Keeping Brian in the loop too

On 10/16/12 4:04 PM, "Sangeetha Hariharan" <sangeetha.hariha...@citrix.com> wrote:

>Jayapal,
>
>I had another question regarding the UI implementation:
>
>In the UI Changes section, the following is mentioned:
>
>"The following changes are needed for the networks page for the external
>device SRX network.
>
>1. Network -> Guest Network -> View IP Addresses -> <IP Address> ->
>Configuration
>
>a. Hide the Firewall when Port forwarding is configured on IP Address."
>
>>> How do we prevent the case when the user creates a firewall first and
>>> then he tries to create a PF/LB rule (when we use SRX/F5 inline mode)?
>>> In this case what should be the expected behavior? Do we actually
>>> configure the user-created firewall, PF rule and also create firewalls
>>> for the PF rule (if the port used in the create firewall is different
>>> from that provided in the PF rule)?
>
>Thanks
>Sangeetha
>
>-----Original Message-----
>From: Sangeetha Hariharan
>Sent: Tuesday, October 16, 2012 1:47 PM
>To: cloudstack-dev@incubator.apache.org; Alena Prokharchyk
>Subject: RE: StaticNAT, Portforwarding and Firewall implementation on the SRX
>
>Hi Jayapal,
>
>Had the following questions after reviewing the FS.
>
>1) "Case 4:
>Firewall rule is not deleted when disable the Static NAT.
>1. Acquire Ip P4.
>2. Create Firewall for port 22.
>3. Enable static NAT on P2 for VM2.
>4. Disable static NAT.
>5. Enable static NAT
>7. PublicNetwork# ssh <P4> (ssh to VM1 should succeed)"
>
>In this case, step 3, I assume, should be P4.
>
>After Step 4, on the SRX side we will see both the firewall rule and
>static NAT being deleted. But in the cloud DB we will still have the firewall
>rules present. Is this correct?
>
>After Step 5, on the SRX side we will see both the firewall rule and
>static NAT being created back on the SRX side. Is this correct?
>
>2) What will the behavior be in the following use case, where the user deletes a
>firewall that was created for a Static NAT rule?
>
>1. Acquire Ip address.
>2. Create a Static NAT rule.
>3. Create Firewall rule for port 22.
>4. Create Firewall rule for port 80.
>5. Delete firewall rule for port 22.
>6. Delete firewall rule for port 80.
>7. Add firewall rule for port 22.
>
>After Step 5,
>In SRX, we expect the firewall rule for port 22 to be deleted.
>
>After Step 6,
>In SRX, do we expect the firewall rule for port 80 and the Static NAT rule
>to be deleted?
>
>After Step 7,
>In SRX, do we expect the firewall rule for port 22 and the Static NAT rule
>to be created?
>
>-Thanks
>Sangeetha
>
>-----Original Message-----
>From: Jayapal Reddy Uradi [mailto:jayapalreddy.ur...@citrix.com]
>Sent: Tuesday, October 16, 2012 7:43 AM
>To: cloudstack-dev@incubator.apache.org; Alena Prokharchyk
>Subject: RE: StaticNAT, Portforwarding and Firewall implementation on the SRX
>
>Updated the FS as per the discussion.
>
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Static+NAT,+Port+Forwarding+and+Firewall+Implementation+on+SRX
>
>Thanks,
>Jayapal
>
>> -----Original Message-----
>> From: Jayapal Reddy Uradi [mailto:jayapalreddy.ur...@citrix.com]
>> Sent: Tuesday, October 16, 2012 12:44 PM
>> To: Alena Prokharchyk; cloudstack-dev@incubator.apache.org
>> Subject: RE: StaticNAT, Portforwarding and Firewall implementation on the SRX
>>
>> Please see my comments inline.
>>
>> -Jayapal
>>
>> From: Alena Prokharchyk
>> Sent: Monday, October 15, 2012 10:04 PM
>> To: Jayapal Reddy Uradi; cloudstack-dev@incubator.apache.org
>> Subject: Re: StaticNAT, Portforwarding and Firewall implementation on the SRX
>>
>> From: Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com>
>> To: Alena Prokharchyk <alena.prokharc...@citrix.com>,
>> "cloudstack-dev@incubator.apache.org" <cloudstack-dev@incubator.apache.org>
>> Subject: RE: StaticNAT, Portforwarding and Firewall implementation on the SRX
>>
>> Hi Alena,
>>
>> Please see my comments inline,
>>
>> -Jayapal
>>
>> -----Original Message-----
>> From: Alena Prokharchyk
>> Sent: Friday, October 12, 2012 10:19 PM
>> To: Jayapal Reddy Uradi; cloudstack-dev@incubator.apache.org
>> Subject: Re: StaticNAT, Portforwarding and Firewall implementation on the SRX
>>
>> Jayapal, please see my comments inline.
>>
>> -Alena.
>>
>> On 10/11/12 11:07 PM, "Jayapal Reddy Uradi" <jayapalreddy.ur...@citrix.com> wrote:
>>
>> >Alena,
>> >
>> >Please find my inline comments.
>> >
>> >Thanks,
>> >Jayapal
>> >
>> >-----Original Message-----
>> >From: Alena Prokharchyk
>> >Sent: Friday, October 12, 2012 5:54 AM
>> >To: cloudstack-dev@incubator.apache.org; Jayapal Reddy Uradi
>> >Subject: Re: StaticNAT, Portforwarding and Firewall implementation on the SRX
>> >
>> >Jayapal, I reviewed the spec. My comments:
>> >
>> >If firewall rules per public IP address can't be configured on the
>> >SRX, and there is no way to fix it (your spec says so in the "Limitation"
>> >section), why do we introduce all this complexity? To me it seems
>> >like we are trying to show the user that he is controlling public
>> >ports on the SRX, while in fact it's not true. It should work just like
>> >it used to work before: the ingress traffic flow from public to guest
>> >interfaces should be controlled by the PF/StaticNat/LB rule; ingress
>> >traffic to the public IP address is always allowed. When there is no
>> >PF/LB/StaticNat rule for the Guest network port, the traffic to the Guest
>> >port is blocked. Once you create a PF rule for publicIp + guestIp, access
>> >to the specific port of the Guest network is opened automatically.
>> >The example below (taken from the spec):
>> >
>> >Example:
>> >
>> >1. Acquire IP P1.
>> >2. Create Firewall for port 22 - port 22.
>> >3. Configure the port forwarding for Public IP P1, user VM V1
>> >4. Acquire another IP P2.
>> >5. Enable staticNAT on P2 for VM V1
>> >
>> >//Jayapal
>> >Let me change the case here; I am going to update it in the FS.
>> >6. Add firewall rule for P2 for VM V1 on port 80
>> >7. Now in SRX, using P2 the user can access the VM V1 ports 22 and 80.
>>
>> Still doesn't work like the regular Firewall rule. You enabled Firewall for port
>> 22 on P1, and for port 80 on P2, and it results in being able to access
>> port 22/80 on P2? A Firewall rule on one public IP should never affect
>> the behavior of another public IP. That's not how a Firewall rule is
>> supposed to work.
>>
>> >7. Now P1 and P2 both can access the VM port 22 - /// you haven't
>> >created the Firewall rule for P2, yet the access from it is
>> >enabled implicitly to port 22:22. It's very confusing. In other
>> >words, the firewall rule created for the P1 IP should never ever control
>> >the access to the P2 IP address.
>> >
>> >We need to fix the original issue - make StaticNat rules on the SRX.
>> >For that we have to treat the firewall rule as a static NAT rule for a
>> >particular port on the SRX device if static NAT is enabled for this
>> >public IP address in CloudStack. In all other cases the Firewall rule
>> >should just be ignored.
>> >
>> >//Jayapal
>> >I agree with ignoring firewall for port forwarding.
>> >But in VR the PF rule works only after adding the Firewall rule for the
>> >public ports.
>>
>> It is ok to leave it the old way for the SRX. Your limitation clearly
>> says that you can't control the public IP / ports on the SRX anyway.
>> So let's just fix the Static NAT rule; it would also leave less chance
>> of regressing PF rule functionality.
>>
>> >CASE1:
>> >
>> >* Get Ip1.
>> >* Create PF rule for IP1 and port 22, VM1. Now you can access VM1.
>> >* Create firewall rule for Ip1. SRX should just ignore this request
>> >as it will not do anything.
>> >
>> >CASE2:
>> >
>> >* Get IP2.
>> >* Enable static NAT on IP2 and VM1. Nothing is sent to the SRX just yet.
>> >* Create firewall rule for IP2 and ports 22-23. Send enable static
>> >NAT for IP2/VM1 and ports 22-23 to the SRX device.
>> >* Repeat the last step for each port (port range) you want to enable
>> >static NAT for.
>> >
>> >//Jayapal
>> >In SRX, the issue below can still exist.
>> >Case3:
>> >In addition to CASE1 and CASE2, create another PF rule for IP1 and port
>> >80, VM1. Now you can access VM1 port 80.
>> >Now P2 can access port 80 without a Firewall rule on port 80,
>> >because the security policy in SRX is not differentiated for Public IPs.
>>
>> You can never create a PF or LB rule for an IP address that has a
>> Static NAT rule assigned.
>>
>> [Jayapal]
>> But we can create
>> - PF: P1, VM V1 and ports 22-22
>> - Static NAT: P2, VM V1, and Firewall port 80
>> Here P2 can access V1's ports 22, 80. This is specific to SRX.
>>
>> If it was always the case for SRX, then we just have to document it. I
>> believe even with the initial design you've proposed, it would have been the case.
>> You can't control public ports with Firewall rules.
>> Please confirm.
>>
>> [Jayapal]
>> This case is always there with the SRX.
>>
>> >In other words, you have to make the translation of the CloudStack
>> >Firewall rule to ConfigureStaticNat on the SRX when the targeted public
>> >IP address is Static NAT enabled. In all other cases Firewall
>> >commands should just be ignored by the SRX device.
>> >
>> >Let me know what you think,
>> >
>> >//Jayapal
>> >I agree with you.
>> >The current port forwarding rule has a Public Port range and a Private Port
>> >range. So port forwarding allows only the Public Ports that we added. Again
>> >allowing ports using Firewall is of no use.
>> >Example:
>> >Port forwarding rule: public port 22 and private port 22. Here Port
>> >Forwarding can allow only 22, so there is no need to explicitly allow it
>> >using the firewall. If you don't want to allow the ports, DELETE the
>> >Port Forwarding rule.
>> >On top of PF, adding a Firewall rule to allow ports 22-80 is of no use
>> >because there is a port forwarding rule for 23-80.
>>
>> It's all right. We can change the UI to disable the Firewall rule block on
>> the networking diagram (when the PF provider is SRX). So only PF/LB
>> and Static NAT functionality will be enabled. For opening ports for
>> static NAT the UI will still be using createFirewallRule calls, but
>> it will not be shown to the user as "Firewall".
>>
>> >-Alena.
>> >
>> >On 10/11/12 6:16 AM, "Jayapal Reddy Uradi" <jayapalreddy.ur...@citrix.com> wrote:
>> >
>> >>StaticNAT, PortForwarding and Firewall current functionality in
>> >>SRX is not similar to the Virtual Router.
>> >>This functional spec describes what configuration is possible on
>> >>the SRX and also the limitations of the SRX compared to the
>> >>functionality in VR.
>> >>
>> >>Please find the functional spec here:
>> >>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Static+NAT,+Port+Forwarding+and+Firewall+Implementation+on+SRX
>> >>
>> >>Please provide your comments on configuring the SRX device to get
>> >>functionality similar to VR.
>> >>
>> >>Thanks,
>> >>Jayapal
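The thread above argues about what the SRX actually lets through once PF rules, static NAT and firewall rules are mixed on the same VM. The following is an added toy model of those semantics, written for this page; it is not CloudStack's SRX resource code and not Junos configuration. It encodes only what the participants state: a PF rule opens exactly the public port it names; enabling static NAT sends nothing to the SRX until a firewall rule on that IP is created, which is then translated into ConfigureStaticNat for the rule's port range, while firewall rules on any other public IP are ignored; an IP cannot carry both PF rules and static NAT; and the SRX security policy is keyed by guest VM and port rather than by public IP, which is why P2 reaches V1:22 in Jayapal's Case 3 without any rule for port 22 on P2. The class and function names, the in-memory data layout, and treating static NAT on the SRX as a 1:1 address translation are assumptions made for this example.

```python
"""Toy model of the SRX reachability semantics described in the thread.

Added illustration, not CloudStack or SRX code. Names, data layout and the
1:1 treatment of static NAT on the SRX are assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass
class SrxModel:
    # (public_ip, public_port) -> (vm, guest_port): one entry per PF rule
    pf: dict = field(default_factory=dict)
    # public_ip -> vm as enabled in CloudStack (may not be on the SRX yet)
    static_nat_cs: dict = field(default_factory=dict)
    # public_ip -> vm: 1:1 translations actually pushed to the SRX
    static_nat_srx: dict = field(default_factory=dict)
    # (vm, guest_port) pairs permitted by the single SRX security policy;
    # note that public_ip is deliberately absent from the key
    policy: set = field(default_factory=set)
    # firewall rules the SRX resource ignored, kept so the caller can see them
    ignored_firewall: list = field(default_factory=list)

    def add_pf(self, public_ip, public_port, vm, guest_port):
        """PF rule: translate one public port and permit the guest port."""
        if public_ip in self.static_nat_cs:
            raise ValueError("PF/LB rule is not allowed on a static-NAT IP")
        self.pf[(public_ip, public_port)] = (vm, guest_port)
        self.policy.add((vm, guest_port))

    def enable_static_nat(self, public_ip, vm):
        """Record static NAT in CloudStack; nothing is sent to the SRX yet."""
        if any(ip == public_ip for ip, _ in self.pf):
            raise ValueError("static NAT is not allowed on an IP with PF rules")
        self.static_nat_cs[public_ip] = vm

    def add_firewall(self, public_ip, start_port, end_port):
        """Firewall rule -> ConfigureStaticNat when the IP is static-NAT
        enabled in CloudStack; otherwise the SRX ignores it."""
        vm = self.static_nat_cs.get(public_ip)
        if vm is None:
            self.ignored_firewall.append((public_ip, start_port, end_port))
            return
        self.static_nat_srx[public_ip] = vm          # 1:1 translation now live
        for port in range(start_port, end_port + 1):
            self.policy.add((vm, port))              # opened for the VM, not the IP

    def reachable(self, public_ip, port):
        """Can a client on the public network reach public_ip:port?"""
        if (public_ip, port) in self.pf:
            vm, guest_port = self.pf[(public_ip, port)]
        elif public_ip in self.static_nat_srx:
            vm, guest_port = self.static_nat_srx[public_ip], port
        else:
            return False                     # no translation on the SRX
        return (vm, guest_port) in self.policy   # policy never sees public_ip


def case3():
    """Jayapal's Case 3: PF on P1 for ports 22 and 80, static NAT on P2 with
    a firewall rule for port 80 only. Returns the resulting reachability."""
    m = SrxModel()
    m.add_pf("P1", 22, "V1", 22)        # CASE1
    m.add_firewall("P1", 22, 22)        # ignored: P1 is a PF IP
    m.enable_static_nat("P2", "V1")     # CASE2: nothing on the SRX yet
    before = m.reachable("P2", 22)      # False: no translation pushed yet
    m.add_firewall("P2", 80, 80)        # ConfigureStaticNat P2/V1, port 80
    m.add_pf("P1", 80, "V1", 80)        # Case 3: second PF rule on P1
    return {
        "P2:22 before any P2 firewall rule": before,
        "P1:22": m.reachable("P1", 22),
        "P1:80": m.reachable("P1", 80),
        "P1:23": m.reachable("P1", 23),
        "P2:22": m.reachable("P2", 22),  # open although P2 has no rule for 22
        "P2:80": m.reachable("P2", 80),
        "P2:23": m.reachable("P2", 23),
        "ignored firewall rules": len(m.ignored_firewall),
    }


if __name__ == "__main__":
    for name, value in case3().items():
        print(f"{name}: {value}")
```

The model makes the limitation concrete: P1 never reaches V1:23 because the PF rules only translate ports 22 and 80, but P2 reaches V1:22 even though the only rule ever created on P2 was for port 80, because the guest-side policy entry for (V1, 22) was created by the PF rule on P1. Deleting rules (Sangeetha's second question) is left out on purpose, since the thread does not settle that behaviour.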