> -----Original Message-----
> From: Jayapal Reddy Uradi [mailto:jayapalreddy.ur...@citrix.com]
> Sent: Wednesday, May 15, 2013 10:29 AM
> To: dev@cloudstack.apache.org; aemne...@gmail.com
> Subject: RE: Firewall rule question
>
> For the createFirewallRule and createEgressFirewallRule APIs the port
> parameters are optional.
> If you don't specify the port range for the protocol (TCP) it allows all
> the TCP traffic.
>
> Ingress:
> 1. First the firewall rules filter traffic, then PF/Static NAT will NAT to
> the specific VM.
> If you specify TCP without ports, all TCP traffic on the IP is allowed; then
> the PF/Static NAT rule (PF ports) decides to which VM the traffic should be
> NATed.
>
> Egress:
> Traffic from the guest network to the public network is filtered by egress.
> If you specify TCP without ports, all egress TCP traffic is allowed.
>
> In case of egress even the cidr is optional. If nothing is specified it
> defaults to the guest network cidr.
>
> Thanks,
> Jayapal
>
> > -----Original Message-----
> > From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On
> > Behalf Of Will Stevens
> > Sent: Wednesday, 15 May 2013 12:19 AM
> > To: dev@cloudstack.apache.org; aemne...@gmail.com
> > Subject: Re: Firewall rule question
> >
> > Ya, I am not sure. I am working off a master branch from about 2-3
> > weeks ago. I was kind of expecting it to error and it didn't, so it
> > was not clear how that case would behave. I am currently developing
> > an integration with the Palo Alto firewall and they don't support
> > specifying a protocol like TCP without any port information. I still
> > have to finalize the logic associated with that edge case, so I wanted
> > to understand what the expected behaviour was from that config.
> >
> >
> > On Tue, May 14, 2013 at 2:41 PM, Ahmad Emneina <aemne...@gmail.com>
> > wrote:
> >
> > > I'm hoping that's not the default behavior, and nothing happens on
> > > the firewall. I guess the fact that empty values entered returns
> > > success is a bug?
> > >
> > >
> > > On Tue, May 14, 2013 at 8:00 AM, Will Stevens
> > > <wstev...@cloudops.com>
> > > wrote:
> > >
> > > > This applies to both Egress firewall rules as well as IP specific
> > > > firewall rules.
> > > >
> > > > If you specify TCP but do not specify any port details, it saves
> > > > fine. I am wondering what this config implies. Does this mean
> > > > that all TCP traffic is allowed?
> > > >
> > > > Thanks,
> > > >
> > > > Will
> > > >
> > >
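Added example (not CloudStack's code nor the Palo Alto integration discussed above): a normalizer that expands the optional fields of a createFirewallRule / createEgressFirewallRule request into the explicit semantics Jayapal describes, so a backend that rejects "TCP with no ports" can be handed a full port range instead of failing silently. It assumes the API parameter names protocol, startport, endport and cidrlist, and that an ingress rule with no cidrlist means any source (the thread only states the egress default).

```python
from typing import Optional

ALL_PORTS = (1, 65535)  # CloudStack: protocol with no ports means all traffic for that protocol


def normalize_rule(rule: dict, direction: str, guest_cidr: Optional[str] = None) -> dict:
    """Expand a CloudStack firewall rule into explicit ports and CIDRs.

    rule: dict of API parameters (protocol, optional startport/endport, optional cidrlist).
    direction: "ingress" or "egress". guest_cidr: the guest network CIDR, needed for
    egress rules that omit cidrlist (CloudStack defaults to it, per the thread).
    The returned "all_ports" flag lets an integration detect the edge case where the
    device it drives cannot express "TCP without ports" and must be given the full range.
    """
    if direction not in ("ingress", "egress"):
        raise ValueError(f"unknown direction {direction!r}")
    proto = rule["protocol"].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"this normalizer handles tcp/udp only, got {proto!r}")

    out = {"protocol": proto, "direction": direction, "all_ports": False}

    start, end = rule.get("startport"), rule.get("endport")
    if start is None and end is None:
        # Ports omitted: the API accepts this and it means every port of the protocol.
        out["ports"] = ALL_PORTS
        out["all_ports"] = True
    else:
        # One bound given: treat it as a single port, as a user would expect.
        start = int(start if start is not None else end)
        end = int(end if end is not None else start)
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"invalid port range {start}-{end}")
        out["ports"] = (start, end)

    cidrs = rule.get("cidrlist")
    if cidrs:
        out["cidrlist"] = [c.strip() for c in cidrs.split(",") if c.strip()]
    elif direction == "egress":
        if guest_cidr is None:
            raise ValueError("egress rule without cidrlist needs the guest network CIDR")
        out["cidrlist"] = [guest_cidr]  # default stated in the thread
    else:
        out["cidrlist"] = ["0.0.0.0/0"]  # assumption: ingress with no cidrlist = any source
    return out
```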