[ https://issues.apache.org/jira/browse/CLOUDSTACK-6820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14016569#comment-14016569 ]
John Kinsella commented on CLOUDSTACK-6820:
-------------------------------------------
Chatted with Daan about this on security@ - doesn't look like this affects the security of ACS, so I'm leaving it public.

So - the firewall setup on the SSVMs in general is sort of annoying, in that without building a new image there's not currently a way to update those rulesets without manual tweaking. Seems like there should be a default ruleset, with the ability to override the ruleset either per-VM or in general.

Now that I think about it - what seems ideal would be to have an "advanced" option to instruct a SSVM to connect to a puppet/chef/whatever server to get its configuration data.

Also - just a reminder to not block all ICMP as a whole. Block echo/reply and the time-related messages if you wish, but you want things like MTU negotiation to go through.
> VPC router ICMP acl
> -------------------
>
> Key: CLOUDSTACK-6820
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6820
> Project: CloudStack
> Issue Type: Improvement
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: Virtual Router
> Affects Versions: 4.3.0
> Reporter: Thijs Houtenbos
> Priority: Minor
> Labels: security
>
> There is a default allow icmp any any on the VPC router VM which cannot be
> controlled with the network ACLs. This makes it impossible to block certain
> icmp traffic.
>
> root@r-4135-VM:~# iptables -L -v | grep icmp
> 10784 901K ACCEPT icmp -- any any anywhere anywhere
--
This message was sent by Atlassian JIRA
(v6.2#6252)
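As an added example (not part of this issue, and not code from the CloudStack virtual router scripts), the shell fragment below shows the selective ICMP policy the comment argues for, beside a check for the blanket "ACCEPT icmp any any" rule the reporter found. Echo-request is rate-limited instead of accepted wholesale, while destination-unreachable (which includes fragmentation-needed, the message path-MTU discovery depends on), time-exceeded and parameter-problem stay open. The chain name ICMP-POLICY, the DRY_RUN wrapper and the sample `iptables -L -v` lines are assumptions constructed for illustration; on a real router you would feed the check with live `iptables -L -v` output and run with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: selective ICMP policy plus a check for a blanket ICMP accept.
# Not from the CloudStack project; chain name and sample output are constructed.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = apply them

# ipt: print the iptables command when dry-running, otherwise execute it,
# so the generated ruleset can be reviewed before it touches the router.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# icmp_rules: build a dedicated chain that keeps the ICMP control messages
# PMTUD and error reporting need, rate-limits echo-request, drops the rest,
# and hooks the chain into INPUT ahead of any broad "-p icmp -j ACCEPT".
icmp_rules() {
    ipt -N ICMP-POLICY
    # Type 3 (all codes, so fragmentation-needed is covered), 11 and 12.
    ipt -A ICMP-POLICY -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipt -A ICMP-POLICY -p icmp --icmp-type time-exceeded -j ACCEPT
    ipt -A ICMP-POLICY -p icmp --icmp-type parameter-problem -j ACCEPT
    # Pings are allowed at a bounded rate rather than dropped outright.
    ipt -A ICMP-POLICY -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    ipt -A ICMP-POLICY -p icmp --icmp-type echo-request -j DROP
    # Everything else ICMP (timestamp, address-mask, ...) is dropped.
    ipt -A ICMP-POLICY -p icmp -j DROP
    ipt -I INPUT 1 -p icmp -j ICMP-POLICY
}

# blanket_icmp_accept: read `iptables -L -v` output on stdin; succeed (return 0)
# if some rule ACCEPTs icmp from anywhere to anywhere with no icmptype match,
# which is exactly the rule reported in the issue.
blanket_icmp_accept() {
    grep -E 'ACCEPT[[:space:]]+icmp[[:space:]]+--' \
      | grep -Ev 'icmptype' \
      | grep -qE '(anywhere|0\.0\.0\.0/0)[[:space:]]+(anywhere|0\.0\.0\.0/0)[[:space:]]*$'
}

# Constructed sample lines in `iptables -L -v` format (not captured from a router).
SAMPLE_BLANKET='10784  901K ACCEPT     icmp --  any    any     anywhere             anywhere'
SAMPLE_SCOPED='  120  9000 ACCEPT     icmp --  any    any     anywhere             anywhere             icmptype 3'

# Demonstration: show the generated ruleset and test the constructed sample.
icmp_rules
if printf '%s\n' "$SAMPLE_BLANKET" | blanket_icmp_accept; then
    echo "blanket ICMP accept present: review the ruleset"
fi
```

For transit traffic through a VPC router the same chain can be referenced from FORWARD instead of INPUT; the point is that the reference is inserted above the blanket accept, otherwise the new chain is never consulted.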