Can you run the following:

# ipfstat -nio -G 49700b0b-55a8-4245-b3bf-907e098130a

That'll show us what ipfilter rules are being installed.

- Cody

On Mon, Feb 29, 2016 at 12:52 PM, Will Beazley <[email protected]> wrote:
> Cody,
>
> Do you know whether these commands also work on the CLI?
>
> After validating that the firewall_enable flag was set and rebooting, nothing
> changed.
>
> When I run the following, not all the rules are there:
> fwadm rules 49700b0b-55a8-4245-b3bf-907e098130a
> UUID                                 ENABLED RULE
> 89862847-43cc-4b72-abbb-24758d3bf69d true    FROM any TO all vms ALLOW icmp TYPE 8 CODE 0
> c762c835-bde9-4a56-bda6-9a2ddf02d086 true    FROM any TO all vms ALLOW tcp PORT 22
>
> yet
> fwadm list | grep `vmadm list|grep centos4|sed 's/^\(\([a-z0-9]*-\)\([a-z0-9]*-\)*\([a-z0-9]*\)\).*/\1/g'`
> 0c8b49f2-e2b6-4ad0-870d-f05009eff55e true FROM vm 49700b0b-55a8-4245-b3bf-907e098130ab TO any BLOCK tcp PORT 25
> a612e3e1-87e9-4f88-a442-da54f1067a29 true FROM vm 49700b0b-55a8-4245-b3bf-907e098130ab TO ip XX.XXX.XX.XX BLOCK tcp PORT 25
> dfc33fc9-09bf-4f87-9435-0377f7b086b5 true FROM vm 49700b0b-55a8-4245-b3bf-907e098130ab TO all vms BLOCK tcp PORT 25
> [root@90-b1-1c-00-0b-6a /usbkey]#
>
> But when I run the rule I think should work:
>
> With sanity check:
> #vmadm get 49700b0b-55a8-4245-b3bf-907e098130ab|grep fire
>   "firewall_enabled": true,
>
> Alas,
> [root@centos4 ~]# telnet XX.XXX.XX.XX 25
> Trying XX.XXX.XX.XX...
> Connected to XX.XXX.XX.XX.
> Escape character is '^]'.
> 220 XX.XXX.XX.XX ESMTP Postfix
> ^]
> telnet> Connection closed.
> [root@centos4 ~]#
>
> So does fw* not constrain the outbound ports?
>
>
> On 2/29/16 1:25 PM, Cody Mello wrote:
>
> Hi Will,
>
> Yes, fwadm rules will work on KVM instances as long as you're on a
> platform newer than 20140314:
>
> https://github.com/joyent/sdc-fwapi/blob/master/docs/index.md#vms
>
> - Cody
>
>
> On Mon, Feb 29, 2016 at 11:16 AM, Will Beazley <[email protected]> wrote:
>
> All,
>
> Are fwadm managed fw-rules effective with KVMs? The wording sounds funny, so
> to restate, are the KVMs constrained by fwadm rules?
>
> What I am trying to do is have a KVM that can be gotten to but cannot get
> out save for a single route.
>
> If the system were to be compromised, it is important that it not be able to
> change its firewall rules in a meaningful way.
>
> LX-BZs are an option too if KVM isn't known to work or is known to not work.
>
> Many Thanks,
> Will

smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now
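As an added example (not code from the thread or from SmartOS's own tooling), the following Python parses the `fwadm list` and `fwadm rules <uuid>` tables in the format shown above and reports which enabled rules name the VM but are absent from the VM's applied rule set, which is the discrepancy Will describes. The sample tables are constructed from the thread's output, with the documentation address 192.0.2.25 standing in for the redacted XX.XXX.XX.XX.

```python
import re
from collections import namedtuple
VM = "49700b0b-55a8-4245-b3bf-907e098130ab"
# Constructed sample tables modelled on the thread's `fwadm list` and `fwadm rules <vm>`
# output (one rule per line); 192.0.2.25 stands in for the redacted XX.XXX.XX.XX address.
FWADM_LIST = """\
UUID                                 ENABLED RULE
0c8b49f2-e2b6-4ad0-870d-f05009eff55e true    FROM vm 49700b0b-55a8-4245-b3bf-907e098130ab TO any BLOCK tcp PORT 25
a612e3e1-87e9-4f88-a442-da54f1067a29 true    FROM vm 49700b0b-55a8-4245-b3bf-907e098130ab TO ip 192.0.2.25 BLOCK tcp PORT 25
dfc33fc9-09bf-4f87-9435-0377f7b086b5 true    FROM vm 49700b0b-55a8-4245-b3bf-907e098130ab TO all vms BLOCK tcp PORT 25
89862847-43cc-4b72-abbb-24758d3bf69d true    FROM any TO all vms ALLOW icmp TYPE 8 CODE 0
c762c835-bde9-4a56-bda6-9a2ddf02d086 true    FROM any TO all vms ALLOW tcp PORT 22
"""
FWADM_RULES_VM = """\
UUID                                 ENABLED RULE
89862847-43cc-4b72-abbb-24758d3bf69d true    FROM any TO all vms ALLOW icmp TYPE 8 CODE 0
c762c835-bde9-4a56-bda6-9a2ddf02d086 true    FROM any TO all vms ALLOW tcp PORT 22
"""
ROW = re.compile(r"^(?P<uuid>[0-9a-f-]{36})\s+(?P<enabled>true|false)\s+(?P<rule>FROM .+)$")
RULE = re.compile(r"^FROM (?P<src>.+?) TO (?P<dst>.+?) (?P<action>ALLOW|BLOCK) (?P<rest>.+)$")
# src/dst are fwadm targets ("any", "all vms", "vm <uuid>", "ip <addr>", ...);
# rest is the protocol plus its port/type spec, e.g. "tcp PORT 25".
Rule = namedtuple("Rule", "uuid enabled src dst action rest")

def parse_fwadm_table(text):
    """Parse the UUID / ENABLED / RULE table fwadm prints; the header line is skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and blank lines do not match ROW
            r = RULE.match(m["rule"])
            if not r:
                raise ValueError("unparseable rule text: " + m["rule"])
            rules.append(Rule(m["uuid"], m["enabled"] == "true", r["src"], r["dst"], r["action"], r["rest"]))
    return rules

def covers_vm(target, vm_uuid):
    # Only explicit vm / all-vms targets are resolved; tag and subnet targets need data these tables lack.
    return target == "all vms" or target == "vm " + vm_uuid

def directions(rule, vm_uuid):
    """'outbound' when the VM is the rule's source, 'inbound' when it is the destination."""
    return {d for d, t in (("outbound", rule.src), ("inbound", rule.dst)) if covers_vm(t, vm_uuid)}

def missing_rules(global_text, applied_text, vm_uuid):
    """Enabled `fwadm list` rules that name the VM but are absent from `fwadm rules <vm>`."""
    applied = {r.uuid for r in parse_fwadm_table(applied_text)}
    return [r for r in parse_fwadm_table(global_text)
            if r.enabled and directions(r, vm_uuid) and r.uuid not in applied]
```

Run against real output, the three BLOCK rules with the VM as source come back as missing, which is the point to raise before testing the port from inside the guest.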
