17:6f:1e:03:36:f4:c2:49:75:aa:a5:66:81:fd:4a:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'nfs1.lab.vmops.com,10.223.110.231' (RSA) to the 
list of known hosts.
[email protected]'s password: 
Last login: Mon Apr 29 16:58:09 2013 from yasker-devbox.citrite.net
[root@nfs1 ~]# 

> SRX - By default, egress traffic is NOT BLOCKED from guest network to public 
> network 
> -------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-2220
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2220
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>         Environment: MS ACS 4.2 build 4/24/13 7:48 PM revision: 
> 299cccf779f75c3ba04d9ec7303bed88394c3562
> host XS 6.0.2 
>            Reporter: angeline shen
>            Assignee: Jayapal Reddy
>            Priority: Critical
>             Fix For: 4.2.0
>
>         Attachments: management-server.log.gz
>
>
> MS ACS 4.2 build 4/24/13 7:48 PM revision: 
> 299cccf779f75c3ba04d9ec7303bed88394c3562
> host XS 6.0.2 
> 1. SRX network offering : isolated DHCP: virtual router DNS: virtual router 
> firewall: SRX userdata:virtual router sourceNAT: SRX staticNAT: SRX 
> portforward: SRX sourceNAT type: perzone
> 2. domain: ROOT admin
>    domain: /d1 domain admin: d1domain
>    domain: /d2 user: d2user
> 3. login: admin create VMs, allocate public IPs . 
>     BUG:   login  any VM  via console:  able to ping  www.google.com
>   login: d1domain repeat above steps
>    BUG:   login  any VM  via console:  able to ping  www.google.com
>   login: d2user repeat above steps 
>    BUG:   login  any VM  via console:  able to ping  www.google.com

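The cleanup commands in the comment delete every trust-to-untrust security policy, so on the device itself an SRX should fall through to its factory default-policy (deny-all) for guest-to-public traffic unless something re-adds a permit. As an added example (not from the ticket, the reporter, Juniper or the CloudStack SRX plugin), the following Python script models that evaluation: it replays Junos-style `set`/`delete` lines into a statement list, collects the policies for a zone pair in configuration order, and reports whether a given Junos application (for example `junos-icmp-ping`) would be permitted from trust to untrust. The sample configurations are constructed; the address matches are assumed to be `any`, and only the `match application` and `then permit|deny|reject` parts of a policy are modelled.

```python
"""Added example: model Junos SRX zone-policy evaluation from set/delete lines
to see whether guest (trust) to public (untrust) egress is permitted.
Constructed sample configs; not CloudStack or Juniper code."""
from typing import Dict, List, Tuple

Statement = Tuple[str, ...]

# Constructed: the policy-relevant lines from the cleanup in the ticket comment.
CLEANED_SRX = """
delete security policies from-zone untrust to-zone trust
delete security policies from-zone trust to-zone untrust
set security zones security-zone trust interfaces fe-0/0/1.0
set interfaces fe-0/0/3 unit 1230 family inet filter input untrust
set firewall filter untrust term return-traffic-tcp from tcp-established
set firewall filter untrust term return-traffic-tcp then accept
"""

# Constructed (hypothetical): a permit-all policy that would leave egress open.
OPEN_EGRESS_SRX = CLEANED_SRX + """
set security policies from-zone trust to-zone untrust policy allow-all match source-address any
set security policies from-zone trust to-zone untrust policy allow-all match destination-address any
set security policies from-zone trust to-zone untrust policy allow-all match application any
set security policies from-zone trust to-zone untrust policy allow-all then permit
"""

# Constructed (hypothetical): allow only SSH out, then an explicit catch-all deny.
SSH_ONLY_EGRESS_SRX = CLEANED_SRX + """
set security policies from-zone trust to-zone untrust policy allow-ssh match source-address any
set security policies from-zone trust to-zone untrust policy allow-ssh match destination-address any
set security policies from-zone trust to-zone untrust policy allow-ssh match application junos-ssh
set security policies from-zone trust to-zone untrust policy allow-ssh then permit
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
"""


def parse_config(text: str) -> List[Statement]:
    """Replay set/delete lines in order onto an empty candidate config.
    `delete PATH` drops every statement whose tokens begin with PATH."""
    stmts: List[Statement] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = tuple(line.split())
        verb, path = tokens[0], tokens[1:]
        if verb == "set":
            if path not in stmts:
                stmts.append(path)
        elif verb == "delete":
            stmts = [s for s in stmts if s[: len(path)] != path]
        else:
            raise ValueError(f"unsupported verb in line: {line!r}")
    return stmts


def zone_policies(stmts: List[Statement], from_zone: str, to_zone: str):
    """Ordered (name, applications, action) for one zone pair.
    Junos evaluates policies in configuration order; the first match wins."""
    prefix = ("security", "policies", "from-zone", from_zone, "to-zone", to_zone, "policy")
    policies: Dict[str, dict] = {}
    for s in stmts:
        if s[: len(prefix)] != prefix or len(s) <= len(prefix):
            continue
        name, rest = s[len(prefix)], s[len(prefix) + 1:]
        pol = policies.setdefault(name, {"applications": set(), "action": None})
        if rest[:2] == ("match", "application") and len(rest) == 3:
            pol["applications"].add(rest[2])
        elif rest[:1] == ("then",) and len(rest) == 2 and rest[1] in ("permit", "deny", "reject"):
            pol["action"] = rest[1]
    return [(n, p["applications"], p["action"]) for n, p in policies.items()]


def default_policy(stmts: List[Statement]) -> str:
    """`security policies default-policy` if configured; the factory default is deny-all."""
    for s in stmts:
        if s[:3] == ("security", "policies", "default-policy") and len(s) == 4:
            return s[3]
    return "deny-all"


def egress_allowed(stmts, application, from_zone="trust", to_zone="untrust") -> bool:
    """True if the first policy matching `application` permits it, or if nothing
    matches and the default policy is permit-all. Addresses are assumed `any`."""
    for _name, apps, action in zone_policies(stmts, from_zone, to_zone):
        if "any" in apps or application in apps:
            return action == "permit"
    return default_policy(stmts) == "permit-all"


def egress_report(text: str) -> Dict[str, bool]:
    """Summarise the flows of interest from the guest side: ping, DNS, SSH."""
    stmts = parse_config(text)
    return {app: egress_allowed(stmts, app)
            for app in ("junos-icmp-ping", "junos-dns-udp", "junos-ssh")}


if __name__ == "__main__":
    for label, cfg in (("cleaned", CLEANED_SRX), ("open", OPEN_EGRESS_SRX),
                       ("ssh-only", SSH_ONLY_EGRESS_SRX)):
        print(label, egress_report(cfg))
```

The cleaned configuration reports every flow as blocked, which is the posture the ticket expected and did not observe; when a VM can still reach the Internet, the place to look on a real SRX is the output of `show security policies from-zone trust to-zone untrust` (operational mode) and the `default-policy` line under `show configuration security policies`, rather than the stateless `untrust` filter, which only governs packets arriving on the public interface.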