Jayapal, I reviewed the spec. My comments:

If firewall rules per public IP address can't be configured on the SRX,
and there is no way to fix it (your spec says so in the "Limitation" section),
why do we introduce all this complexity? To me it seems like we are trying
to show the user that he is controlling public ports on the SRX, while in fact
it's not true. It should work just like it used to work before: the
ingress traffic flow from public to guest interfaces should be controlled
by a PF/StaticNat/LB rule; ingress traffic to a public IP address is always
allowed. When there is no PF/LB/StaticNat rule for the guest network port,
the traffic to the guest port is blocked. Once you create a PF rule for publicIp
+ guestIp, access to the specific port of the guest network is opened
automatically. The example below (taken from the spec):

Example:

1. Acquire IP P1.
2. Create Firewall for port 22 - port 22.
3. Configure the port forwarding for Public IP P1, user VM V1.
4. Acquire another IP P2.
5. Enable staticNAT on P2 for VM V1.
6. Now P1 and P2 both can access the VM port 22 - /// you haven't created
a firewall rule for P2, yet access from it to port 22:22 is enabled
implicitly. It's very confusing. In other words, the firewall rule
created for the P1 IP should never ever control access to the P2 IP address.


We need to fix the original issue - make StaticNat rules on the SRX. For
that, the SRX device has to treat a firewall rule as a static NAT rule for a
particular port if static NAT is enabled for this public IP address
in CloudStack. In all other cases the firewall rule should just be ignored.

CASE1:

* Get IP1.
* Create a PF rule for IP1 and port 22, VM1. Now you can access VM1.
* Create a firewall rule for IP1. The SRX should just ignore this request, as it
will not do anything.


CASE2:

* Get IP2.
* Enable static NAT on IP2 for VM1. Nothing is sent to the SRX just yet.
* Create a firewall rule for IP2 and ports 22-23. Send "enable static NAT for
IP2/VM1 and ports 22-23" to the SRX device.
* Repeat the last step for each port (port range) you want to enable static
NAT for.

In other words, you have to translate the CloudStack firewall rule into
ConfigureStaticNat on the SRX when the targeted public IP address is
static-NAT enabled. In all other cases firewall commands should
just be ignored by the SRX device.


Let me know what you think,
-Alena.





On 10/11/12 6:16 AM, "Jayapal Reddy Uradi" <jayapalreddy.ur...@citrix.com>
wrote:

>StaticNAT, PortForwarding and Firewall current functionality in the SRX
>is not similar to the Virtual Router.
>This functional spec describes what configuration is possible on the
>SRX and also the limitations of the SRX compared to the functionality in the VR.
>
>Please find the functional spec here:
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Static+NAT,+Port+Forwarding+and+Firewall+Implementation+on+SRX
>
>Please provide your comments on configuring the SRX device to get
>functionality similar to the VR.
>
>Thanks,
>Jayapal
>
>
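The translation rule proposed in Alena's reply above, as an added example that is not code from this thread or from CloudStack's SRX element: an in-memory model where the class and method names, the command strings and the sample IPs/VMs are assumptions, used to check that a firewall rule on a PF-only IP is ignored, a firewall rule on a static-NAT IP becomes ConfigureStaticNat for its port range, and a rule on P1 never opens a port on P2.

```python
# Added illustration of the proposed SRX translation rule; names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PublicIp:
    """State CloudStack keeps for one acquired public IP."""
    static_nat_vm: Optional[str] = None            # VM the IP is static-NAT'ed to
    pf_rules: List[Tuple[str, int, int]] = field(default_factory=list)
    nat_ranges: List[Tuple[int, int]] = field(default_factory=list)  # on SRX

class SrxTranslator:
    """Maps CloudStack rule operations to the commands sent to the SRX:
    a PF rule opens its port; a firewall rule opens a port range only on a
    static-NAT IP (as ConfigureStaticNat) and is ignored on any other IP."""

    def __init__(self) -> None:
        self.ips: Dict[str, PublicIp] = {}
        self.sent: List[str] = []                  # simulated device commands
    def acquire_ip(self, ip: str) -> None:
        self.ips[ip] = PublicIp()

    def create_pf_rule(self, ip: str, vm: str, start: int, end: int) -> str:
        self.ips[ip].pf_rules.append((vm, start, end))
        cmd = f"PortForwarding {ip}:{start}-{end} -> {vm}"
        self.sent.append(cmd)
        return cmd

    def enable_static_nat(self, ip: str, vm: str) -> None:
        self.ips[ip].static_nat_vm = vm            # nothing goes to the SRX yet

    def create_firewall_rule(self, ip: str, start: int, end: int) -> Optional[str]:
        state = self.ips[ip]
        if state.static_nat_vm is None:
            return None                            # not a static-NAT IP: ignored
        state.nat_ranges.append((start, end))
        cmd = f"ConfigureStaticNat {ip}:{start}-{end} -> {state.static_nat_vm}"
        self.sent.append(cmd)
        return cmd

    def port_open(self, ip: str, port: int) -> Optional[str]:
        """Guest VM reachable on ip:port, or None. Only this IP's rules count,
        so a firewall rule created for P1 never opens anything on P2."""
        state = self.ips[ip]
        for vm, start, end in state.pf_rules:
            if start <= port <= end:
                return vm
        if any(s <= port <= e for s, e in state.nat_ranges):
            return state.static_nat_vm
        return None
```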

