Github user karuturi commented on the pull request: https://github.com/apache/cloudstack/pull/1023#issuecomment-153301644

@wilderrodrigues apart from the issue mentioned in CLOUDSTACK-9018, I found the below issue.

The egress rule added in a default egress ALLOW network doesn't block the traffic.

On a default egress DENY network, I added a rule to allow 22. The iptables rules look fine and I am able to ssh from a VM created in this network:

```
Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    4   288 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
```

```
[root@egress-deny-vm ~]# ssh 10.147.28.48
root@10.147.28.48's password:
Last login: Tue Nov  3 08:49:09 2015 from 10.147.30.176
```

Once I delete the rule, I am not able to ssh from the VM anymore and the iptables rule is deleted, which is expected.

But in case of a default egress ALLOW network, any egress rule added should block the traffic, i.e. rules should be added with target DROP. When I add an egress rule to block 22, the iptables rule created is to accept 22 and the port is not blocked:

```
Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```

and ssh is not blocked from a VM created in this network (even after creating the egress rule to block it).

```
root@10.147.28.48's password:
Last login: Tue Nov  3 08:55:04 2015 from 10.147.30.173
```
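The comment above describes the invariant the router's `FW_EGRESS_RULES` chain should satisfy: in a default egress DENY network each user rule is an exception that ACCEPTs, followed by a catch-all DROP; in a default egress ALLOW network each user rule must DROP, followed by a catch-all ACCEPT. The Python below is an added example, not part of the comment or of CloudStack's own code. It encodes that expectation in two helpers (`render_rules`, which emits the iptables rules a correct implementation would produce, and `audit_chain`, which parses `iptables -nvL`-style output and reports rules whose target contradicts the network's default policy). Function names, the regex, and the use of the two chain listings from the comment as sample input are all this example's own assumptions.

```python
"""Expected FW_EGRESS_RULES layout per CloudStack default egress policy.

Added example: helper names and the audit logic are assumptions, not CloudStack code.
"""
import re

CHAIN = "FW_EGRESS_RULES"


def rule_target(default_policy):
    """Target a user-added egress rule must carry for the given default policy.

    ALLOW-by-default: user rules are exceptions that block traffic  -> DROP
    DENY-by-default:  user rules are exceptions that permit traffic -> ACCEPT
    """
    policy = default_policy.upper()
    if policy == "ALLOW":
        return "DROP"
    if policy == "DENY":
        return "ACCEPT"
    raise ValueError("default egress policy must be ALLOW or DENY: %r" % default_policy)


def chain_default(default_policy):
    """Target of the trailing catch-all rule: the network's default policy itself."""
    return "ACCEPT" if default_policy.upper() == "ALLOW" else "DROP"


def render_rules(default_policy, ports, proto="tcp"):
    """iptables-save style rules a correct implementation would append to the chain."""
    target = rule_target(default_policy)
    rules = ["-A %s -p %s -m %s --dport %d -j %s" % (CHAIN, proto, proto, port, target)
             for port in ports]
    rules.append("-A %s -j %s" % (CHAIN, chain_default(default_policy)))
    return rules


# One counter line of `iptables -nvL`: pkts bytes target prot opt in out source destination [match]
COUNTER_LINE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+(?P<match>.*)$"
)


def parse_chain(listing):
    """Return the rules of a chain listing as dicts; header and 'Chain' lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            rules.append({"target": m.group("target"), "prot": m.group("prot"),
                          "match": m.group("match").strip()})
    return rules


def audit_chain(default_policy, listing):
    """Return a list of problems; an empty list means the chain matches the policy."""
    rules = parse_chain(listing)
    if not rules:
        return ["chain has no rules"]
    problems = []
    *specific, last = rules
    if last["prot"] != "all" or last["match"]:
        problems.append("last rule is not a catch-all")
    elif last["target"] != chain_default(default_policy):
        problems.append("catch-all target is %s, expected %s for default %s"
                        % (last["target"], chain_default(default_policy), default_policy))
    want = rule_target(default_policy)
    for r in specific:
        if r["target"] != want:
            problems.append("rule '%s' has target %s, expected %s for default %s"
                            % (r["match"], r["target"], want, default_policy))
    return problems


# Sample input: the two chain listings from the comment above (default DENY, then default ALLOW).
DENY_CHAIN = """Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    4   288 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

ALLOW_CHAIN = """Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    print("DENY network problems :", audit_chain("DENY", DENY_CHAIN))
    print("ALLOW network problems:", audit_chain("ALLOW", ALLOW_CHAIN))
    print("expected rules for 'block 22' on ALLOW network:")
    print("\n".join(render_rules("ALLOW", [22])))
```

Run against the two listings, the DENY chain audits clean and the ALLOW chain is flagged because its port-22 rule carries ACCEPT where DROP is required, which is exactly the mismatch the reporter observed. The same check can be run on a router VM against `iptables -nvL FW_EGRESS_RULES` output to confirm the chain agrees with the network's configured default policy.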