On 2/9/21 10:22 AM, Hean Seng wrote:
> but if a user is able to log in to CloudStack, they can edit the security group
> themselves, right?
>
Indeed. So you could then create a new Role where users can't
execute the 'egress' commands of the Security Groups.
> I am thinking there are some rules that are always highest priority, not
> editable by the user, or maybe only editable by admin
>
Chaining security groups has been a long outstanding wish of a lot of
people, but that's not very easy to implement.
> The main worry for this is spammers
>
Understood. Maybe you can arrange something for port 25 outbound on
network level? ACLs on the routers which actually route the traffic to
the internet.
Wido
>
>
> On Tue, Feb 9, 2021 at 3:49 PM Wido den Hollander <w...@widodh.nl> wrote:
>
>>
>>
>> On 2/8/21 9:14 AM, Hean Seng wrote:
>>> Hi
>>>
>>> Is it possible to have default block rules for all the VMs, default block
>>> SMTP outbound port in iptables?
>>>
>>
>> We did this by changing the security groups. Egress we only allow:
>>
>> - TCP 21 and 22
>> - TCP 26-65534
>>
>> This way VMs can connect to port 25 outbound and thus not send e-mail.
>>
>> Wido
>>
>>>
>>> Thank you
>>>
>>
>
>
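
An added example, not part of the original e-mails and not CloudStack code: a small audit that checks an egress allow-list like the one quoted in the thread (TCP 21, 22 and 26-65534) for ports that must stay blocked, and lists the ranges the allow-list leaves closed. It assumes egress is default-deny once any egress rule exists; the rule text format and all function names are constructed for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    proto: str   # "tcp" or "udp"
    start: int   # first allowed port, inclusive
    end: int     # last allowed port, inclusive

def parse_rule(text: str) -> Rule:
    """Parse 'tcp 26-65534' or 'tcp 22' (constructed format) into a Rule."""
    proto, ports = text.lower().split()
    lo, _, hi = ports.partition("-")
    start, end = int(lo), int(hi or lo)
    if proto not in ("tcp", "udp") or not 1 <= start <= end <= 65535:
        raise ValueError(f"bad rule: {text!r}")
    return Rule(proto, start, end)

def allowed(rules, proto, port):
    """True if any allow rule covers (proto, port)."""
    return any(r.proto == proto and r.start <= port <= r.end for r in rules)

def blocked_ranges(rules, proto):
    """Return the port ranges of `proto` that no allow rule covers."""
    gaps, nxt = [], 1
    for r in sorted(x for x in rules if x.proto == proto):
        if r.start > nxt:
            gaps.append((nxt, r.start - 1))
        nxt = max(nxt, r.end + 1)
    if nxt <= 65535:
        gaps.append((nxt, 65535))
    return gaps

def audit(rule_texts, must_block=(("tcp", 25),)):
    """Return the (proto, port) pairs from must_block that the rules allow."""
    rules = [parse_rule(t) for t in rule_texts]
    return [(p, n) for p, n in must_block if allowed(rules, p, n)]

# Allow-list from the thread, one entry per rule.
THREAD_RULES = ["tcp 21", "tcp 22", "tcp 26-65534"]
# Constructed counter-example: a later broad rule that re-opens SMTP.
LEAKY_RULES = THREAD_RULES + ["tcp 1-1024"]

if __name__ == "__main__":
    print("thread rules leak:", audit(THREAD_RULES))
    print("leaky rules leak: ", audit(LEAKY_RULES))
    parsed = [parse_rule(t) for t in THREAD_RULES]
    print("closed tcp ranges:", blocked_ranges(parsed, "tcp"))
    print("closed udp ranges:", blocked_ranges(parsed, "udp"))
```

Read literally, the three rules also leave every UDP port closed, so any UDP traffic the VMs need (DNS, NTP) would require additional allow rules.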