Oh I see, I only set egress_default_policy so that doesn't apply to
ingress. But still, the initial issue remains. Is there a way for me to
allow incoming traffic without specifying ingress rules? Disabling security
groups seems to set ingress to reject all incoming traffic (not preceded by
outgoing communication first ofc).

Sorry for the spam.

/Magnus


2013/11/29 Magnus Janson <mag...@fnutt.us>

> With security groups enabled, I need to set ingress rules to allow
> external traffic to my virtual hosts.
>
> With security groups disabled, I can't allow any external traffic to my
> virtual hosts.
>
> Before creating the zone, I performed this:
> UPDATE `cloud`.`network_offerings` SET `egress_default_policy`=1
>
> Even though the default policy is changed, from reject to allow, I'm still
> only able to get external traffic to my virtual hosts by adding ingress
> rules.
>
> Seems like I have no other option than using security groups, and adding
> ingress rules to every user. Doesn't seem like there's any global ingress
> rules which I could apply to all users.
>
> Maybe this is the way it was designed? I'm looking for an alternative, as
> I don't want to specify the ingress rules for each account.
>
> Hopefully this makes my issue a bit easier to understand.
>
> /Magnus
>
>
> 2013/11/29 Magnus Janson <mag...@fnutt.us>
>
>> Hi Geoff,
>>
>> Thank you for your reply.
>>
>> I am using a guest gateway, and the gateway IP maps to a physical
>> router/firewall.
>>
>> Initially I was using DefaultSharedNetworkOfferingWithSGService. But that
>> required me to set egress rules for each user to allow all traffic for that
>> user's VM instances. However, after setting the egress rules the traffic to
>> the vm instances worked great.
>>
>> As I have plenty of users, I would want to skip this step. So I recreated
>> the zone, with DefaultSharedNetworkOffering instead.
>>
>> My understanding was that if I disabled security groups, they wouldn't
>> block the incoming traffic to my virtual hosts anymore. However, it seems
>> that I'm now stuck with a default policy to block all incoming connections
>> and I don't have any possibility to allow incoming connections as I
>> disabled (removed) the security groups feature.
>>
>> The issue here seems to be that cloudstack by default rejects all
>> incoming traffic, and I can't figure out how to change that behaviour.
>>
>> /Magnus
>>
>>
>> 2013/11/28 Geoff Higginbottom <geoff.higginbot...@shapeblue.com>
>>
>>> Magnus,
>>>
>>> A Shared Network does not provide Source NAT, so therefore does not act
>>> as the Gateway.  When you created the network, you would have specified a
>>> 'Guest Gateway' IP, this IP needs to map to a Physical Router/Firewall
>>> which will provide the Routing/Firewall functionality.
>>>
>>> As the 'Default Shared Network' offering only provides DHCP, DNS & User
>>> Data, none of the Firewall, Egress Rules, VPN, LB features etc will be
>>> available to you.
>>>
>>> Regards
>>>
>>> Geoff Higginbottom
>>>
>>> D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581
>>>
>>> geoff.higginbot...@shapeblue.com
>>>
>>> -----Original Message-----
>>> From: Magnus Janson [mailto:mag...@fnutt.us]
>>> Sent: 28 November 2013 16:57
>>> To: users@cloudstack.apache.org
>>> Subject: Re: Allow all external traffic (any tcp/udp/icmp) to virtual
>>> hosts
>>>
>>> I'm not using a firewall provider, so my initial question remains.
>>>
>>> /Magnus
>>>
>>>
>>> 2013/11/28 Magnus Janson <mag...@fnutt.us>
>>>
>>> > Oh, seems like the answer is found here:
>>> > https://support.getcloudservices.com/entries/21993512-CloudStack-Enable-External-Access
>>> >
>>> > I'll try this and get back here in case I run into any trouble I can't
>>> > solve.
>>> >
>>> > /Magnus
>>> >
>>> >
>>> > 2013/11/28 Magnus Janson <mag...@fnutt.us>
>>> >
>>> >> Hi,
>>> >>
>>> >> How do I allow all external traffic (any tcp/udp/icmp) to my virtual
>>> >> hosts?
>>> >>
>>> >> I'm using DefaultSharedNetworkOffering in a BASIC network.
>>> >>
>>> >> Security group and provider is not being used.
>>> >>
>>> >> So far, I've tried to change the egress_default_policy. I couldn't
>>> >> find any way to perform this through the UI so I did it manually in
>>> >> the database and restarted the network:
>>> >> UPDATE `cloud`.`network_offerings` SET `egress_default_policy`=1
>>> >> WHERE `name`='DefaultSharedNetworkOffering';
>>> >>
>>> >> Still, it seems that all incoming traffic is rejected.
>>> >>
>>> >> Any pointers on how to achieve this would be highly appreciated.
>>> >>
>>> >> Sincerely,
>>> >> Magnus
>>> >>
>>> >
>>> >
>>>
>>
>>
>
