[
https://issues.apache.org/jira/browse/CLOUDSTACK-2220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13647903#comment-13647903
]
angeline shen commented on CLOUDSTACK-2220:
-------------------------------------------
1. I see you inactivated default-policy. So from MS UI, all VMs blocked from
EGRESS. OK. This works
2. However, from MS UI, network adminsrx, I added the following Egress rules:
   CIDR        protocol   port
   0.0.0.0/0   TCP        1 - 8090
   0.0.0.0/0   ICMP       -1 -1
From all VMs, STILL unable to ping or ssh to outside world
SRX security policies settings:
root# show security policies
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy destnat-untrust-trust-10-0-81-119 {
match {
source-address any;
destination-address 10-0-81-119;
application tcp-22-22;
}
then {
permit;
count;
}
}
policy destnat-untrust-trust-10-0-145-162 {
match {
source-address any;
destination-address 10-0-145-162;
application tcp-22-22;
}
then {
permit;
count;
}
}
policy destnat-untrust-trust-10-0-92-19 {
match {
source-address any;
destination-address 10-0-92-19;
application tcp-22-22;
}
then {
permit;
count;
}
}
}
from-zone trust to-zone untrust {
policy egress-trust-untrust-2486 {
match {
source-address 0-0-0-0-0;
destination-address any;
application [ egress-tcp-1-8090 egress-icmp-255-255 ];
}
then {
permit;
count;
}
}
}
default-policy {
inactive: permit-all;
}
[edit]
root# root# show security nat
source {
rule-set trust {
from zone trust;
to zone untrust;
rule i-nat {
match {
source-address 10.0.0.0/8;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool 10-0-81-119-22 {
address 10.0.81.119/32 port 22;
}
pool 10-0-145-162-22 {
address 10.0.145.162/32 port 22;
}
pool 10-0-92-19-22 {
address 10.0.92.19/32 port 22;
}
rule-set untrust {
from zone untrust;
rule destnatrule-300973196 {
match {
destination-address 10.223.123.13/32;
destination-port 22;
}
then {
destination-nat pool 10-0-81-119-22;
}
}
rule destnatrule-1560619096 {
match {
destination-address 10.223.123.14/32;
destination-port 22;
}
then {
destination-nat pool 10-0-145-162-22;
}
}
rule destnatrule-1229587959 {
match {
destination-address 10.223.123.11/32;
destination-port 22;
}
then {
destination-nat pool 10-0-92-19-22;
}
}
}
}
proxy-arp {
interface fe-0/0/3.1230 {
address {
10.223.123.13/32;
10.223.123.14/32;
10.223.123.11/32;
}
}
}
[edit]
root#
> SRX - By default, egress traffic is NOT BLOCKED from guest network to public
> network
> -------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-2220
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2220
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Management Server
> Affects Versions: 4.2.0
> Environment: MS ACS 4.2 build 4/24/13 7:48 PM revision:
> 299cccf779f75c3ba04d9ec7303bed88394c3562
> host XS 6.0.2
> Reporter: angeline shen
> Assignee: Jayapal Reddy
> Priority: Critical
> Fix For: 4.2.0
>
> Attachments: management-server.log.gz
>
>
> MS ACS 4.2 build 4/24/13 7:48 PM revision:
> 299cccf779f75c3ba04d9ec7303bed88394c3562
> host XS 6.0.2
> 1. SRX network offering : isolated DHCP: virtual router DNS: virtual router
> firewall: SRX userdata:virtual router sourceNAT: SRX staticNAT: SRX
> portforward: SRX sourceNAT type: perzone
> 2. domain: ROOT admin
> domain: /d1 domain admin: d1domain
> domain: /d2 user: d2user
> 3. login: admin create VMs, allocate public IPs .
> BUG: login any VM via console: able to ping www.google.com
> login: d1domain repeat above steps
> BUG: login any VM via console: able to ping www.google.com
> login: d2user repeat above steps
> BUG: login any VM via console: able to ping www.google.com
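The comment above shows the policy dump after default-policy was made inactive and one egress policy was pushed: whether a guest's outbound flow gets out now depends entirely on which application names the trust-to-untrust policy lists, because an inactive default-policy falls back to the Junos built-in deny-all. The following is an added audit script (not part of the JIRA report or of CloudStack) that parses `show security policies` output into a tree and reports which policy, or which default, decides a given zone-to-zone flow. It assumes that applications can be matched by name only (the dump does not include the `applications` definitions, so it cannot tell whether `egress-icmp-255-255` actually covers an echo request) and it ignores address matching except for the keyword `any`. The embedded sample is an abridged copy of the dump in the comment.

```python
"""Audit which SRX security policy decides a zone-to-zone flow.

Added example, not part of the JIRA comment or of CloudStack. Policies are
evaluated in configuration order, as Junos does; if none matches, the
default-policy applies, and an `inactive:` default-policy means the
built-in deny-all. Applications are matched by name only (assumption: the
application definitions are not in the dump).
"""
import re

TOKEN_RE = re.compile(r"\{|\}|;|\[|\]|[^\s{};\[\]]+")

# Abridged copy of the `show security policies` output from the comment.
SRX_POLICIES = """
from-zone trust to-zone trust {
    policy trust-to-trust {
        match { source-address any; destination-address any; application any; }
        then { permit; }
    }
}
from-zone trust to-zone untrust {
    policy egress-trust-untrust-2486 {
        match {
            source-address 0-0-0-0-0;
            destination-address any;
            application [ egress-tcp-1-8090 egress-icmp-255-255 ];
        }
        then { permit; count; }
    }
}
default-policy {
    inactive: permit-all;
}
"""


def _add_statement(node: dict, words: list) -> None:
    """Store `key value;` / `key;` / `key [ a b ];`, noting `inactive:` markers."""
    inactive = bool(words) and words[0] == "inactive:"
    if inactive:
        words = words[1:]
    if not words:
        return
    key = words[0]
    node[key] = True if len(words) == 1 else (words[1] if len(words) == 2 else words[1:])
    if inactive:
        node.setdefault("_inactive", set()).add(key)


def parse_junos(text: str) -> dict:
    """Parse Junos curly-brace configuration output into nested dicts."""
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def parse_block() -> dict:
        nonlocal pos
        node: dict = {}
        words: list = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                break
            if tok == "{":                      # `name { ... }` -> child block
                node[" ".join(words)] = parse_block()
                words = []
            elif tok == "[":                    # `[ a b ]` -> list value
                items = []
                while tokens[pos] != "]":
                    items.append(tokens[pos])
                    pos += 1
                pos += 1                        # consume the closing ]
                words.append(items)
            elif tok == ";":
                _add_statement(node, words)
                words = []
            else:
                words.append(tok)
        return node

    return parse_block()


def evaluate_flow(cfg: dict, from_zone: str, to_zone: str, application: str) -> tuple:
    """Return (action, deciding policy) for a flow between two zones."""
    zone_pair = cfg.get(f"from-zone {from_zone} to-zone {to_zone}", {})
    for key, policy in zone_pair.items():
        if not key.startswith("policy "):
            continue
        apps = policy.get("match", {}).get("application", [])
        apps = [apps] if isinstance(apps, str) else apps
        if "any" in apps or application in apps:
            action = "permit" if "permit" in policy.get("then", {}) else "deny"
            return action, key.split(" ", 1)[1]
    default = cfg.get("default-policy", {})
    if "permit-all" in default and "permit-all" not in default.get("_inactive", set()):
        return "permit", "default-policy permit-all"
    return "deny", "default-policy (built-in deny-all)"


if __name__ == "__main__":
    cfg = parse_junos(SRX_POLICIES)
    for app in ("egress-icmp-255-255", "junos-ping"):
        print(f"trust->untrust {app}: {evaluate_flow(cfg, 'trust', 'untrust', app)}")
```

The useful output is the second line: any guest flow whose application is not literally one of the two names in the egress policy is dropped by the built-in deny-all once `permit-all` is inactive, so the audit of a CloudStack-managed SRX has to include `show configuration applications` to see what `egress-tcp-1-8090` and `egress-icmp-255-255` really match.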