[ https://issues.apache.org/jira/browse/CLOUDSTACK-8030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14235381#comment-14235381 ]

Jayapal Reddy commented on CLOUDSTACK-8030:
-------------------------------------------

On router bootup, default iptables rules are configured. The default rules block 
the egress traffic.
If the network offering egress policy is true, then on network creation an egress 
allow rule is configured on the router.
If the egress policy is false, then CS will not send a rule to the VR on network 
creation.
Egress rule service is provided by the 'Firewall provider'. 
In this issue there is no firewall provider. So there is no way to configure an 
egress rule on the VR.

The current logic needs to be changed as below.
1. The default VR iptables rules should be configured to allow egress traffic.
2. On network creation, if the egress policy is DENY then configure a rule to DROP the 
traffic.
3. If the network has only source NAT without firewall, the VR will allow egress by 
default.

> Isolated network without firewall service doesn't allow egress traffic
> ----------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8030
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8030
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: Network Controller
>    Affects Versions: 4.5.0
>            Reporter: Jayapal Reddy
>            Assignee: Jayapal Reddy
>             Fix For: 4.5.0
>
>
> An isolated network, created with an offering having DHCP, DNS, Source NAT, 
> LB (Netscaler), which doesn't use Firewall service from VR has Egress rules 
> default allow. But the iptables FW_Outbound chain doesn't have a rule to 
> allow traffic from VMs to outside networks.
> This offering will be of no use even when the Egress default is allow all. 
> Either the user should not be allowed to create an offering without firewall 
> or the iptables rule should be added to allow egress traffic.
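The following is an added example, not CloudStack code: a small Python model of the VR's FW_OUTBOUND chain that makes the two logics in Jayapal's comment comparable side by side. The "current" builder mimics the behaviour described above (chain boots in a blocking state; the management server pushes an ACCEPT rule only when a Firewall provider exists and the policy is allow), and the "proposed" builder mimics the three-step change (default allow; push a DROP rule only when the policy is DENY). The `Offering`, `Rule` and `Chain` classes, the first-match evaluation and the guest CIDR values are assumptions made for the example; they are not CloudStack's data model or the exact rules the VR scripts generate.

```python
"""Model of the VR egress chain under the current and the proposed logic.

This is an illustrative model written for this page, not CloudStack's own code.
Rules are evaluated first-match, like an iptables chain; a packet that matches
no rule gets the chain's default verdict.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass
class Rule:
    """One iptables-style rule: optional source-CIDR match, then a terminating target."""
    target: str
    src_cidr: Optional[str] = None  # None matches any source address
    note: str = ""

    def matches(self, src_ip: str) -> bool:
        if self.src_cidr is None:
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_cidr)


@dataclass
class Chain:
    """First-match chain; 'default' is the verdict when no rule matches."""
    name: str
    default: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, src_ip: str) -> str:
        for rule in self.rules:
            if rule.matches(src_ip):
                return rule.target
        return self.default


@dataclass
class Offering:
    """Assumed, simplified view of a network offering (constructed for the example)."""
    guest_cidr: str
    firewall_provider: bool      # True when the VR Firewall service is part of the offering
    egress_default_allow: bool   # the offering's egress policy (True = allow, False = DENY)


def build_chain_current(offering: Offering) -> Chain:
    """Current logic as described in the comment: the VR boots with egress blocked,
    and an allow rule is only sent when a Firewall provider exists and policy is allow."""
    chain = Chain("FW_OUTBOUND", default=DROP)
    if offering.firewall_provider and offering.egress_default_allow:
        chain.rules.append(Rule(ACCEPT, offering.guest_cidr, "egress allow rule from CS"))
    # Without a Firewall provider nothing is ever sent, so the chain stays at DROP:
    # this is the situation the bug report describes.
    return chain


def build_chain_proposed(offering: Offering) -> Chain:
    """Proposed logic: default allow; push a DROP rule only when the policy is DENY,
    so a source-NAT-only offering (no firewall) allows egress by default."""
    chain = Chain("FW_OUTBOUND", default=ACCEPT)
    if not offering.egress_default_allow:
        chain.rules.append(Rule(DROP, offering.guest_cidr, "egress deny rule from CS"))
    return chain


def egress_verdict(offering: Offering, src_ip: str, proposed: bool = False) -> str:
    """Verdict the VR would give an outbound packet from src_ip under either logic."""
    builder = build_chain_proposed if proposed else build_chain_current
    return builder(offering).verdict(src_ip)


if __name__ == "__main__":
    # Constructed sample offerings; 10.1.1.0/24 is an assumed guest CIDR.
    cases = {
        "no firewall, egress allow (the reported case)": Offering("10.1.1.0/24", False, True),
        "firewall, egress allow": Offering("10.1.1.0/24", True, True),
        "firewall, egress DENY": Offering("10.1.1.0/24", True, False),
    }
    for label, offering in cases.items():
        print(f"{label}: current={egress_verdict(offering, '10.1.1.10')}, "
              f"proposed={egress_verdict(offering, '10.1.1.10', proposed=True)}")
```

Running it shows the mismatch the issue is about: for the offering without a Firewall provider the current logic yields DROP even though the offering's egress policy is allow, while the proposed logic yields ACCEPT. Offerings that do carry the Firewall provider get the same verdict under both logics, which is the property a reviewer would want to confirm before changing the VR's boot-time default.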



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)