Cody,

Do you know whether these commands also work on the CLI?

After validating that the firewall_enabled flag was set and rebooting, nothing changed.

When I run the following, not all the rules are there:

fwadm rules 49700b0b-55a8-4245-b3bf-907e098130a
UUID                                 ENABLED RULE
89862847-43cc-4b72-abbb-24758d3bf69d true    FROM any TO all vms ALLOW icmp TYPE 8 CODE 0
c762c835-bde9-4a56-bda6-9a2ddf02d086 true    FROM any TO all vms ALLOW tcp PORT 22

yet
fwadm list | grep `vmadm list|grep centos4|sed 's/^\(\([a-z0-9]*-\)\([a-z0-9]*-\)*\([a-z0-9]*\)\).*/\1/g'`
0c8b49f2-e2b6-4ad0-870d-f05009eff55e true FROM vm 49700b0b-55a8-4245-b3bf-907e098130ab TO any BLOCK tcp PORT 25
a612e3e1-87e9-4f88-a442-da54f1067a29 true FROM vm 49700b0b-55a8-4245-b3bf-907e098130ab TO ip XX.XXX.XX.XX BLOCK tcp PORT 25
dfc33fc9-09bf-4f87-9435-0377f7b086b5 true FROM vm 49700b0b-55a8-4245-b3bf-907e098130ab TO all vms BLOCK tcp PORT 25
[root@90-b1-1c-00-0b-6a /usbkey]#

But when I run the rule I think should work:

With sanity check:
# vmadm get 49700b0b-55a8-4245-b3bf-907e098130ab | grep fire
  "firewall_enabled": true,

Alas,
[root@centos4 ~]# telnet XX.XXX.XX.XX 25
Trying XX.XXX.XX.XX...
Connected to XX.XXX.XX.XX.
Escape character is '^]'.
220 XX.XXX.XX.XX ESMTP Postfix
^]
telnet> Connection closed.
[root@centos4 ~]#

So does fw* not constrain the outbound ports?



On 2/29/16 1:25 PM, Cody Mello wrote:
Hi Will,

Yes, fwadm rules will work on KVM instances as long as you're on a
platform newer than 20140314:

https://github.com/joyent/sdc-fwapi/blob/master/docs/index.md#vms

- Cody


On Mon, Feb 29, 2016 at 11:16 AM, Will Beazley
<[email protected]> wrote:
All,

Are fwadm-managed fw-rules effective with KVMs? The wording sounds funny, so
to restate: are the KVMs constrained by fwadm rules?

What I am trying to do is have a KVM that can be gotten to but cannot get
out save for a single route.

If the system were to be compromised it is important that it not be able to
change its firewall rules in a meaningful way.

LX-BZs are an option too if KVM isn't known to work or is known to not work.

Many Thanks,
Will





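Added example, not part of the thread and not SmartOS/fwadm code: an offline matcher for the rule text shown above. It parses rules in the form `fwadm list` prints them (FROM <target> TO <target> ALLOW|BLOCK <proto> [PORT n | PORTS a, b | TYPE t [CODE c]]), applies the documented defaults (traffic into a VM is blocked and traffic out of it is allowed unless a rule says otherwise), and reports which rules a given flow would hit, so you can check a rule set against the flow you are testing before reaching for telnet. Assumptions: a BLOCK rule wins over an ALLOW rule when both match (this example's precedence, not a statement about the fwadm implementation); 192.0.2.25 stands in for the redacted relay address, and the 10.0.0.x and 198.51.100.7 addresses are constructed.

```python
"""Offline matcher for fwadm-style rule text (added example, not fwadm code).

Models the documented grammar and defaults (inbound to a VM blocked, outbound
allowed, unless a rule matches).  ASSUMPTION: when several rules match, any
BLOCK wins; that precedence is this example's choice, not fwadm's.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

UUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
TARGET_RE = re.compile(rf"^(?:(?P<any>any)|(?P<allvms>all vms)|vm (?P<vm>{UUID})"
                       r"|ip (?P<ip>\S+)|subnet (?P<subnet>\S+))$", re.I)
RULE_RE = re.compile(rf"^(?:(?P<uuid>{UUID}) (?P<enabled>true|false) )?"
                     r"FROM (?P<src>.+?) TO (?P<dst>.+?) (?P<action>ALLOW|BLOCK) "
                     r"(?P<proto>tcp|udp|icmp)(?: (?P<spec>.+))?$", re.I)


@dataclass(frozen=True)
class Target:
    kind: str              # any | allvms | vm | ip | subnet
    value: object = None   # uuid string, ip_address or ip_network

    def matches(self, vm: Optional[str], ip: str) -> bool:
        """True if this target covers an endpoint at `ip` that is VM `vm` (None = not a VM)."""
        if self.kind == "any":
            return True
        if self.kind == "allvms":
            return vm is not None
        if self.kind == "vm":
            return vm is not None and vm.lower() == self.value
        if self.kind == "ip":
            return ipaddress.ip_address(ip) == self.value
        return ipaddress.ip_address(ip) in self.value


def parse_target(text: str) -> Target:
    m = TARGET_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported target: {text!r}")
    if m["any"]:
        return Target("any")
    if m["allvms"]:
        return Target("allvms")
    if m["vm"]:
        return Target("vm", m["vm"].lower())
    if m["ip"]:
        return Target("ip", ipaddress.ip_address(m["ip"]))
    return Target("subnet", ipaddress.ip_network(m["subnet"], strict=False))


@dataclass(frozen=True)
class Rule:
    uuid: Optional[str]
    enabled: bool
    src: Target
    dst: Target
    action: str                        # ALLOW | BLOCK
    proto: str                         # tcp | udp | icmp
    ports: Optional[frozenset] = None  # None = all ports (tcp/udp)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def parse_rule(line: str) -> Rule:
    """Parse one `fwadm list` line (uuid and enabled column optional)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse rule: {line!r}")
    spec = (m["spec"] or "").lower()
    ports = itype = icode = None
    pm = re.fullmatch(r"ports? (all|[\d, ]+)", spec)
    im = re.fullmatch(r"type (\d+)(?: code (\d+))?", spec)
    if pm and pm[1] != "all":
        ports = frozenset(int(p) for p in pm[1].replace(",", " ").split())
    elif im:
        itype, icode = int(im[1]), (int(im[2]) if im[2] else None)
    elif spec and not pm:
        raise ValueError(f"unsupported port/type spec: {spec!r}")
    return Rule(m["uuid"], (m["enabled"] or "true").lower() == "true",
                parse_target(m["src"]), parse_target(m["dst"]),
                m["action"].upper(), m["proto"].lower(), ports, itype, icode)


@dataclass(frozen=True)
class Flow:
    src_vm: Optional[str]   # VM uuid if the source is a VM on this host, else None
    src_ip: str
    dst_vm: Optional[str]
    dst_ip: str
    proto: str
    port: Optional[int] = None        # destination port (tcp/udp)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if not rule.enabled or rule.proto != flow.proto:
        return False
    if not (rule.src.matches(flow.src_vm, flow.src_ip)
            and rule.dst.matches(flow.dst_vm, flow.dst_ip)):
        return False
    if rule.proto == "icmp":
        return (rule.icmp_type in (None, flow.icmp_type)
                and rule.icmp_code in (None, flow.icmp_code))
    return rule.ports is None or flow.port in rule.ports


def matching_rules(rules, flow: Flow):
    return [r for r in rules if rule_matches(r, flow)]


def decide(rules, flow: Flow, vm: str) -> str:
    """Verdict for VM `vm`; direction is relative to it (outbound when it is the source)."""
    hits = matching_rules(rules, flow)
    if any(r.action == "BLOCK" for r in hits):
        return "BLOCK"                                   # ASSUMPTION: block beats allow
    if hits:
        return "ALLOW"
    return "ALLOW" if flow.src_vm == vm else "BLOCK"    # documented defaults


# Constructed sample: the rules quoted in the thread, with the redacted relay
# address replaced by the documentation address 192.0.2.25.
CENTOS4 = "49700b0b-55a8-4245-b3bf-907e098130ab"
SAMPLE = """
89862847-43cc-4b72-abbb-24758d3bf69d true FROM any TO all vms ALLOW icmp TYPE 8 CODE 0
c762c835-bde9-4a56-bda6-9a2ddf02d086 true FROM any TO all vms ALLOW tcp PORT 22
0c8b49f2-e2b6-4ad0-870d-f05009eff55e true FROM vm 49700b0b-55a8-4245-b3bf-907e098130ab TO any BLOCK tcp PORT 25
a612e3e1-87e9-4f88-a442-da54f1067a29 true FROM vm 49700b0b-55a8-4245-b3bf-907e098130ab TO ip 192.0.2.25 BLOCK tcp PORT 25
dfc33fc9-09bf-4f87-9435-0377f7b086b5 true FROM vm 49700b0b-55a8-4245-b3bf-907e098130ab TO all vms BLOCK tcp PORT 25
"""
RULES = [parse_rule(line) for line in SAMPLE.strip().splitlines()]

# Flows to check; the VM and remote addresses are constructed.
SMTP_OUT = Flow(CENTOS4, "10.0.0.4", None, "192.0.2.25", "tcp", 25)
SSH_IN = Flow(None, "198.51.100.7", CENTOS4, "10.0.0.4", "tcp", 22)
HTTP_IN = Flow(None, "198.51.100.7", CENTOS4, "10.0.0.4", "tcp", 80)
HTTPS_OUT = Flow(CENTOS4, "10.0.0.4", None, "198.51.100.7", "tcp", 443)

if __name__ == "__main__":
    for name, flow in [("smtp out", SMTP_OUT), ("ssh in", SSH_IN),
                       ("http in", HTTP_IN), ("https out", HTTPS_OUT)]:
        hits = [r.uuid[:8] for r in matching_rules(RULES, flow)]
        print(f"{name:10} {decide(RULES, flow, CENTOS4):5} matched={hits}")
```

Feed it the output of `fwadm list` for the VM and the flow you are about to test; if the matcher reports BLOCK for the SMTP flow but the packet still gets through, the rule text is not the problem and the search moves to whether the rules were actually applied to that VM.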
-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now