Introduction:
This document describes the egress firewall rules for the VR (virtual router). Egress traffic originates from the VMs and is sent to the public domain.
By default all egress (outbound) traffic is allowed. Egress firewall rules can be added to block specified traffic.
Topology:
...
Use Cases:
In general we can have the following scenarios for egress traffic rules:
Parameters:
Egress firewall rule can have the following parameters:
Parameters Info:
DB Schema changes:
We can use the firewall_rules table for adding egress rules. Egress rules are identified by the traffic_type field, which is set to the value 'egress'. Columns used for egress rules:
Dest_port_start
Dest_port_end
Dest_cidr
Changes to createFirewallRule API:
While calling createFirewallRule, pass the parameters below.
Pass the traffic type 'egress' to specify that it is an egress rule.
vmId - IP address to which the egress rule is configured
ipaddressid - NULL (this field is NULL for egress rules)
protocol - TCP/UDP/ICMP
source port start (new) - source port start
source port end (new) - source port end
Destination port start - destination port range start
Destination port end - destination port range end
cidr list - source CIDR list
Destination Cidr list (new) - destination CIDR list
ICMP Code - ICMP code
ICMP Type - ICMP type
Traffic_type - egress, traffic type
Back end changes for VR: iptables changes for egress rules.
Create a new chain EGRESS_FILTER in the filter table.
By default we have the ACCEPT rule at the end of the FORWARD chain to accept PRIVATE to PUBLIC traffic. Above this
rule, add an iptables rule to send the traffic from PRIVATE to PUBLIC to the EGRESS_FILTER chain.
This chain contains all the rules for filtering egress traffic. Traffic that matches no rule in EGRESS_FILTER returns to FORWARD and is accepted by the ACCEPT rule that follows.
Currently we add the filter rules based on IP, protocol and port. In future we can add rules related to source MAC and content filtering to this chain.
-A FORWARD -i eth0 -o eth2 -j EGRESS_FILTER
-A FORWARD -i eth0 -o eth2 -j ACCEPT
Ex: Rule to block SSH traffic from the VM 10.1.1.31 in the EGRESS_FILTER chain:
-A EGRESS_FILTER -s 10.1.1.31/32 -p tcp -m tcp --dport 22 -j DROP
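The following shell script is an added example, not CloudStack's own VR code. It ties the createFirewallRule parameters above (source CIDR, protocol, destination port range, destination CIDR, ICMP type/code) to the iptables chain layout described in this section: it creates EGRESS_FILTER, inserts the jump into FORWARD ahead of the PRIVATE to PUBLIC ACCEPT rule, and validates each rule's protocol and port range before emitting it. The function names, the IPT/GUEST_IF/PUBLIC_IF variables and the assumption that eth0 is the guest interface and eth2 the public one (as in the rules above) are this example's own; set IPT="echo iptables" to see the commands without applying them.

```shell
#!/bin/sh
# Added example (not CloudStack code): build the EGRESS_FILTER chain described above
# and turn egress rule parameters into DROP rules on that chain.
# Assumptions: eth0 = guest (PRIVATE) interface, eth2 = public interface, as in the
# rules above. Set IPT="echo iptables" to print the commands instead of applying them.
IPT=${IPT:-iptables}
GUEST_IF=${GUEST_IF:-eth0}
PUBLIC_IF=${PUBLIC_IF:-eth2}

# Create the chain and hook it into FORWARD ahead of the PRIVATE->PUBLIC ACCEPT rule.
# Position 1 puts the jump above every existing FORWARD rule, so the ACCEPT rule is
# reached only for traffic that EGRESS_FILTER did not drop.
setup_egress_chain() {
    $IPT -t filter -N EGRESS_FILTER 2>/dev/null || true   # -N fails harmlessly if it exists
    $IPT -t filter -I FORWARD 1 -i "$GUEST_IF" -o "$PUBLIC_IF" -j EGRESS_FILTER
}

# Block TCP/UDP from a source CIDR to a destination port range (and optional destination CIDR).
# Usage: add_egress_rule <src_cidr> <tcp|udp> <dport_start> [<dport_end>] [<dst_cidr>]
add_egress_rule() {
    src=$1; proto=$2; pstart=$3; pend=${4:-$3}; dst=$5
    case $proto in
        tcp|udp) ;;
        *) echo "add_egress_rule: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    # Reject ports outside 1-65535 and ranges whose start is after their end.
    if [ "$pstart" -lt 1 ] || [ "$pend" -gt 65535 ] || [ "$pstart" -gt "$pend" ]; then
        echo "add_egress_rule: bad port range $pstart-$pend" >&2; return 1
    fi
    # A single port is written --dport N, a range --dport N:M
    if [ "$pstart" -eq "$pend" ]; then ports=$pstart; else ports=$pstart:$pend; fi
    set -- -A EGRESS_FILTER -s "$src"
    if [ -n "$dst" ]; then set -- "$@" -d "$dst"; fi
    $IPT "$@" -p "$proto" -m "$proto" --dport "$ports" -j DROP
}

# Block ICMP of a given type (and optionally code) from a source CIDR.
# Usage: add_egress_icmp_rule <src_cidr> <icmp_type> [<icmp_code>]
add_egress_icmp_rule() {
    src=$1; type=$2; code=$3
    if [ -n "$code" ]; then match="$type/$code"; else match=$type; fi
    $IPT -A EGRESS_FILTER -s "$src" -p icmp -m icmp --icmp-type "$match" -j DROP
}

# List the chain so the installed rules can be checked after they are applied.
show_egress_chain() {
    $IPT -t filter -S EGRESS_FILTER
}

# Dry-run usage:  IPT="echo iptables" sh egress_filter.sh
#   setup_egress_chain
#   add_egress_rule 10.1.1.31/32 tcp 22     # the SSH block from the example above
#   show_egress_chain
```

With IPT left at its default the same calls apply the rules directly on the VR; run show_egress_chain afterwards to confirm the DROP rules landed in EGRESS_FILTER and that the jump sits above the FORWARD ACCEPT rule.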
Back end changes for External Devices:
This section will be updated once the changes for the VR are done.
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network