Agree with Kishan Kavala and Jayapal.

On Thu, Jul 30, 2015 at 2:13 PM, Kishan Kavala <kishan.kav...@citrix.com> wrote:

> This is a security issue with high impact.
> We should treat it as a blocker.
>
> -----Original Message-----
> From: Jayapal Reddy Uradi [mailto:jayapalreddy.ur...@citrix.com]
> Sent: 30 July 2015 02:07 PM
> To: <dev@cloudstack.apache.org> <dev@cloudstack.apache.org>
> Subject: Re: [Blocker] Default ip table rules on VR
>
> I see VR ingress traffic is blocked by default from iptables mangle table.
> But on the guest interface all the traffic is accepted.
> Also egress firewall rule will break because of FORWARD policy.
>
> Thanks,
> Jayapal
>
> On 30-Jul-2015, at 12:53 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>
> >
> > It is security concern on the VR. All the ingress traffic onto the VR is accepted.
> > Let it be blocker.
> >
> > Thanks,
> > Jayapal
> >
> > On 30-Jul-2015, at 12:28 PM, Daan Hoogland <daan.hoogl...@gmail.com> wrote:
> >
> >> I changed it to critical. It is only a blocker if we agree on this
> >> list that it is.
> >>
> >> On Thu, Jul 30, 2015 at 6:44 AM, Sanjeev N <sanj...@apache.org> wrote:
> >>> Hi,
> >>>
> >>> In latest ACS builds, the ip table rules in VR have ACCEPT as the
> >>> default policy in INPUT and FORWARD chains, instead of DROP.
> >>>
> >>> Created a blocker bug for this issue
> >>> https://issues.apache.org/jira/browse/CLOUDSTACK-8688
> >>>
> >>> Can somebody please fix it?
> >>>
> >>> Thanks,
> >>> Sanjeev
> >>
> >> --
> >> Daan
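
The regression reported in this thread can be checked mechanically. The following is an added example, not part of the original messages or of CloudStack's code: it reads `iptables-save` output and flags INPUT or FORWARD chains whose default policy is not DROP. It assumes the policies discussed are those of the filter table; the function name and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read iptables-save output on stdin and
# report filter-table INPUT/FORWARD chains whose default policy is not DROP.
# Assumption: the policies discussed are those of the filter table.
check_default_policies() {
    awk '
        # "*filter", "*mangle", ... open a table section in iptables-save output.
        substr($0, 1, 1) == "*" { table = substr($0, 2); next }
        # Built-in chain headers look like ":INPUT ACCEPT [0:0]".
        table == "filter" && ($1 == ":INPUT" || $1 == ":FORWARD") {
            chain = substr($1, 2)
            seen[chain] = 1
            if ($2 != "DROP") {
                print table "/" chain " policy=" $2
                bad = 1
            }
        }
        END {
            # A chain absent from the dump cannot be verified, so fail closed.
            if (!("INPUT" in seen))   { print "filter/INPUT missing";   bad = 1 }
            if (!("FORWARD" in seen)) { print "filter/FORWARD missing"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: the state reported in the thread (ACCEPT on both chains).
sample_reported() {
    cat <<'EOF'
*mangle
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Constructed sample: the default-DROP state the thread expects.
sample_expected() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# On a router: iptables-save | check_default_policies
```

The function exits non-zero when either chain is permissive or missing from the dump, so it can gate a build or template smoke test.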