It is workaround-able by adding the 9999 rule. I just wrote the rule wrong :(

However, no rule should be required, according to the documentation... which is 
dangerous.

I have created the issue here: https://github.com/apache/cloudstack/issues/4402

I did look at the iptables of the VR, but I don't fully understand it. The 3rd 
forward rule seems to allow everything out, and there are no egress rules 
before that one, the other two are "STATS" chains, which I suspect stands for 
statistics.

I found outbound rules in the mangle table, which I have never used before... I 
need to get familiar with it. But even so, I don't fully identify my ACLs in 
here, I think iptables is not showing it all.

Do you know where can I find information about how this VR is implemented? 

Regards,
Rafael

On Tue, 2020-10-13 11:59 AM, Thomas Joseph <thomas.jo...@gmail.com> wrote:
> Have you logged on to the related virtual router and checked if the
> declared firewall rules are visible?
> 
> With regards
> Thomas Joseph
> 
> On Tue, 13 Oct 2020, 10:53 am Rafael del Valle, " 
> target="_blank"><rva...@livelens.net.invalid>
> wrote:
> 
> > arrrgh...
> >
> > Not even the 9999 rule helps once I deploy all my tiers and rules.
> >
> > Egress just seems broken on VPC in 4.14.
> >
> > Anybody successfully using Egress/VPC in 4.14?
> >
> >
> > On Tue, 2020-10-13 09:37 AM, rva...@privaz.io.INVALID wrote:
> > > Hi Rene,
> > >
> > > I know what you mean now: the "By default, all incoming traffic to
> > > the guest networks is blocked and all outgoing traffic from guest
> > > networks is allowed, once you add an ACL rule for outgoing traffic, then
> > > only outgoing traffic specified in this ACL rule is allowed, the rest is
> > > blocked."
> > >
> > > This is how I remembered it.
> > >
> > > However, It looks like the last bit (once you add an ACL rule for
> > outgoing traffic...) seems to be implemented in isolated networks but not
> > in VPC tiers.
> > >
> > > I managed to achieve the desired behaviour by adding a:
> > >
> > > 9999 0.0.0.0/0 Egreess Deny ALL ALL
> > >
> > > Rule to my ACLs in VPC tiers, even thou there is already another Egress
> > rule present.
> > >
> > >  However the Isolated networks that I have do not need it, as they do
> > honour the previous specification.
> > >
> > > I am going to create an issue and see if the team can reproduce this
> > behaviour.
> > >
> > > Regards,
> > > Rafael
> > >
> > > On Mon, 2020-10-12 05:53 PM, Rene Moser " target="_blank"><
> > " target="_blank">m...@renemoser.net> wrote:
> > > >
> > > On 12.10.20 17:30, rva...@privaz.io.INVALID wrote:
> > > > > Am I missing something?
> > > >
> > > >
> > > > It's been a while but I remember the default egress rule is "allow
> > from
> > > > all".
> > > >
> > > >
> > https://docs.cloudstack.apache.org/en/4.14.0.0/adminguide/networking/virtual_private_cloud_config.html?#about-network-acl-lists
> > > >
> > > > The doc however seems to be inconsistent, the table says "Deny all"
> > for
> > > > outgoing. I guess this is a typo in the table there.
> > > >
> > > > Regards
> > > > René
> > > >
> > > >
> > > >
> > >
> 

Reply via email to