Hi,

Vivek was absolutely right: I pulled a "history" from both XenHosts and the part of the sysctl.conf you mentioned. Although my settings in the sysctl.conf were correct, I forgot to issue the sysctl -p /etc/sysctl.conf command.

After doing so, ingress and egress rules become active or inactive immediately. Thanks Vivek!

JK

From: Vivek Kumar <vivek.ku...@indiqus.com>
Sent: Thursday, 22 September 2016 09:30
To: users@cloudstack.apache.org; jeroen.ke...@keerl-it.com
Subject: Re: SecurityGroup - not working?

Yeah sure, because I had the same problem and it was resolved by changing these settings in the sysctl file.

On Thu, Sep 22, 2016 at 12:38 PM, Jeroen Keerl <jeroen.ke...@keerl-it.com> wrote:

Hi Vivek,

I'll check the sysctl settings again tonight, but I am quite sure I set those correctly. Everything else was done "by the book".

Cheers
JK

Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Vivek Kumar <vivek.ku...@indiqus.com>
Date: 22.09.2016 08:14 (GMT+01:00)
To: users@cloudstack.apache.org, jeroen.ke...@keerl-it.com
Subject: Re: SecurityGroup - not working?

Hello Jeroen,

When you set up a Basic Zone in CloudStack with XenServer you need to change a few things in your XenServer.

1- *xe-switch-network-backend bridge* (I hope you have already done this).
2- And you also need to make some changes in the sysctl conf file for security groups. Make the changes below in /etc/sysctl.conf on the XenServer:

net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 1

and run this command:

# sysctl -p /etc/sysctl.conf

I hope this will work.

*Vivek Kumar*
Virtualization and Cloud Consultant
*I*ndi*Q*us Technologies Pvt Ltd
A-98, LGF, C.R.Park, New Delhi - 110019
*O* +91 11 4055 1411 | *M* +91 7503460090
http://www.indiqus.com/

On Thu, Sep 22, 2016 at 1:43 AM, Jeroen Keerl <jeroen.ke...@keerl-it.com> wrote:
> Hi,
>
> I had a few things configured on ACS – Basic Zone – Security Groups.
> Setup: 2 Citrix 6.5 hosts, Mgmt server under CentOS 6.8.
> Basic Networking, VMs created from template, also CentOS 6.8
>
> At first (default, first VM test) I could not log in using SSH.
> Then I created the appropriate ingress rule and all was ok.
> Same with ICMP (Ping) for 0.0.0.0/0
> Now I wanted to test a few things in my test environment and removed these
> rules, actually expecting that neither SSH nor ping would go through
> anymore.
>
> Unfortunately they do, so apparently rules once set are not revoked upon
> deletion.
> I would expect nothing to come through, if no ingress rules are set, no
> matter what iptables on the VM itself does.
>
> Tests:
> - Delete all ingress rules (ping, SSH and webmin (TCP 10000))
> - Disable iptables on VM
> ⇨ Ping, ssh went through, Webmin didn't.
> - Enable iptables on VM
> ⇨ Ping and ssh went through
> - Insert ingress rule for webmin, iptables still enabled
> ⇨ Webmin times out (expected behaviour)
> - Disable iptables
> ⇨ Webmin works
>
> In the documentation you are pointed towards the "The procedure is
> described in Basic Zone Configuration in the Advanced Installation Guide."
> (Managing Networks and Traffic – Enabling Security Groups)
> Searched for it on the Apache Site: Not found.
> Google gave me the "Advanced Installation Guide" from Citrix, Version
> 3.*.* … in which you are directed to the administration guide.
> Not really helpful!
>
> Does anybody know about this / experienced something like this before?
>
> *Jeroen Keerl*
> *Keerl IT Services GmbH*
> Birkenstraße 1b . 21521 Aumühle
> +49 177 6320 317
> http://www.keerl-it.com
> i...@keerl-it.com
> Managing Director: Jacobus J. Keerl
> Register court Lubeck, HRB no. 14511
> Our general terms and conditions can be found here:
> <http://www.keerl-it.com/AGB.pdf>
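The gap JK hit is that the lines in /etc/sysctl.conf are only a wish until sysctl -p (or a reboot) applies them, so the security-group iptables rules on the bridge silently did nothing while the file looked correct. The POSIX shell check below is an added example, not code from the thread or from CloudStack; it compares the live kernel values against the three settings Vivek lists and reports every key that is missing or differs. The function names are my own, and the live mode assumes it is run as root on the XenServer dom0 with the bridge module loaded (if the keys are absent, sysctl -p would error out on those lines as well).

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies that the bridge-netfilter
# sysctl values Vivek recommends are the LIVE kernel values, not just lines
# in /etc/sysctl.conf. Function names are my own (hypothetical).

# Required live values, exactly as listed in the thread.
REQUIRED="net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-arptables=1"

# check_bridge_nf "<sysctl output>"
#   Takes text in the "key = value" form that "sysctl net.bridge..." prints,
#   prints one OK/MISSING/MISMATCH line per required key, and returns 0 only
#   when all three keys are present with the expected value.
check_bridge_nf() {
    live=$1
    rc=0
    for entry in $REQUIRED; do
        key=${entry%%=*}
        want=${entry#*=}
        # Live value for this key; empty when the key is absent (on XenServer
        # that usually means the bridge module is not loaded yet).
        got=$(printf '%s\n' "$live" | sed -n "s/^$key *= *//p" | head -n 1)
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key = $got (want $want)"
            rc=1
        else
            echo "OK       $key = $got"
        fi
    done
    return $rc
}

# check_host: read the live values from this host and check them.
# Only meaningful on the XenServer dom0 itself, as root.
check_host() {
    check_bridge_nf "$(sysctl -a 2>/dev/null | grep '^net\.bridge\.bridge-nf-call-')"
}

# Live check only when explicitly asked for: sh check_bridge_nf.sh --live
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

A non-zero exit from the live check is the signal to run sysctl -p /etc/sysctl.conf and re-check, which is the step the thread shows was missing; it also makes a cheap post-boot or configuration-management assertion, since a host where these values have silently reverted behaves exactly like JK's: rules in the UI, nothing enforced on the bridge.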