Understood. I assume this is the documented (in an FS or some such design
doc) behavior, correct? Thanks for the prompt reply, Jayapal!


On Tue, May 14, 2013 at 9:58 PM, Jayapal Reddy Uradi <
jayapalreddy.ur...@citrix.com> wrote:

> For the createFirewallRule and createEgressFirewallRule APIs the port
> parameters are optional.
> If you don't specify the port range for the protocol (TCP), it allows all
> the tcp traffic.
>
> Ingress:
> 1.  First the firewall rules filter traffic, then PF/Static NAT will NAT to
> the specific VM.
> If you specify tcp without ports, all tcp traffic on the IP is allowed, then
> the PF/Static NAT rule (PF ports) decides to which
> VM the traffic should be NATed.
>
> Egress:
> Traffic from guest network to public network is filtered by egress.
> If you specify tcp without ports, all egress tcp traffic is allowed.
>
> Thanks,
> Jayapal
>
> > -----Original Message-----
> > From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On
> > Behalf Of Will Stevens
> > Sent: Wednesday, 15 May 2013 12:19 AM
> > To: dev@cloudstack.apache.org; aemne...@gmail.com
> > Subject: Re: Firewall rule question
> >
> > Ya, I am not sure.  I am working off a master branch from about 2-3 weeks
> > ago.  I was kind of expecting it to error and it didn't, so it was not
> > clear how that case would behave.  I am currently developing an
> > integration with the Palo Alto firewall and they don't support specifying
> > a protocol like TCP without any port information.  I still have to
> > finalize the logic associated with that edge case, so I wanted to
> > understand what the expected behaviour was from that config.
> >
> >
> > On Tue, May 14, 2013 at 2:41 PM, Ahmad Emneina <aemne...@gmail.com>
> > wrote:
> >
> > > I'm hoping that's not the default behavior, and nothing happens on the
> > > firewall. I guess the fact that empty values entered returns success
> > > is a bug?
> > >
> > >
> > > On Tue, May 14, 2013 at 8:00 AM, Will Stevens <wstev...@cloudops.com>
> > > wrote:
> > >
> > > > This applies to both Egress firewall rules as well as IP specific
> > > > firewall rules.
> > > >
> > > > If you specify TCP but do not specify any port details, it saves
> > > > fine.  I am wondering what this config implies.  Does this mean that
> > > > all TCP traffic is allowed?
> > > >
> > > > Thanks,
> > > >
> > > > Will
> > > >
> > >
>
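
Added example, not part of the original thread and not CloudStack's own code: because a TCP or UDP rule saved without ports allows all traffic for that protocol, this script audits a rule listing for such rules. The JSON layout and field names (`listfirewallrulesresponse`, `firewallrule`, `startport`, `endport`) are assumed to follow the listFirewallRules response, and the sample data is constructed.

```python
import json

# Constructed sample shaped like a listFirewallRules JSON response (assumed layout).
SAMPLE = json.loads("""
{"listfirewallrulesresponse": {"firewallrule": [
  {"id": "r1", "protocol": "tcp", "startport": "22", "endport": "22",
   "ipaddress": "203.0.113.10", "cidrlist": "198.51.100.0/24"},
  {"id": "r2", "protocol": "tcp",
   "ipaddress": "203.0.113.10", "cidrlist": "0.0.0.0/0"},
  {"id": "r3", "protocol": "udp", "startport": "1", "endport": "65535",
   "ipaddress": "203.0.113.11", "cidrlist": "0.0.0.0/0"},
  {"id": "r4", "protocol": "icmp", "ipaddress": "203.0.113.11", "cidrlist": "0.0.0.0/0"}
]}}
""")

PORT_PROTOCOLS = {"tcp", "udp"}


def port_span(rule):
    """Return (start, end) as ints, or None when the rule carries no ports."""
    start, end = rule.get("startport"), rule.get("endport")
    if start in (None, "") and end in (None, ""):
        return None
    start = int(start if start not in (None, "") else end)
    end = int(end if end not in (None, "") else start)
    return start, end


def find_open_rules(rules):
    """Flag TCP/UDP rules that allow every port, implicitly or explicitly."""
    findings = []
    for rule in rules:
        if rule.get("protocol", "").lower() not in PORT_PROTOCOLS:
            continue
        span = port_span(rule)
        if span is None:
            findings.append((rule["id"], "no ports: all ports allowed"))
        elif span[0] <= 1 and span[1] >= 65535:
            findings.append((rule["id"], "explicit full port range"))
    return findings


def rules_from_response(doc):
    """Pull the rule list out of the (assumed) response wrapper."""
    return doc.get("listfirewallrulesresponse", {}).get("firewallrule", [])


if __name__ == "__main__":
    for rule_id, reason in find_open_rules(rules_from_response(SAMPLE)):
        print(rule_id, reason)
```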
