[
https://issues.apache.org/jira/browse/CLOUDSTACK-5278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13836675#comment-13836675
]
Jayapal Reddy commented on CLOUDSTACK-5278:
-------------------------------------------
1. In regard default egress policy rules as per my knowledge there is no bug
in the router. If you see any issue in functionality please file bug with
details.
By default router DROP all the egress traffic when default egress policy is
deny.
Here are the rules when you add first egress rule.
Chain FW_EGRESS_RULES (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.1.1.0/24 0.0.0.0/0
tcp dpt:22
2. The default egress rule should be cleaned up, In router we may not see
issue but other firewall providers it should be cleaned up.
3.The default egress policy rule/system rule is not stored in db.
You can list the rules based on the network id. you can use both network id and
rule id to configure the rules on the device.
> Egress Firewall rules clarifications
> ------------------------------------
>
> Key: CLOUDSTACK-5278
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5278
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Affects Versions: 4.3.0
> Reporter: Will Stevens
> Assignee: Jayapal Reddy
> Priority: Critical
> Fix For: 4.3.0
>
>
> These issues may also exist in the 4.2 branch, but I am currently
> testing/working on the 4.3 branch.
> I believe these bugs were introduced with the change to the Network Service
> Offering to add the 'Default egress policy' dropdown.
> https://issues.apache.org/jira/browse/CLOUDSTACK-1578
> I am trying to resolve the bugs this change introduced in the Palo Alto
> plugin.
> There are two types of Egress rules (from what I can tell).
> - FirewallRule.FirewallRuleType.System : this appears to be set up by the
> system on network creation to correspond to the global network default
> allow/deny egress rule.
> - FirewallRule.FirewallRuleType.User : any rule that a user creates through
> the UI will get this type.
> There are bugs associated with both of the options in the dropdown (allow and
> deny).
> Case: 'deny'
> - When the network is setup, it does not try to create the global deny rule
> for the network, but it appears to register that it exists. Instead, when
> the first egress rule is created by a user, the system sees both the 'system'
> and 'user' rules, so it will create both rules then.
> Case: both 'allow' and 'deny'
> - The clean up of the network global 'system' egress rules are never done.
> So when a network is deleted, it will leave an orphaned egress rule
> associated with the previous network's cidr. This is bound to cause many
> issues.
> - Even worse, it appears that the ID for the network global 'system' egress
> rule is hardcoded to '0'. Every time I try to spin up a new network it will
> attempt to create a rule with a '0' ID, but since one already exists with
> that ID, there is a config collision. In my case (Palo Alto), the second
> rule with the same ID gets ignored because it checks to see if the rule
> exists and it gets a 'yes' back because the previous network has an egress
> rule with that ID already.
> Let me know if you have additional questions...
--
This message was sent by Atlassian JIRA
(v6.1#6144)
