[ https://issues.apache.org/jira/browse/CLOUDSTACK-8030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14240671#comment-14240671 ]

ASF subversion and git services commented on CLOUDSTACK-8030:
-------------------------------------------------------------

Commit 8278d88f76ee129af75cd585b916bd6719e34e4c in cloudstack's branch refs/heads/4.5 from Jayapal
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=8278d88 ]

CLOUDSTACK-8030: Updated router to come up egress default ALLOW

    By default, iptables rules are updated to add ACCEPT egress traffic.
    If the network egress default policy is false, CS removes ACCEPT and adds the DROP rule, which
    is the egress default rule when there are no other egress rules.

    If the CS network egress default policy is true, CS won't configure any default rule for egress because
    the router already came up to accept egress traffic. If there are already egress rules for the network, then the
    egress rules get applied on the VR.

    For an isolated network without firewall service, the VR by default allows egress traffic (guest network --> public network)


> Isolated network without firewall service doesn't allow egress traffic
> ----------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8030
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8030
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: Network Controller
>    Affects Versions: 4.5.0
>            Reporter: Jayapal Reddy
>            Assignee: Jayapal Reddy
>             Fix For: 4.5.0
>
>
> An isolated network, created with an offering having DHCP, DNS, Source NAT, 
> LB (Netscaler), which doesn't use Firewall service from VR has Egress rules 
> default allow. But the iptables FW_Outbound chain doesn't have a rule to 
> allow traffic from VMs to outside networks.
> This offering will be of no use even when the Egress default is allow all. 
> Either the user should not be allowed to create an offering without firewall 
> or the iptables rule should be added to allow egress traffic.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
