[
https://issues.apache.org/jira/browse/CLOUDSTACK-2220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13645907#comment-13645907
]
angeline shen commented on CLOUDSTACK-2220:
-------------------------------------------
1. Create domain: d1 domain admin : d1domain
2. login d1domain, deploy VM with SRX network with SRX network offering - successful.
Acquire public IP. configure firewall : CIDR 0.0.0.0/0 ports 1 to 8090.
configure PF rule: TCP private port 22 public port 22 for this VM
NO EGRESS RULE for this network
4. ssh to VM via above public IP.
[ashen@localhost ~]$ ssh [email protected]
The authenticity of host '10.223.123.14 (10.223.123.14)' can't be established.
RSA key fingerprint is 5e:41:b7:1c:46:95:24:52:de:ef:bb:83:1e:40:43:28.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.223.123.14' (RSA) to the list of known hosts.
[email protected]'s password:
Last login: Tue Apr 30 19:52:34 2013
5. Test result: Bug: From this VM Egress IS NOT BLOCKED by default.
a. from VM can ping www.google.com
[root@z1d1domainsrxV21 ~]# ping www.google.com
PING www.google.com (74.125.236.212) 56(84) bytes of data.
64 bytes from maa03s17-in-f20.1e100.net (74.125.236.212): icmp_seq=1 ttl=42 time=206 ms
64 bytes from maa03s17-in-f20.1e100.net (74.125.236.212): icmp_seq=2 ttl=42 time=205 ms
64 bytes from maa03s17-in-f20.1e100.net (74.125.236.212): icmp_seq=3 ttl=42 time=204 ms
--- www.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 204.835/205.364/206.120/0.757 ms
b. from VM can ping other servers in different network:
[root@z1d1domainsrxV21 ~]# ping nfs1.lab.vmops.com
PING nfs1.lab.vmops.com (10.223.110.231) 56(84) bytes of data.
64 bytes from 10.223.110.231: icmp_seq=1 ttl=60 time=0.797 ms
64 bytes from 10.223.110.231: icmp_seq=2 ttl=60 time=0.958 ms
--- nfs1.lab.vmops.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.797/0.877/0.958/0.085 ms
c. from VM can ssh to NFS server in different subnet :
[root@z1d1domainsrxV21 ~]# ssh [email protected]
The authenticity of host 'nfs1.lab.vmops.com (10.223.110.231)' can't be established.
RSA key fingerprint is 17:6f:1e:03:36:f4:c2:49:75:aa:a5:66:81:fd:4a:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'nfs1.lab.vmops.com,10.223.110.231' (RSA) to the list of known hosts.
[email protected]'s password:
Last login: Tue Apr 30 12:03:28 2013 from 10.223.123.62
d. from VM can ssh to NFS server in different subnet :
[root@z1d1domainsrxV21 ~]# ssh [email protected]
The authenticity of host 'nfs2.lab.vmops.com (10.223.110.232)' can't be established.
RSA key fingerprint is 33:eb:0e:9a:b8:d0:63:42:b7:cb:ed:f8:17:11:d1:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'nfs2.lab.vmops.com,10.223.110.232' (RSA) to the list of known hosts.
[email protected]'s password:
Last login: Tue Apr 30 12:06:10 2013 from 10.223.123.62
[root@nfs2 ~]#
> SRX - By default, egress traffic is NOT BLOCKED from guest network to public network
> -------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-2220
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2220
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Management Server
> Affects Versions: 4.2.0
> Environment: MS ACS 4.2 build 4/24/13 7:48 PM revision: 299cccf779f75c3ba04d9ec7303bed88394c3562
> host XS 6.0.2
> Reporter: angeline shen
> Assignee: Jayapal Reddy
> Priority: Critical
> Fix For: 4.2.0
>
> Attachments: management-server.log.gz
>
>
> MS ACS 4.2 build 4/24/13 7:48 PM revision: 299cccf779f75c3ba04d9ec7303bed88394c3562
> host XS 6.0.2
> 1. SRX network offering : isolated DHCP: virtual router DNS: virtual router
> firewall: SRX userdata:virtual router sourceNAT: SRX staticNAT: SRX
> portforward: SRX sourceNAT type: perzone
> 2. domain: ROOT admin
> domain: /d1 domain admin: d1domain
> domain: /d2 user: d2user
> 3. login: admin create VMs, allocate public IPs .
> BUG: login any VM via console: able to ping www.google.com
> login: d1domain repeat above steps
> BUG: login any VM via console: able to ping www.google.com
> login: d2user repeat above steps
> BUG: login any VM via console: able to ping www.google.com
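The test in the comment above and the original report both check the same thing by hand: with no egress rule on the network, ping and ssh from the guest to public and other-subnet hosts should fail, and they do not. The following script is an added example, not part of this JIRA thread and not CloudStack's or the SRX integration's code. It automates that check: `ping_reached` parses ping statistics in the shape shown in the comment, `EgressRule`/`expected_egress_allowed` model the policy the report expects (no egress rules means deny; otherwise only traffic matching a rule is allowed; this simplified model is an assumption, not CloudStack's rule engine), and `verdict` lists every observation where real-world reachability disagrees with the expected policy, which is exactly the evidence the report presents. The two ping transcripts are constructed samples modelled on the report's output.

```python
"""Egress-policy check for a guest network: compare what the guest can
actually reach with what the configured egress rules should allow.
Added example for CLOUDSTACK-2220; not CloudStack code."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample outputs, modelled on the ping transcripts in the report.
PING_REACHED = """PING www.google.com (74.125.236.212) 56(84) bytes of data.
64 bytes from maa03s17-in-f20.1e100.net (74.125.236.212): icmp_seq=1 ttl=42 time=206 ms
--- www.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
"""
PING_BLOCKED = """PING www.google.com (74.125.236.212) 56(84) bytes of data.
--- www.google.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2001ms
"""

STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")


def ping_reached(output: str) -> bool:
    """True if at least one echo reply came back, i.e. egress was allowed."""
    m = STATS_RE.search(output)
    if not m:
        raise ValueError("no ping statistics line in output")
    return int(m.group(2)) > 0


@dataclass
class EgressRule:
    """Simplified egress rule: destination CIDR, protocol, optional port range.
    Hypothetical model of what an egress rule expresses, not CloudStack's API."""
    cidr: str
    protocol: str                      # "tcp", "udp", "icmp" or "all"
    start_port: Optional[int] = None
    end_port: Optional[int] = None

    def matches(self, dst: str, proto: str, port: Optional[int]) -> bool:
        if ip_address(dst) not in ip_network(self.cidr):
            return False
        if self.protocol != "all" and self.protocol != proto:
            return False
        if proto in ("tcp", "udp") and self.start_port is not None:
            return port is not None and self.start_port <= port <= self.end_port
        return True


def expected_egress_allowed(rules: List[EgressRule], dst: str, proto: str,
                            port: Optional[int] = None) -> bool:
    """Policy the report expects: deny unless some egress rule matches.
    With an empty rule list (the report's setup) nothing is allowed."""
    return any(r.matches(dst, proto, port) for r in rules)


# An observation is (destination, protocol, port, actually_reached).
Observation = Tuple[str, str, Optional[int], bool]


def verdict(rules: List[EgressRule], observations: List[Observation]) -> List[dict]:
    """Return one record per observation whose reachability contradicts the
    expected policy. An empty list means the firewall behaves as expected."""
    mismatches = []
    for dst, proto, port, reached in observations:
        expected = expected_egress_allowed(rules, dst, proto, port)
        if reached != expected:
            mismatches.append({"dst": dst, "proto": proto, "port": port,
                               "expected_allowed": expected, "reached": reached})
    return mismatches


if __name__ == "__main__":
    # Reproduce the report: no egress rules, yet the guest reaches everything.
    observed = [
        ("74.125.236.212", "icmp", None, ping_reached(PING_REACHED)),  # step 5a
        ("10.223.110.231", "icmp", None, True),                        # step 5b
        ("10.223.110.231", "tcp", 22, True),                           # step 5c
        ("10.223.110.232", "tcp", 22, True),                           # step 5d
    ]
    for m in verdict([], observed):
        print("egress NOT blocked by default:", m)
```

Run from inside the guest, the `observations` list would be filled from real probes (ping exit status, a TCP connect to port 22) instead of the constructed transcripts; a non-empty `verdict` with an empty rule list is the condition this ticket reports, and the same function also flags the opposite failure (traffic blocked although a rule allows it) once egress rules are added.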
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira