Hi,

Great, looking forward to your article. If you make some code changes, please create a PR for review and testing.

-Wei

On Mon, 4 Oct 2021 at 13:38, vas...@gmx.de <vas...@gmx.de> wrote:
> With this level of knowledge I can say yes, it works as expected.
>
> Overall I have to admit that this kind of implementation is something I will have to get used to :-D
> Until now I have been working with the "stateless" ACL approach. Also the "mixing" of in- and egress rules can be a bit overwhelming in one big table view. Also I might like to see the existing ACL items in the GUI. We are often talking about an "empty" ACL, which it isn't. Something you constantly will have to keep in mind (if I find a bit of time, maybe I will write some things for the docs, at least the stateful approach / need of an egress deny all).
> It "feels" somewhat like the middle between a classic network ACL and a stateful packet firewall.
> Will have to keep that in mind for security architecture as well as documentation of the whole setup I am actually building (especially when this infrastructure might face an audit in several months).
>
> regards
>
>
> On Mon., 4 Oct 2021 at 11:49, Wei ZHOU <ustcweiz...@gmail.com> wrote:
> > Hi,
> >
> > Good findings. Thanks for sharing.
> >
> > Do you think it works as what you expected?
> >
> > -Wei
> >
> > On Sat, 2 Oct 2021 at 23:41, vas...@gmx.de <vas...@gmx.de> wrote:
> > > Thanks for this Wei,
> > > that helped me out!
> > >
> > > I will share my findings - maybe someone googling for some more information regarding the ACLs will find it useful.
> > >
> > > - You need to set an "egress deny <port/all> <destination>" to work with further "egress allow" rules. So I misunderstood the docs regarding this point.
> > > - Keep in mind that ACLs have limitations and are not the same as a firewall.
> > > - Referenced iptables tables for the ACL items (and then in the separate chain of the ACL list):
> > >   - Egress items are found in the "mangle" table
> > >   - Ingress items are found in the "forward" table
> > >
> > > Another interesting thing to mention:
> > > ACLs are stateful (!) - which is quite convenient but not always default. And for some applications additional actions might be needed or considered during NW planning.
> > >
> > > Also egress and ingress rules are not related to each other even if they are displayed in one list (or say that they are 2 virtual lists).
> > > Example ACL list of a tier:
> > >   Pos. 1 egress deny all to 0.0.0.0/0
> > >   Pos. 2 ingress allow 22 from 0.0.0.0/0
> > >
> > > will give you an ssh connection from 0.0.0.0/0 to the network of the tier. Something one might want to keep in mind.
> > >
> > > Another thing I noticed:
> > > For me, using the "drag&drop" of ACL items was quite a mixed bag. The "rule numbers" often were not consistently displayed or updated. For example I had something like
> > >   nr 1 - Item A
> > >   nr 2 - Item B
> > >   nr 4 - Item D
> > >   nr 3 - Item C
> > > which can be a bit cumbersome, as the virtual router sorted the items correctly in the iptables chains, meaning
> > >   nr 1 - item A
> > >   nr 2 - item B
> > >   nr 3 - item C
> > >   nr 4 - item D
> > >
> > > If you are new to this, one can spend some time to find the mistake he made..... ;-)
> > >
> > >
> > > On Sat., 2 Oct 2021 at 15:45, Wei ZHOU <ustcweiz...@gmail.com> wrote:
> > > > Hi,
> > > >
> > > > The network ACL feature is implemented through iptables and ipset. If you have related knowledge and like to investigate the issue, it would be nice.
> > > >
> > > > Wei
> > > >
> > > > On Saturday, 2 October 2021, vas...@gmx.de <vas...@gmx.de> wrote:
> > > > > I can do. But before raising "issues" I normally try to confirm that my issue is to some degree valid. As my knowledge on how and where CloudStack is working with the configured ACLs is at the moment quite shallow, I will need to try out some things beforehand I guess....
> > > > >
> > > > > Wei ZHOU <ustcweiz...@gmail.com> wrote on Sat., 2 Oct 2021, 08:50:
> > > > > > Hi,
> > > > > >
> > > > > > Could you create an issue on GitHub and provide more details?
> > > > > >
> > > > > > -Wei
> > > > > >
> > > > > > On Sat, 2 Oct 2021 at 02:31, vas...@gmx.de <vas...@gmx.de> wrote:
> > > > > > > Hi everyone,
> > > > > > >
> > > > > > > I currently am looking into the ACL implementation used in VPCs.
> > > > > > >
> > > > > > > However, I was not able to locate any of my created "egress" entries in any of the chains / tables on the router. Tried several things like deny / allow egress traffic for one client or the whole tier, but I wasn't able to locate the changes on the router.
> > > > > > >
> > > > > > > Might one of you give me a hint where to look for / locate egress related rules in iptables?
> > > > > > >
> > > > > > > In this context, maybe someone can give me an idea if my understanding of the documentation regarding egress ACL items is correct.
> > > > > > > From the docs:
> > > > > > > " ... once you add an ACL rule for outgoing traffic, then only outgoing traffic specified in this ACL rule is allowed, the rest is blocked."
> > > > > > > So adding an "egress + allow" for an instance in the tier shall result in changing the "default" of the whole ACL to "egress + deny" for the rest of the network automatically.
> > > > > > > Is that correct?
> > > > > > >
> > > > > > > Thanks in advance!
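The thread makes three points about how a VPC tier ACL behaves that are easy to get wrong when reading the list in the GUI: ingress and egress items are two independent lists shown as one, the ACL is stateful (so "egress deny all" plus "ingress allow 22" still yields a working SSH session), and the router evaluates items by rule number, not by the order the GUI happened to display them. The following is an added example, not code from the thread or from CloudStack: a small Python model of that evaluation, useful for reasoning about the effective policy of a list before logging in to the virtual router. The model's rules are assumptions taken from the thread rather than from CloudStack's implementation: first matching item by number wins, each direction consults only its own items, replies of an allowed connection pass, and a direction with no matching item falls back to a configurable default (set to "allow" because the poster found an explicit egress deny all was needed). `AclItem`, `TierAcl` and the sample addresses are constructed for this example.

```python
"""Model of VPC tier ACL evaluation as described in the thread (added example, not CloudStack code).

Assumptions, not verified against CloudStack: items are evaluated in rule-number
order; ingress and egress are independent lists; reply traffic of an allowed
connection is accepted (stateful); no matching item -> configurable default.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclItem:
    number: int       # rule number; this is the order the router applies, whatever the GUI shows
    direction: str    # "ingress" or "egress"
    action: str       # "allow" or "deny"
    port: str         # "all" or a single port as a string, e.g. "22"
    cidr: str         # source CIDR for ingress, destination CIDR for egress


class TierAcl:
    def __init__(self, items, default="allow"):
        # Sort by rule number: the router's chains are ordered by number even when
        # drag-and-drop in the GUI left the displayed order as 1, 2, 4, 3.
        self.items = sorted(items, key=lambda i: i.number)
        self.default = default          # assumption: verdict when no item of that direction matches
        self.established = set()        # (direction, port, remote) of connections that were allowed

    @staticmethod
    def _matches(item, port, remote):
        return item.port in ("all", str(port)) and ip_address(remote) in ip_network(item.cidr)

    def new_connection(self, direction, port, remote):
        """Verdict for a fresh connection; only items of that direction are consulted."""
        for item in self.items:
            if item.direction == direction and self._matches(item, port, remote):
                verdict = item.action
                break
        else:
            verdict = self.default
        if verdict == "allow":
            self.established.add((direction, port, remote))
        return verdict

    def reply(self, direction, port, remote):
        """Verdict for a reply packet travelling in `direction`: stateful, so it passes
        if the original connection (in the opposite direction) was allowed."""
        origin = "ingress" if direction == "egress" else "egress"
        return "allow" if (origin, port, remote) in self.established else "deny"


def thread_example():
    """The two-item list from the thread: egress deny all, ingress allow 22."""
    acl = TierAcl([
        AclItem(1, "egress", "deny", "all", "0.0.0.0/0"),
        AclItem(2, "ingress", "allow", "22", "0.0.0.0/0"),
    ])
    client = "203.0.113.7"   # constructed address outside the tier
    return {
        "ssh_in": acl.new_connection("ingress", 22, client),       # ingress list allows it
        "ssh_reply_out": acl.reply("egress", 22, client),          # stateful: egress deny all does not break it
        "https_out": acl.new_connection("egress", 443, client),    # egress list denies new outbound
    }


def ordering_example():
    """Items as the GUI displayed them (1, 2, 4, 3): the router still evaluates 3 before 4."""
    displayed = [
        AclItem(1, "egress", "deny", "all", "0.0.0.0/0"),
        AclItem(2, "ingress", "allow", "22", "0.0.0.0/0"),
        AclItem(4, "ingress", "allow", "3306", "10.1.0.0/16"),   # shown third, "item D"
        AclItem(3, "ingress", "deny", "3306", "10.1.0.0/16"),    # shown fourth, "item C"
    ]
    acl = TierAcl(displayed)
    # Reading the GUI top-down suggests 3306 is allowed; by rule number the deny (3) comes first.
    return [i.number for i in acl.items], acl.new_connection("ingress", 3306, "10.1.2.3")


if __name__ == "__main__":
    print(thread_example())
    print(ordering_example())
```

The second function reproduces the drag-and-drop confusion from the thread: an allow item displayed above a deny item is still evaluated after it if its rule number is higher, so the effective verdict is deny. When checking the real router, compare the numbered order of the ACL chain there rather than the order shown in the GUI.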