For the createFirewallRule and createEgressFirewallRule APIs the port 
parameters are optional.
If you don't specify the port range for the protocol (TCP) it allows all the 
TCP traffic.

Ingress:
1.  First, firewall rules filter traffic, then PF/Static NAT will NAT to the 
specific VM.
If you specify TCP without ports, all TCP traffic on the IP is allowed; then the 
PF/Static NAT rule (PF ports) decides to which 
VM the traffic should be NATed.

Egress:
Traffic from guest network to public network is filtered by egress.
If you specify TCP without ports, all egress TCP traffic is allowed.

Thanks,
Jayapal

> -----Original Message-----
> From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On
> Behalf Of Will Stevens
> Sent: Wednesday, 15 May 2013 12:19 AM
> To: dev@cloudstack.apache.org; aemne...@gmail.com
> Subject: Re: Firewall rule question
> 
> Ya, I am not sure.  I am working off a master branch from about 2-3 weeks
> ago.  I was kind of expecting it to error and it didn't, so it was not clear
> how that case would behave.  I am currently developing an integration with the
> Palo Alto firewall and they don't support specifying a protocol like TCP
> without any port information.  I still have to finalize the logic associated
> with that edge case, so I wanted to understand what the expected behaviour was
> from that config.
> 
> 
> On Tue, May 14, 2013 at 2:41 PM, Ahmad Emneina <aemne...@gmail.com>
> wrote:
> 
> > I'm hoping that's not the default behavior, and nothing happens on the
> > firewall. I guess the fact that empty values entered returns success
> > is a bug?
> >
> >
> > On Tue, May 14, 2013 at 8:00 AM, Will Stevens <wstev...@cloudops.com>
> > wrote:
> >
> > > This applies to both Egress firewall rules as well as IP specific
> > > firewall rules.
> > >
> > > If you specify TCP but do not specify any port details, it saves
> > > fine.  I am wondering what this config implies.  Does this mean that
> > > all TCP traffic is allowed?
> > >
> > > Thanks,
> > >
> > > Will
> > >
> >
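The ingress semantics described in this thread (a TCP rule with no ports opens every TCP port; the firewall filters first, then the PF rule picks the VM), as an added Python model that is not CloudStack's own code. The single-port default for a lone startport, the audit check and the class names are assumptions of this example:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Added model of the behaviour described in the thread; it is not CloudStack
# code. The rule fields mirror the createFirewallRule parameters.
@dataclass
class FirewallRule:
    protocol: str                    # "tcp", "udp" or "icmp"
    startport: Optional[int] = None  # left out of the API call -> None
    endport: Optional[int] = None
    cidrlist: str = "0.0.0.0/0"      # single source CIDR the rule accepts

@dataclass
class PortForwardRule:
    public_start: int
    public_end: int
    vm: str                          # VM the traffic is NATed to

def effective_ports(rule):
    """Range the rule really opens: TCP/UDP with no ports means every port.
    A startport without endport is assumed here to mean that single port."""
    if rule.protocol.lower() == "icmp":
        return None
    if rule.startport is None:
        return (1, 65535)
    return (rule.startport, rule.endport if rule.endport is not None else rule.startport)

def is_overly_broad(rule):
    """Audit check: a whole protocol opened to any source address."""
    return (effective_ports(rule) == (1, 65535)
            and ip_network(rule.cidrlist).prefixlen == 0)

def firewall_allows(rules, src_ip, proto, port):
    """True if some rule matches the source address, protocol and port."""
    for r in rules:
        if r.protocol.lower() != proto.lower():
            continue
        if ip_address(src_ip) not in ip_network(r.cidrlist):
            continue
        ports = effective_ports(r)
        if ports is None or ports[0] <= port <= ports[1]:
            return True
    return False

def route_ingress(fw_rules, pf_rules, src_ip, proto, port):
    """Ingress order from the thread: firewall filters first, then the PF
    rule decides which VM gets the packet. None means dropped."""
    if not firewall_allows(fw_rules, src_ip, proto, port):
        return None
    return next((pf.vm for pf in pf_rules
                 if pf.public_start <= port <= pf.public_end), None)
```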
