With this level of knowledge I can say yes, it works as expected.

Overall I have to admit that this kind of implementation is something I
will have to get used to :-D
Until now I have been working with the "stateless" ACL approach. Also the
"mixing" of in- and egress rules can be a bit overwhelming in one big
table view. Also I might like to see the existing ACL items in the GUI. We
are often talking about an "empty" ACL - which it isn't. Something you
constantly will have to keep in mind (if I find a bit of time maybe writing
some things to the docs, at least the stateful approach / need of an
egress deny all).
It "feels" somewhat like the middle between a classic network ACL and a
stateful packet firewall.
Will have to keep that in mind for security architecture as well as
documentation of the whole setup I am actually building (especially when
this infrastructure might face an audit in several months).

regards


On Mon, 4 Oct 2021 at 11:49, Wei ZHOU <ustcweiz...@gmail.com> wrote:

> Hi,
>
> Good findings. Thanks for sharing.
>
> Do you think it works as what you expected?
>
> -Wei
>
> On Sat, 2 Oct 2021 at 23:41, vas...@gmx.de <vas...@gmx.de> wrote:
>
>> Thanks for this Wei,
>> that helped me out!
>>
>> I will share my findings - maybe someone googling for some more
>> information regarding the ACLs will find it useful.
>>
>>
>> - You need to set an "egress deny <port/all> <destination>" to work with
>> further "egress allow" rules. So I misunderstood the docs regarding this
>> point.
>> - Keep in mind that ACLs have limitations and are not the same as a
>> firewall.
>> - Referenced iptables tables for the ACL items (and then in the separate
>> chain of the ACL list):
>>      - Egress items are found in the "mangle" table
>>      - Ingress items are found in the "forward" table
>>
>> Another interesting thing to mention:
>> ACLs are stateful (!) - which is quite convenient but not always
>> default.
>> And for some applications additional actions might be needed or considered
>> during NW planning.
>>
>> Also egress and ingress rules are not related to each other even if they
>> are displayed in one list (or say that they are 2 virtual lists).
>> Example ACL list of a tier:
>>      Pos. 1     egress deny all to 0.0.0.0/0
>>      Pos. 2     ingress allow 22 from 0.0.0.0/0
>>
>> will give you an ssh connection from 0.0.0.0/0 to the network of the
>> tier.
>> Something one might want to keep in mind.
>>
>> Another thing I noticed:
>> For me using the "drag&drop" of ACL items was quite a mixed bag.
>> The "rule numbers" often were not consistently displayed or updated.
>> For example I had something like
>> nr 1 - Item A
>> nr 2 - Item B
>> nr 4 - Item D
>> nr 3 - Item C
>> which can be a bit cumbersome, as on the virtual router the items were
>> sorted correctly in the iptables chains, meaning
>> nr 1 - Item A
>> nr 2 - Item B
>> nr 3 - Item C
>> nr 4 - Item D
>>
>> If you are new to this - one can spend some time to find the mistake he
>> made..... ;-)
>>
>>
>>
>> On Sat, 2 Oct 2021 at 15:45, Wei ZHOU <ustcweiz...@gmail.com> wrote:
>>
>> > Hi,
>> >
>> > The network acl feature is implemented through iptables and ipset. If
>> > you have related knowledge and like to investigate the issue, it would
>> > be nice.
>> >
>> > Wei
>> >
>> > On Saturday, 2 October 2021, vas...@gmx.de <vas...@gmx.de> wrote:
>> >
>> >> I can do. But before raising "issues" I normally try to confirm that my
>> >> issue is to some degree valid. As my knowledge on how and where
>> >> Cloudstack is working with the configured ACLs is at the moment quite
>> >> shallow, I will need to try out some things beforehand I guess....
>> >>
>> >> Wei ZHOU <ustcweiz...@gmail.com> wrote on Sat, 2 Oct 2021, 08:50:
>> >>
>> >> > Hi,
>> >> >
>> >> > Could you create an issue on github and provide more details ?
>> >> >
>> >> > -Wei
>> >> >
>> >> > On Sat, 2 Oct 2021 at 02:31, vas...@gmx.de <vas...@gmx.de> wrote:
>> >> >
>> >> > > Hi everyone,
>> >> > >
>> >> > > I currently am looking into the ACL implementation used in VPCs.
>> >> > >
>> >> > > However I was not able to locate any of my created "egress" entries
>> >> > > in any of the chains / tables on the router.
>> >> > > Tried several things like deny / allow egress traffic for one client
>> >> > > or the whole tier, but I wasn't able to locate the changes on the
>> >> > > router.
>> >> > >
>> >> > > Might one of you give me some pointers where to look for / locate
>> >> > > egress related rules in iptables?
>> >> > >
>> >> > > In this context, maybe someone can give me an idea if my
>> >> > > understanding of the documentation regarding egress ACL items is
>> >> > > correct.
>> >> > > From the docs:
>> >> > > " ... once you add an ACL rule for outgoing traffic, then only
>> >> > > outgoing traffic specified in this ACL rule is allowed, the rest is
>> >> > > blocked."
>> >> > > So adding an "egress + allow" for an instance in the tier shall
>> >> > > result in changing the "default" of the whole ACL to "egress + deny"
>> >> > > for the rest of the network automatically.
>> >> > > Is that correct?
>> >> > >
>> >> > > Thanks in advance!
>> >> > >
>> >> >
>> >>
>> >
>>
>
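
As an added illustration (not code from this thread or from CloudStack), a small Python model of the ACL behaviour the findings above describe: per-direction rule lists evaluated in position order with first match winning, an explicit egress deny all needed to block other egress traffic, and stateful handling so the egress reply of an allowed inbound SSH connection passes despite the egress deny all. The assumption that traffic with no matching rule is allowed is inferred from the finding that an explicit deny all is needed; the IP addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    pos: int             # position in the ACL list; evaluation order
    direction: str       # "ingress" (into the tier) or "egress" (out of it)
    action: str          # "allow" or "deny"
    port: Optional[int]  # None matches any port
    cidr: str            # source for ingress, destination for egress

@dataclass
class StatefulAcl:
    rules: list
    flows: set = field(default_factory=set)  # conntrack: (remote_ip, port, direction)

    def _first_match(self, direction, remote_ip, port):
        # Ingress and egress are independent lists, each walked in position order
        # (the order the rules take effect, not the order the GUI may show them).
        for r in sorted(self.rules, key=lambda r: r.pos):
            if r.direction != direction or (r.port is not None and r.port != port):
                continue
            if ipaddress.ip_address(remote_ip) in ipaddress.ip_network(r.cidr):
                return r.action
        return "allow"  # assumption: nothing matched, so the traffic passes

    def new_connection(self, direction, remote_ip, port):
        # First packet of a flow: only the rules of its own direction decide.
        verdict = self._first_match(direction, remote_ip, port)
        if verdict == "allow":
            self.flows.add((remote_ip, port, direction))
        return verdict

    def reply(self, direction, remote_ip, port):
        # Stateful part: a reply to a tracked flow passes in the opposite
        # direction even when that direction carries a deny-all rule.
        opposite = "egress" if direction == "ingress" else "ingress"
        if (remote_ip, port, opposite) in self.flows:
            return "allow"
        return self._first_match(direction, remote_ip, port)

TIER_ACL = StatefulAcl([  # constructed from the thread's example tier ACL
    Rule(1, "egress", "deny", None, "0.0.0.0/0"),
    Rule(2, "ingress", "allow", 22, "0.0.0.0/0"),
])

def ssh_into_tier(client="203.0.113.5"):  # inbound SSH plus its egress reply
    return (TIER_ACL.new_connection("ingress", client, 22),
            TIER_ACL.reply("egress", client, 22))

def tier_calls_out(server="198.51.100.7"):  # fresh outbound HTTPS flow
    return TIER_ACL.new_connection("egress", server, 443)
```

`ssh_into_tier()` returns allow for both the inbound packet and the reply, while `tier_calls_out()` is denied because a new outbound flow has no conntrack entry and hits the egress deny all.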
