Guys, I see votes here but no arguments. Why is it a blocker?

>>> From: Jayapal Reddy Uradi [mailto:jayapalreddy.ur...@citrix.com]
>>> Sent: 30 July 2015 02:07 PM
>>> To: <dev@cloudstack.apache.org> <dev@cloudstack.apache.org>
>>> Subject: Re: [Blocker] Default ip table rules on VR
>>>
>>> I see VR ingress traffic is blocked by default from iptables mangle table.

So, ...

>>> But on the guest interface all the traffic is accepted.

this is behind the VR.

>>> Also egress firewall rule will break because of FORWARD policy.

On Thu, Jul 30, 2015 at 2:35 PM, Wilder Rodrigues <wrodrig...@schubergphilis.com> wrote:
> Hi,
>
> We discussed that one yesterday and I already assigned the issue to myself on
> Jira. I will fix it.
>
> Cheers,
> WIlder
>
>
>
>> On 30 Jul 2015, at 14:09, Sanjeev N <sanj...@apache.org> wrote:
>>
>> Agree with Kishan Kavala and Jayapal.
>>
>> On Thu, Jul 30, 2015 at 2:13 PM, Kishan Kavala <kishan.kav...@citrix.com>
>> wrote:
>>
>>> This is a security issue with high impact.
>>> We should treat it as a blocker.
>>>
>>> -----Original Message-----
>>> From: Jayapal Reddy Uradi [mailto:jayapalreddy.ur...@citrix.com]
>>> Sent: 30 July 2015 02:07 PM
>>> To: <dev@cloudstack.apache.org> <dev@cloudstack.apache.org>
>>> Subject: Re: [Blocker] Default ip table rules on VR
>>>
>>> I see VR ingress traffic is blocked by default from iptables mangle table.
>>> But on the guest interface all the traffic is accepted.
>>> Also egress firewall rule will break because of FORWARD policy.
>>>
>>> Thanks,
>>> Jayapal
>>>
>>> On 30-Jul-2015, at 12:53 PM, Jayapal Reddy Uradi <
>>> jayapalreddy.ur...@citrix.com> wrote:
>>>
>>>>
>>>> It is security concern on the VR. All the ingress traffic onto the VR is
>>> accepted.
>>>> Let it be blocker.
>>>>
>>>> Thanks,
>>>> Jayapal
>>>>
>>>> On 30-Jul-2015, at 12:28 PM, Daan Hoogland <daan.hoogl...@gmail.com>
>>>> wrote:
>>>>
>>>>> I changed it to critical. It is only a blocker if we agree on this
>>>>> list that it is.
>>>>>
>>>>> On Thu, Jul 30, 2015 at 6:44 AM, Sanjeev N <sanj...@apache.org> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> In latest ACS builds, the ip table rules in VR have ACCEPT as the
>>>>>> default policy in INPUT and FORWARD chains, instead of DROP.
>>>>>>
>>>>>> Created a blocker bug for this issue
>>>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-8688
>>>>>>
>>>>>> Can somebody please fix it?
>>>>>>
>>>>>> Thanks,
>>>>>> Sanjeev
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Daan
>>>>
>>>
>>>
>
--
Daan
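
The condition reported in this thread (ACCEPT instead of DROP as the default policy of the filter table's INPUT and FORWARD chains) can be checked from `iptables-save` output. The script below is an added example, not part of the thread or of CloudStack's code; the function names `audit_default_policy` and `sample_rules` and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit iptables-save output for the default policies discussed
# in this thread. Prints "table chain policy" for each filter-table INPUT or
# FORWARD chain whose default policy is not DROP; returns 1 if any is found.
audit_default_policy() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*filter" opens a table section
        /^:/  {                                 # ":INPUT ACCEPT [0:0]" declares a chain
            chain = substr($1, 2); policy = $2
            if (table == "filter" && (chain == "INPUT" || chain == "FORWARD") && policy != "DROP") {
                print table, chain, policy
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample ruleset in iptables-save format.
# $1 = default policy to use for the filter INPUT and FORWARD chains.
# The mangle section is there to show that other tables are not flagged.
sample_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT $1 [0:0]
:FORWARD $1 [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Demo on the constructed sample. On a live router the input would be:
#   iptables-save | audit_default_policy
sample_rules ACCEPT | audit_default_policy || echo "default policy is not DROP"
```
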