GitHub user wilderrodrigues opened a pull request:

    https://github.com/apache/cloudstack/pull/765

    CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be set to DROP instead of ACCEPT
    
      - In order to be able to access the routers via the link local interface, we have to add rules with NEW and ESTABLISHED state
    
    Tests:
    
    * Deployed 2 zones, basic and advanced, using KVM as hypervisor
    * On the basic zone, created 1 security group, added ingress rules to open port 22 and deployed 1 VM
      * SSH into the router and checked that the INPUT/FORWARD policies were 
set to DROP
      * SSH to the VM
    * On the advanced zone, created 1 single VPC (with 2 tiers, 2 pub IPs, 2 VMs and 1 ACL), 1 redundant VPC (with 2 tiers, 2 pub IPs, 2 VMs and 1 ACL), 1 isolated network (with 1 VM and 1 pub IP), 1 redundant network (with 1 VM and 1 pub IP)
      * SSH into all routers to check that the INPUT/FORWARD policies were set 
to DROP
      * SSH into all VMs to test the communication
    
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.26
    The authenticity of host '192.168.23.26 (192.168.23.26)' can't be 
established.
    RSA key fingerprint is cb:42:81:d0:05:97:f4:be:9e:3b:dd:3f:c6:d2:48:e7.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.26' (RSA) to the list of known hosts.
    root@192.168.23.26's password: 
    # ls /
    bin         boot        dev         etc         home        lib         
lib64       linuxrc     lost+found  media       mnt         opt         proc    
    root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.23.26 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.22.63
    The authenticity of host '192.168.22.63 (192.168.22.63)' can't be 
established.
    RSA key fingerprint is a2:20:d6:e2:fb:c5:89:94:57:f5:89:b1:a1:6d:63:99.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.22.63' (RSA) to the list of known hosts.
    root@192.168.22.63's password: 
    # ls /
    bin         boot        dev         etc         home        lib         
lib64       linuxrc     lost+found  media       mnt         opt         proc    
    root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.22.63 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.27 
    The authenticity of host '192.168.23.27 (192.168.23.27)' can't be 
established.
    RSA key fingerprint is 20:f1:6d:9b:74:c5:7b:53:10:5c:a0:0c:bc:9f:2a:29.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.27' (RSA) to the list of known hosts.
    root@192.168.23.27's password: 
    # ls /
    bin         boot        dev         etc         home        lib         
lib64       linuxrc     lost+found  media       mnt         opt         proc    
    root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.23.27 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.28
    The authenticity of host '192.168.23.28 (192.168.23.28)' can't be 
established.
    RSA key fingerprint is f7:ae:49:46:ba:02:c1:25:5a:50:87:0e:6f:a4:43:a3.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.28' (RSA) to the list of known hosts.
    root@192.168.23.28's password: 
    # ls /
    bin         boot        dev         etc         home        lib         
lib64       linuxrc     lost+found  media       mnt         opt         proc    
    root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.23.28 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.29
    The authenticity of host '192.168.23.29 (192.168.23.29)' can't be 
established.
    RSA key fingerprint is 09:0c:f2:41:a3:74:3d:ee:04:2b:78:ff:a9:91:0d:79.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.29' (RSA) to the list of known hosts.
    root@192.168.23.29's password: 
    # ls /
    bin         boot        dev         etc         home        lib         
lib64       linuxrc     lost+found  media       mnt         opt         proc    
    root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.23.29 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.30
    The authenticity of host '192.168.23.30 (192.168.23.30)' can't be 
established.
    RSA key fingerprint is 2c:a6:10:f5:6d:4b:d1:70:e2:47:07:19:0b:86:c1:b0.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.30' (RSA) to the list of known hosts.
    root@192.168.23.30's password: 
    # ls /
    bin         boot        dev         etc         home        lib         
lib64       linuxrc     lost+found  media       mnt         opt         proc    
    root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.23.30 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$
    
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.32
    The authenticity of host '192.168.23.32 (192.168.23.32)' can't be 
established.
    RSA key fingerprint is 6b:85:1e:c7:2e:aa:01:a2:d4:19:e3:ec:a7:69:a1:71.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.32' (RSA) to the list of known hosts.
    root@192.168.23.32's password: 
    # ls /
    bin         boot        dev         etc         home        lib         
lib64       linuxrc     lost+found  media       mnt         opt         proc    
    root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.23.32 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ 
    
    I'm now running some automated tests, will post the results here once they 
are complete.
    
    @remibergsma @DaanHoogland @bhaisaab @miguelaferreira @wido @karuturi , 
could you guys please have a look?
    
    Cheers,
    Wilder


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/schubergphilis/cloudstack fix/default_policies

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/765.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #765
    
----
commit f5e5f4d0026f8ffd6f3aa7e8e4c7be0cd809d6c9
Author: wilderrodrigues <wrodrig...@schubergphilis.com>
Date:   2015-08-27T13:21:30Z

    CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be set to 
DROP instead of ACCEPT
    
      - In order to be able to access the routers via the link local interface, we have to add rules with NEW and ESTABLISHED state

----
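
The point of the change above, and the lockout trap the second bullet of the description is guarding against, as an added worked example (this is illustration code written for this page, not CloudStack's own netfilter code and not the contents of the pull request): a small first-match model of an iptables INPUT chain, built three ways. Interface names (eth0 as the link-local interface, eth2 as the public interface), the 169.254.x and documentation addresses, port 22, and the loopback and ESTABLISHED,RELATED accept rules are assumptions made for the demo; only the "policy DROP plus NEW,ESTABLISHED on the link-local interface" part comes from the PR text.

```python
"""Toy model of the INPUT-chain policy change discussed in this pull request.

Added illustration only; this is not CloudStack's own netfilter code.
Interface names (eth0 for the link-local interface, eth2 for the public
interface), the addresses and port 22 are assumptions made for the demo.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int
    state: str  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str                            # -j ACCEPT / -j DROP
    in_iface: Optional[str] = None         # -i <iface>
    proto: Optional[str] = None            # -p <proto>
    dport: Optional[int] = None            # --dport <port>
    states: FrozenSet[str] = frozenset()   # -m state --state A,B

    def matches(self, pkt: Packet) -> bool:
        """Every specified match has to hold; unspecified ones match anything."""
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True

    def render(self, chain: str) -> str:
        """One iptables-restore style line for this rule."""
        parts = [f"-A {chain}"]
        if self.in_iface is not None:
            parts.append(f"-i {self.in_iface}")
        if self.proto is not None:
            parts.append(f"-p {self.proto}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        if self.states:
            parts.append("-m state --state " + ",".join(sorted(self.states)))
        parts.append(f"-j {self.target}")
        return " ".join(parts)


@dataclass
class Chain:
    name: str
    policy: str                        # -P <chain> ACCEPT / DROP
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        """First matching rule wins; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

    def render(self) -> List[str]:
        """Policy line plus rule lines, for reviewing a generated ruleset."""
        return [f":{self.name} {self.policy} [0:0]"] + [r.render(self.name) for r in self.rules]


LINK_LOCAL_IFACE = "eth0"  # assumption
PUBLIC_IFACE = "eth2"      # assumption

# Constructed sample traffic (addresses are made up for the demo).
MGMT_SSH = Packet(LINK_LOCAL_IFACE, "169.254.0.1", "169.254.1.23", "tcp", 22, "NEW")
MGMT_SSH_REPLY = Packet(LINK_LOCAL_IFACE, "169.254.0.1", "169.254.1.23", "tcp", 22, "ESTABLISHED")
PUBLIC_PROBE = Packet(PUBLIC_IFACE, "203.0.113.5", "198.51.100.10", "tcp", 22, "NEW")
PUBLIC_REPLY = Packet(PUBLIC_IFACE, "203.0.113.5", "198.51.100.10", "tcp", 443, "ESTABLISHED")


def input_chain_before() -> Chain:
    """The situation the ticket complains about: policy ACCEPT, so any
    traffic without an explicit DROP rule reaches the router itself."""
    return Chain("INPUT", "ACCEPT")


def input_chain_drop_only() -> Chain:
    """Policy flipped to DROP with no accept rules: the link-local SSH
    session the management side relies on is dropped as well (lockout)."""
    return Chain("INPUT", "DROP")


def input_chain_after() -> Chain:
    """Policy DROP plus the rule the PR describes: NEW and ESTABLISHED traffic
    on the link-local interface is accepted. The loopback and
    ESTABLISHED,RELATED rules are this example's additions, not the PR's."""
    return Chain("INPUT", "DROP", [
        Rule("ACCEPT", in_iface="lo"),
        Rule("ACCEPT", in_iface=LINK_LOCAL_IFACE, states=frozenset({"NEW", "ESTABLISHED"})),
        Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    ])


def lockout_check(chain: Chain) -> bool:
    """True when a new SSH session over the link-local interface still gets
    through; worth running before flipping a policy to DROP on a remote box."""
    return chain.verdict(MGMT_SSH) == "ACCEPT"


if __name__ == "__main__":
    for build in (input_chain_before, input_chain_drop_only, input_chain_after):
        chain = build()
        print("\n".join(chain.render()))
        print(f"  mgmt ssh: {chain.verdict(MGMT_SSH)}  public probe: {chain.verdict(PUBLIC_PROBE)}")
```

Running it prints the three rulesets with their verdicts: before the change an unsolicited SYN to port 22 on the public interface is accepted by policy; with DROP alone the management SSH session over link-local is dropped too, which is the lockout the description's second bullet avoids; with the NEW,ESTABLISHED rule on the link-local interface in place the management session passes while the public probe hits the DROP policy. The same lockout check is what the manual "SSH into all routers" steps in the test list exercise on real routers.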


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
