[
https://issues.apache.org/jira/browse/CLOUDSTACK-2220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13645891#comment-13645891
]
angeline shen commented on CLOUDSTACK-2220:
-------------------------------------------
SRX device:

root@% cli
root> configure
Entering configuration mode
[edit]
root# show interfaces
fe-0/0/1 {
    unit 0 {
        family inet {
            address 10.223.52.62/26;
        }
    }
}
fe-0/0/2 {
    vlan-tagging;
    unit 2486 {
        vlan-id 2486;
        family inet {
            filter {
                input vlan-input-2486;
                output vlan-output-2486;
            }
            address 10.0.80.1/20;
        }
    }
}
fe-0/0/3 {
    vlan-tagging;
    unit 1230 {
        vlan-id 1230;
        family inet {
            filter {
                input untrust;
            }
            address 10.223.123.62/26;
        }
    }
}

root# show firewall
filter untrust {
    term return-traffic-tcp {
        from {
            tcp-established;
        }
        then accept;
    }
    term return-traffic-ping {
        from {
            icmp-type 0;
            icmp-code 0;
        }
        then accept;
    }
    term return-traffic-dns {
        from {
            protocol udp;
            port 53;
        }
        then accept;
    }
    term 10-223-123-13-1 {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-address {
                10.223.123.13/32;
            }
            protocol tcp;
            destination-port 1-8090;
        }
        then {
            count 10-223-123-13-i;
            accept;
        }
    }
}
filter vlan-output-2486 {
    term vlan-output-2486 {
        then {
            count vlan-output-2486;
            accept;
        }
    }
}
filter vlan-input-2486 {
    term vlan-input-2486 {
        then {
            count vlan-input-2486;
            accept;
        }
    }
}

root# show security policies
from-zone trust to-zone trust {
    policy trust-to-trust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy destnat-untrust-trust-10-0-81-119 {
        match {
            source-address any;
            destination-address 10-0-81-119;
            application tcp-22-22;
        }
        then {
            permit;
            count;
        }
    }
}
default-policy {
    permit-all;
}

root# show security nat
source {
    rule-set trust {
        from zone trust;
        to zone untrust;
        rule i-nat {
            match {
                source-address 10.0.0.0/8;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}
destination {
    pool 10-0-81-119-22 {
        address 10.0.81.119/32 port 22;
    }
    rule-set untrust {
        from zone untrust;
        rule destnatrule-300973196 {
            match {
                destination-address 10.223.123.13/32;
                destination-port 22;
            }
            then {
                destination-nat pool 10-0-81-119-22;
            }
        }
    }
}
proxy-arp {
    interface fe-0/0/3.1230 {
        address {
            10.223.123.13/32;
        }
    }
}
> SRX - By default, egress traffic is NOT BLOCKED from guest network to public network
> -------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-2220
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2220
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: Management Server
> Affects Versions: 4.2.0
> Environment: MS ACS 4.2 build 4/24/13 7:48 PM revision:
> 299cccf779f75c3ba04d9ec7303bed88394c3562
> host XS 6.0.2
> Reporter: angeline shen
> Assignee: Jayapal Reddy
> Priority: Critical
> Fix For: 4.2.0
>
> Attachments: management-server.log.gz
>
>
> MS ACS 4.2 build 4/24/13 7:48 PM revision:
> 299cccf779f75c3ba04d9ec7303bed88394c3562
> host XS 6.0.2
> 1. SRX network offering : isolated DHCP: virtual router DNS: virtual router
> firewall: SRX userdata:virtual router sourceNAT: SRX staticNAT: SRX
> portforward: SRX sourceNAT type: perzone
> 2. domain: ROOT admin
> domain: /d1 domain admin: d1domain
> domain: /d2 user: d2user
> 3. login: admin create VMs, allocate public IPs .
> BUG: login any VM via console: able to ping www.google.com
> login: d1domain repeat above steps
> BUG: login any VM via console: able to ping www.google.com
> login: d2user repeat above steps
> BUG: login any VM via console: able to ping www.google.com
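The policy dump in the comment above shows why egress is open: the only policies pushed to the SRX are trust-to-trust and untrust-to-trust, so guest-to-public flows have no matching policy and fall through to `default-policy { permit-all; }`. The following is an added example, not code from the CloudStack project or from the reporter: a small Python audit that parses Junos brace-style `show security policies` output into a tree and flags the two conditions that together leave guest egress open (a permit-all default policy and no deny policy from the guest zone to the public zone). The `REPORTED_POLICIES` text is the dump quoted in the comment; `HARDENED_POLICIES` is a constructed variant with an explicit trust-to-untrust deny and a deny-all default, included only to show what the check looks like when it passes. Zone names `trust`/`untrust` are taken from the dump; everything else is assumed.

```python
"""Audit a Junos SRX 'show security policies' dump for open guest egress.

Added example, not part of the CloudStack project: parses the brace syntax
into nested dicts and reports why traffic from the guest zone to the public
zone would be permitted.
"""

# Policy dump as quoted in the report above (zone names trust/untrust come from it).
REPORTED_POLICIES = """\
from-zone trust to-zone trust {
    policy trust-to-trust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy destnat-untrust-trust-10-0-81-119 {
        match {
            source-address any;
            destination-address 10-0-81-119;
            application tcp-22-22;
        }
        then {
            permit;
            count;
        }
    }
}
default-policy {
    permit-all;
}
"""

# Constructed hardened variant (assumption, not from the report): explicit
# trust->untrust deny policy plus a deny-all default policy.
HARDENED_POLICIES = REPORTED_POLICIES.replace("permit-all;", "deny-all;") + """\
from-zone trust to-zone untrust {
    policy deny-guest-egress {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
"""


def parse_junos(text):
    """Parse Junos curly-brace configuration text into nested dicts.

    A line ending in '{' opens a block keyed by its header; a line ending in
    ';' becomes a leaf keyed by the statement with the value None.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        else:
            stack[-1][line.rstrip(";").strip()] = None
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration text")
    return root


def audit_egress(policy_text, guest_zone="trust", public_zone="untrust"):
    """Return a list of findings that explain why guest->public egress is open.

    An empty list means an explicit deny exists or nothing falls through to a
    permissive default.
    """
    tree = parse_junos(policy_text)
    findings = []
    default_permits = "permit-all" in tree.get("default-policy", {})
    if default_permits:
        findings.append("default-policy permit-all: flows with no matching policy are allowed")
    egress_key = f"from-zone {guest_zone} to-zone {public_zone}"
    egress = tree.get(egress_key)
    if egress is None:
        findings.append(f"no '{egress_key}' block: guest egress falls through to default-policy")
    else:
        # Look for at least one policy in the egress block whose action denies or rejects.
        denies = [name for name, pol in egress.items()
                  if name.startswith("policy ")
                  and any(a in pol.get("then", {}) for a in ("deny", "reject"))]
        if not denies and default_permits:
            findings.append(f"'{egress_key}' has no deny/reject policy and the default permits")
    return findings


if __name__ == "__main__":
    for label, text in (("reported", REPORTED_POLICIES), ("hardened", HARDENED_POLICIES)):
        print(label, audit_egress(text) or ["no findings"])
```

Running the script prints two findings for the reported dump (permit-all default, no trust-to-untrust block) and none for the hardened variant. The parser is deliberately minimal: it handles the block/leaf grammar of `show` output but not inline comments or `/* */` annotations, which a production audit would need to strip first.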