Thanks for working on it Wilder!!

On Thu, Jul 30, 2015 at 6:05 PM, Wilder Rodrigues <wrodrig...@schubergphilis.com> wrote:
> Hi,
>
> We discussed that one yesterday and I already assigned the issue to myself
> on Jira. I will fix it.
>
> Cheers,
> Wilder
>
> > On 30 Jul 2015, at 14:09, Sanjeev N <sanj...@apache.org> wrote:
> >
> > Agree with Kishan Kavala and Jayapal.
> >
> > On Thu, Jul 30, 2015 at 2:13 PM, Kishan Kavala <kishan.kav...@citrix.com>
> > wrote:
> >
> >> This is a security issue with high impact.
> >> We should treat it as a blocker.
> >>
> >> -----Original Message-----
> >> From: Jayapal Reddy Uradi [mailto:jayapalreddy.ur...@citrix.com]
> >> Sent: 30 July 2015 02:07 PM
> >> To: <dev@cloudstack.apache.org> <dev@cloudstack.apache.org>
> >> Subject: Re: [Blocker] Default ip table rules on VR
> >>
> >> I see VR ingress traffic is blocked by default from iptables mangle table.
> >> But on the guest interface all the traffic is accepted.
> >> Also egress firewall rule will break because of FORWARD policy.
> >>
> >> Thanks,
> >> Jayapal
> >>
> >> On 30-Jul-2015, at 12:53 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
> >>
> >>> It is a security concern on the VR. All the ingress traffic onto the VR is accepted.
> >>> Let it be a blocker.
> >>>
> >>> Thanks,
> >>> Jayapal
> >>>
> >>> On 30-Jul-2015, at 12:28 PM, Daan Hoogland <daan.hoogl...@gmail.com>
> >>> wrote:
> >>>
> >>>> I changed it to critical. It is only a blocker if we agree on this
> >>>> list that it is.
> >>>>
> >>>> On Thu, Jul 30, 2015 at 6:44 AM, Sanjeev N <sanj...@apache.org> wrote:
> >>>>> Hi,
> >>>>>
> >>>>> In latest ACS builds, the ip table rules in VR have ACCEPT as the
> >>>>> default policy in INPUT and FORWARD chains, instead of DROP.
> >>>>>
> >>>>> Created a blocker bug for this issue
> >>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-8688
> >>>>>
> >>>>> Can somebody please fix it?
> >>>>>
> >>>>> Thanks,
> >>>>> Sanjeev
> >>>>
> >>>> --
> >>>> Daan
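
The condition reported in this thread (ACCEPT rather than DROP as the default policy of the INPUT and FORWARD chains) can be checked mechanically from `iptables-save` output. The script below is an added example, not part of the original messages or of CloudStack's code; the function name `check_policies`, the two sample rule sets and the choice of the filter table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit default chain policies.
# Assumption: the policies in question are those of the filter table.

# Reads iptables-save output on stdin. Prints "<chain> <policy>" for each of
# filter/INPUT and filter/FORWARD whose default policy is not DROP, or
# "<chain> missing" if the chain never appears. Returns 1 on any finding.
check_policies() {
    awk '
        BEGIN { bad = 0 }
        /^\*/ { table = substr($0, 2); next }      # "*filter" opens a table
        table == "filter" && /^:(INPUT|FORWARD) / {
            chain = substr($1, 2)                  # ":INPUT" -> "INPUT"
            seen[chain] = 1
            if ($2 != "DROP") { print chain, $2; bad = 1 }
        }
        END {
            if (!("INPUT" in seen))   { print "INPUT missing"; bad = 1 }
            if (!("FORWARD" in seen)) { print "FORWARD missing"; bad = 1 }
            exit bad
        }
    '
}

# Constructed sample: the state described in the report.
SAMPLE_REPORTED='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# Constructed sample: the state the report expects (default DROP).
SAMPLE_EXPECTED='*mangle
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

printf '%s\n' "$SAMPLE_REPORTED" | check_policies || echo "finding: default policy is not DROP"
printf '%s\n' "$SAMPLE_EXPECTED" | check_policies && echo "ok: INPUT and FORWARD default to DROP"
```

On a live router the same function can be fed directly, run as root: `iptables-save | check_policies`.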