Introduction:

This document describes the Egress firewall rules for the virtual router (VR). Egress traffic originates from the guest VMs and is sent to the public network.

By default all Egress/Outbound traffic is allowed. Egress firewall rules can be configured to block specified traffic.

Topology:

[Topology diagram not reproduced in this extract]

Use Cases:

In general the following scenarios exist for Egress traffic rules:

  1. Block the traffic originating from a particular VM
  2. Block the traffic originating from a particular source IP (VM IP) or CIDR
  3. Block traffic by protocol (TCP/UDP/ICMP) and destination port range

Parameters:

An Egress firewall rule can have the following parameters:

  1. VM id (Optional)                   - Id of the VM for which the Egress rule is configured
  2. Protocol (Optional)                - Protocol TCP/UDP/ICMP
  3. Source IP or CIDR (Optional)       - CIDR of the Guest Network
  4. Source port range start (Optional) - Source port start
  5. Source port range end (Optional)   - Source port end
  6. ICMP code (Optional)               - ICMP code
  7. ICMP Type (Optional)               - ICMP Type
  8. Traffic Type                       - Specifies the traffic type ('egress' for egress rules)

Parameters Info:

  • All the arguments are optional; if no option is specified, all outbound traffic is blocked.
  • Parameters 1 and 3 are mutually exclusive. If the VM id is given without parameter 3, the
    firewall rule is configured for the VM's source IP; if parameter 3 is given, parameter 1 is ignored.
  • Parameter 2, Protocol, defaults to TCP.
  • Parameters 4 and 5 (and likewise 6 and 7): by default the range covers everything; if only the
    range start is given, start and end are taken to be the same.
  • The CIDR parameter (parameter 3) is optional. If given, the firewall rule is configured to block
    the traffic matching the given CIDR.
  • Traffic Type is passed as 'egress' to identify egress rules.

DB Schema changes:

The firewall_rules table can be used for adding egress rules. Egress rules are identified by setting the traffic_type field to 'egress'.

  • New fields in the firewall_rules table
      Dest_port_start
      Dest_port_end

  • New field in the firewall_rules_cidr table
      Dest_cidr

Changes to createFirewallRule API:

While calling createFirewallRule, pass the parameters below. Pass the traffic type 'egress' to specify that it is an egress rule.

  vmId                          - Id of the VM for which the egress rule is configured
  ipaddressid                   - NULL (this field is NULL for egress rules)
  protocol                      - TCP/UDP/ICMP
  source port start (new)       - Source port start
  source port end (new)         - Source port end
  Destination port start        - Destination port range start
  Destination port end          - Destination port range end
  cidr list                     - Source CIDR list
  Destination Cidr list (new)   - Destination CIDR list
  ICMP Code                     - ICMP Code
  ICMP Type                     - ICMP Type
  Traffic_type                  - 'egress', the traffic type

Back end changes for VR: iptables changes for egress rules.

Create a new chain EGRESS_FILTER in the filter table.

By default the FORWARD chain ends with an ACCEPT rule for PRIVATE to PUBLIC traffic. Above this rule, add an iptables rule that sends PRIVATE to PUBLIC traffic to the EGRESS_FILTER chain. Because the jump comes first, a packet that matches no DROP rule in EGRESS_FILTER returns to FORWARD and is accepted by the existing rule, which preserves the default-allow behaviour.

This chain contains all the rules for filtering egress traffic.

Currently the filter rules are based on IP, protocol and port. In future, rules based on source MAC or content filtering can be added to this chain.

-A FORWARD -i eth0 -o eth2 -j EGRESS_FILTER
-A FORWARD -i eth0 -o eth2 -j ACCEPT

Example rule in the EGRESS_FILTER chain to block SSH traffic from the VM 10.1.1.31:

-A EGRESS_FILTER -s 10.1.1.31/32 -p tcp -m tcp --dport 22 -j DROP
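The following script is an added example, not CloudStack's own VR code. It turns the egress rule parameters described above (optional source CIDR, protocol defaulting to TCP, a port range whose end defaults to its start, ICMP type/code) into iptables rule specifications for the EGRESS_FILTER chain, and emits the FORWARD hook that must sit in front of the PRIVATE to PUBLIC ACCEPT rule. The interface names eth0 (guest) and eth2 (public) are taken from the page's example; the chain name and rule layout are the page's. IPTABLES defaults to a dry run that only prints the commands, so it can be read and tested without root on a VR.

```shell
#!/bin/sh
# Added example; not CloudStack's own VR script. Builds EGRESS_FILTER rule
# specs from the egress parameters on this page and the FORWARD hook rules.
# eth0 (guest) / eth2 (public) follow the page's example. IPTABLES defaults
# to "echo iptables" (dry run); set IPTABLES=iptables as root to apply.
IPTABLES="${IPTABLES:-echo iptables}"
GUEST_IF="${GUEST_IF:-eth0}"
PUBLIC_IF="${PUBLIC_IF:-eth2}"

# egress_rule_spec SRC_CIDR PROTO DPORT_START DPORT_END ICMP_TYPE ICMP_CODE
# Empty arguments mean "not specified" and follow the parameter rules above:
#   no source CIDR  -> rule applies to every guest source
#   no protocol     -> tcp
#   start, no end   -> end = start (a single port)
#   no port range   -> all ports of the protocol
egress_rule_spec() {
    src=$1
    proto=${2:-tcp}
    pstart=$3
    pend=${4:-$3}
    itype=$5
    icode=$6
    spec="-A EGRESS_FILTER"
    if [ -n "$src" ]; then
        spec="$spec -s $src"
    fi
    spec="$spec -p $proto"
    case $proto in
        tcp|udp)
            if [ -n "$pstart" ]; then
                if [ "$pstart" = "$pend" ]; then
                    spec="$spec -m $proto --dport $pstart"
                else
                    spec="$spec -m $proto --dport $pstart:$pend"
                fi
            fi
            ;;
        icmp)
            # iptables takes type[/code]; a bare type matches every code.
            if [ -n "$itype" ]; then
                spec="$spec -m icmp --icmp-type $itype${icode:+/$icode}"
            fi
            ;;
    esac
    printf '%s -j DROP\n' "$spec"
}

# Prints the two FORWARD rules. The jump must precede the ACCEPT so egress
# traffic is filtered first; a packet matching no DROP in EGRESS_FILTER
# returns to FORWARD and hits the ACCEPT, keeping the default-allow policy.
egress_forward_hook() {
    printf '%s\n' "-A FORWARD -i $GUEST_IF -o $PUBLIC_IF -j EGRESS_FILTER" \
                  "-A FORWARD -i $GUEST_IF -o $PUBLIC_IF -j ACCEPT"
}

# Runs one rule spec through $IPTABLES, e.g. "iptables -A EGRESS_FILTER ...".
apply_egress_rule() {
    # shellcheck disable=SC2086  # the spec is meant to be word-split
    $IPTABLES $1
}

# Usage: create the chain once, then add the page's example rule and a few
# more (constructed sample values).
$IPTABLES -t filter -N EGRESS_FILTER
apply_egress_rule "$(egress_rule_spec 10.1.1.31/32 tcp 22)"       # SSH from one VM
apply_egress_rule "$(egress_rule_spec 10.1.1.0/24 udp 137 139)"    # NetBIOS range from the guest CIDR
apply_egress_rule "$(egress_rule_spec '' icmp '' '' 8)"            # echo requests from any guest
```

The chain creation above is not idempotent; on a real VR a second run would fail with "Chain already exists", so a production script would check with `iptables -t filter -L EGRESS_FILTER` (or `-N ... 2>/dev/null || true`) first, and would flush the chain before re-applying the full rule set so that deleted API rules do not linger.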

Back end changes for External Devices:

This section will be updated once the changes for the VR are done.
 https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network