From 80cfc81bc90e63fadb45026a27b6b7ba0e143d41 Mon Sep 17 00:00:00 2001 From: radhikap Date: Fri, 2 Aug 2013 16:58:20 +0530 Subject: [PATCH] https://issues.apache.org/jira/browse/CLOUDSTACK-2685 --- docs/en-US/creating-network-offerings.xml | 15 +- docs/en-US/egress-firewall-rule.xml | 168 +++++++++++++++------- docs/en-US/ip-forwarding-firewalling.xml | 9 +- docs/en-US/vnmc-cisco.xml | 10 +- 4 files changed, 137 insertions(+), 65 deletions(-) diff --git a/docs/en-US/creating-network-offerings.xml b/docs/en-US/creating-network-offerings.xml index 6e25b27e9ad..4f75781c3cb 100644 --- a/docs/en-US/creating-network-offerings.xml +++ b/docs/en-US/creating-network-offerings.xml @@ -241,7 +241,7 @@ For information on Elastic IP, see . - Redundant router capability. Available only when + Redundant router capability: Available only when Virtual Router is selected as the Source NAT provider. Select this option if you want to use two virtual routers in the network for uninterrupted connection: one operating as the master virtual router and the other as the backup. The master virtual router @@ -251,7 +251,7 @@ reliability if one host is down. - Conserve mode. Indicate whether to use conserve + Conserve mode: Indicate whether to use conserve mode. In this mode, network resources are allocated only when the first virtual machine starts in the network. When conservative mode is off, the public IP can only be used for a single service. For example, a public IP used for a port forwarding rule cannot be 
@@ -264,9 +264,18 @@ - Tags. Network tag to specify which physical network + Tags: Network tag to specify which physical network to use. + + Default egress policy: Configure the default policy + for firewall egress rules. Options are Allow and Deny. Default is Allow if no egress + policy is specified, which indicates that all the egress traffic is accepted when a + guest network is created from this offering. + To block the egress traffic for a guest network, select Deny. In this case, when you + configure an egress rules for an isolated guest network, rules are added to allow the + specified traffic. + diff --git a/docs/en-US/egress-firewall-rule.xml b/docs/en-US/egress-firewall-rule.xml index 9b45e2e02a2..148b6d6c18a 100644 --- a/docs/en-US/egress-firewall-rule.xml +++ b/docs/en-US/egress-firewall-rule.xml @@ -19,7 +19,7 @@ under the License. -->
- Creating Egress Firewall Rules in an Advanced Zone + Egress Firewall Rules in an Advanced Zone The egress traffic originates from a private network to a public network, such as the Internet. By default, the egress traffic is blocked, so no outgoing traffic is allowed from a guest network to the Internet. However, you can control the egress traffic in an Advanced zone @@ -27,7 +27,7 @@ to the rule is allowed and the remaining traffic is blocked. When all the firewall rules are removed the default policy, Block, is applied. Egress firewall rules are supported on Juniper SRX and virtual router. - + The egress firewall rules are not supported on shared networks. Consider the following scenarios to apply egress firewall rules: 
@@ -44,55 +44,117 @@ specified for TCP, UDP or for ICMP type and code. - To configure an egress firewall rule: - - - Log in to the &PRODUCT; UI as an administrator or end user. - - - In the left navigation, choose Network. - - - In Select view, choose Guest networks, then click the Guest network you want. - - - To add an egress rule, click the Egress rules tab and fill out the following fields to - specify what type of traffic is allowed to be sent out of VM instances in this guest - network: - - - - - - egress-firewall-rule.png: adding an egress firewall rule - - - - - CIDR: (Add by CIDR only) To send traffic only to - the IP addresses within a particular address block, enter a CIDR or a comma-separated - list of CIDRs. The CIDR is the base IP address of the destination. For example, - 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0. - - - Protocol: The networking protocol that VMs uses to - send outgoing traffic. The TCP and UDP protocols are typically used for data exchange - and end-user communications. The ICMP protocol is typically used to send error messages - or network monitoring data. - - - Start Port, End Port: (TCP, UDP only) A range of - listening ports that are the destination for the outgoing traffic. If you are opening a - single port, use the same number in both fields. - - - ICMP Type, ICMP Code: (ICMP only) The type of - message and error code that are sent. - - - - - Click Add. - - +
+ Configuring an Egress Firewall Rule + + + Log in to the &PRODUCT; UI as an administrator or end user. + + + In the left navigation, choose Network. + + + In Select view, choose Guest networks, then click the Guest network you want. + + + To add an egress rule, click the Egress rules tab and fill out the following fields to + specify what type of traffic is allowed to be sent out of VM instances in this guest + network: + + + + + + egress-firewall-rule.png: adding an egress firewall rule + + + + + CIDR: (Add by CIDR only) To send traffic only to + the IP addresses within a particular address block, enter a CIDR or a comma-separated + list of CIDRs. The CIDR is the base IP address of the destination. For example, + 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0. + + + Protocol: The networking protocol that VMs uses + to send outgoing traffic. The TCP and UDP protocols are typically used for data + exchange and end-user communications. The ICMP protocol is typically used to send + error messages or network monitoring data. + + + Start Port, End Port: (TCP, UDP only) A range of + listening ports that are the destination for the outgoing traffic. If you are opening + a single port, use the same number in both fields. + + + ICMP Type, ICMP Code: (ICMP only) The type of + message and error code that are sent. + + + + + Click Add. + + +
+
+ Changing the Default Egress Policy + You can configure the default policy of egress firewall rules in Isolated Advanced + networks. Use the create network offering option to determine whether the default policy + should be block or allow all the traffic to the public network from a guest network. If no + policy is specified, by default all the traffic is allowed from the guest network that you + create by using this network offering. + You have two options: Allow and Deny. + + Allow + If you select Allow for a network offering, by default egress traffic is allowed. + However, when an egress rule is configured for a guest network, rules are applied to block + the specified traffic and rest are allowed. If no egress rules are configured for the + network, egress traffic is accepted. + + + Deny + If you select Deny for a network offering, by default egress traffic for the guest + network is blocked. However, when an egress rules is configured for a guest network, rules + are applied to allow the specified traffic. While implementing a guest network, &PRODUCT; + adds the firewall egress rule specific to the default egress policy for the guest + network. + + This feature is supported only on virtual router and Juniper SRX. + + + Create a network offering with your desirable default egress policy: + + + Log in with admin privileges to the &PRODUCT; UI. + + + In the left navigation bar, click Service Offerings. + + + In Select Offering, choose Network Offering. + + + Click Add Network Offering. + + + In the dialog, make necessary choices, including firewall provider. + + + In the Default egress policy field, specify the behaviour. + + + Click OK. + + + + + Create an isolated network by using this network offering. + Based on your selection, the network will have the egress public traffic blocked or + allowed. + + + On upgrade existing network offerings with firewall service providers will have the + default egress policy DENY. +
diff --git a/docs/en-US/ip-forwarding-firewalling.xml b/docs/en-US/ip-forwarding-firewalling.xml index d7a24571429..d1beb2eb0f2 100644 --- a/docs/en-US/ip-forwarding-firewalling.xml +++ b/docs/en-US/ip-forwarding-firewalling.xml @@ -20,15 +20,16 @@ -->
IP Forwarding and Firewalling - By default, all incoming traffic to the public IP address is rejected. - All outgoing traffic from the guests is also blocked by default. - To allow outgoing traffic, follow the procedure in . + By default, all incoming traffic to the public IP address is rejected. All outgoing traffic + from the guests is also blocked by default. + To allow outgoing traffic, follow the procedure in . To allow incoming traffic, users may set up firewall rules and/or port forwarding rules. For example, you can use a firewall rule to open a range of ports on the public IP address, such as 33 through 44. Then use port forwarding rules to direct traffic from individual ports within that range to specific ports on user VMs. For example, one port forwarding rule could route incoming traffic on the public IP's port 33 to port 100 on one user VM's private IP. - +
diff --git a/docs/en-US/vnmc-cisco.xml b/docs/en-US/vnmc-cisco.xml index 924806cfe13..3d201606625 100644 --- a/docs/en-US/vnmc-cisco.xml +++ b/docs/en-US/vnmc-cisco.xml @@ -107,11 +107,11 @@ Guidelines When a guest network is created with Cisco VNMC firewall provider, an additional public IP is acquired along with the Source NAT IP. The Source NAT IP is used for the ASA outside - interface, whereas the addition IP is used to workaround an ASA limitation. Ensure that this - additional public IP is not released. You can identify this IP as soon as the network is in - implemented state and before acquiring any further public IPs. The additional IP is the one - that is not marked as Source NAT. You can find the IP used for the ASA outside interface by - looking at the Cisco VNMC used in your guest network. + interface, whereas the additional IP is used to workaround an ASA limitation. Ensure that + this additional public IP is not released. You can identify this IP as soon as the network + is in implemented state and before acquiring any further public IPs. The additional IP is + the one that is not marked as Source NAT. You can find the IP used for the ASA outside + interface by looking at the Cisco VNMC used in your guest network.
Using Cisco ASA 1000v Services
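Review bot: In the creating-network-offerings.xml hunk (@@ -264), the new "Default egress policy" entry has a grammar slip ("when you configure an egress rules" should be "an egress rule") and only explains what rules mean under Deny. Since the Allow case inverts the meaning of a rule (per the new "Changing the Default Egress Policy" section, rules under Allow block the specified traffic), add the symmetric sentence here, for example "When the policy is Allow, any egress rule you add blocks the specified traffic and all other egress traffic is permitted." Readers choosing the offering need to know that the same rule form has opposite effect depending on this field.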
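Review bot: The egress-firewall-rule.xml title hunk (@@ -19) only renames the section, but the unchanged context lines immediately below it still state "By default, the egress traffic is blocked" and "When all the firewall rules are removed the default policy, Block, is applied." Those statements now contradict the new section added later in the same file, which says the default is Allow unless the offering specifies otherwise. Update the introduction to say that the default egress behaviour is set by the network offering's Default egress policy (Allow or Deny), and that removing all rules returns the network to that offering-level default rather than to a fixed Block.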
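Review bot: In the egress-firewall-rule.xml hunk (@@ -44), the "Configuring an Egress Firewall Rule" step still tells the reader the fields "specify what type of traffic is allowed to be sent out", which is wrong for networks whose offering uses the Allow policy (where the new Allow subsection says configured rules block the specified traffic). Add a sentence in that step pointing out that the effect of a rule depends on the offering's default egress policy. Also fix the carried-over grammar: "The networking protocol that VMs uses" should be "that VMs use", "when an egress rules is configured" should be "an egress rule", and "your desirable default egress policy" should be "your desired default egress policy". The closing upgrade note needs a comma and a stated rationale, e.g. "On upgrade, existing network offerings with firewall service providers have the default egress policy set to Deny, which preserves the previous behaviour of blocking egress traffic"; "DENY" should also match the "Deny" capitalisation used elsewhere in the section. Finally, "This feature is supported only on virtual router and Juniper SRX" duplicates the "Egress firewall rules are supported on Juniper SRX and virtual router" sentence already in the file's introduction; keep one.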
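Review bot: The ip-forwarding-firewalling.xml hunk (@@ -20) only rewraps the paragraph, but the sentence it keeps, "All outgoing traffic from the guests is also blocked by default", is no longer unconditionally true once the Default egress policy introduced in this same patch can be Allow. Qualify it, for example "Outgoing traffic from the guests is blocked or allowed by default according to the network offering's Default egress policy", so that this page and the egress firewall page agree.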
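Review bot: In the vnmc-cisco.xml hunk (@@ -107), the rewrap corrects "addition IP" to "additional IP" but leaves "used to workaround an ASA limitation"; as a verb this should be "used to work around an ASA limitation". While touching the line, "as soon as the network is in implemented state" reads better as "in the Implemented state", matching the state name used in the UI.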