radhikap 2013-08-02 16:58:20 +05:30
parent 97da9e70f5
commit 80cfc81bc9
4 changed files with 137 additions and 65 deletions

View File

@ -241,7 +241,7 @@
<para>For information on Elastic IP, see <xref linkend="elastic-ip"/>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Redundant router capability</emphasis>. Available only when
<para><emphasis role="bold">Redundant router capability</emphasis>: Available only when
Virtual Router is selected as the Source NAT provider. Select this option if you want to
use two virtual routers in the network for uninterrupted connection: one operating as
the master virtual router and the other as the backup. The master virtual router
@ -251,7 +251,7 @@
reliability if one host is down.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Conserve mode</emphasis>. Indicate whether to use conserve
<para><emphasis role="bold">Conserve mode</emphasis>: Indicate whether to use conserve
mode. In this mode, network resources are allocated only when the first virtual machine
starts in the network. When conservative mode is off, the public IP can only be used for
a single service. For example, a public IP used for a port forwarding rule cannot be
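Review bot: the context line "When conservative mode is off" names the setting differently from the label being edited ("Conserve mode"); since this paragraph is already being touched, change it to "When conserve mode is off" so a reader does not take it for a second, separate option.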
@ -264,9 +264,18 @@
</note>
</listitem>
<listitem>
<para><emphasis role="bold">Tags</emphasis>. Network tag to specify which physical network
<para><emphasis role="bold">Tags</emphasis>: Network tag to specify which physical network
to use.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Default egress policy</emphasis>: Configure the default policy
for firewall egress rules. Options are Allow and Deny. Default is Allow if no egress
policy is specified, which indicates that all the egress traffic is accepted when a
guest network is created from this offering. </para>
<para>To block the egress traffic for a guest network, select Deny. In this case, when you
configure an egress rules for an isolated guest network, rules are added to allow the
specified traffic.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
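Review bot: the new Default egress policy item has a grammar slip ("when you configure an egress rules" should be "an egress rule") and a stray space before the closing tag in "guest network is created from this offering. </para>". More importantly, it omits two things the rest of this commit states: the setting only takes effect with the virtual router and Juniper SRX firewall providers, and the meaning of an egress rule flips with the policy (under Allow, rules you add block the listed traffic; under Deny, they permit it). Suggested wording for the second paragraph: "To block egress traffic for a guest network, select Deny. Egress rules you then configure for an isolated guest network permit the specified traffic; with Allow, they block it."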

View File

@ -19,7 +19,7 @@
under the License.
-->
<section id="egress-firewall-rule">
<title>Creating Egress Firewall Rules in an Advanced Zone</title>
<title>Egress Firewall Rules in an Advanced Zone</title>
<para>The egress traffic originates from a private network to a public network, such as the
Internet. By default, the egress traffic is blocked, so no outgoing traffic is allowed from a
guest network to the Internet. However, you can control the egress traffic in an Advanced zone
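Review bot: the unchanged context "By default, the egress traffic is blocked, so no outgoing traffic is allowed from a guest network to the Internet" now contradicts the Changing the Default Egress Policy section added further down in this file, which says all traffic is allowed when no policy is specified. Update this introduction to say that the default depends on the network offering's default egress policy and point to that section; otherwise a reader who stops here believes egress is closed when it may be open.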
@ -44,7 +44,8 @@
specified for TCP, UDP or for ICMP type and code.</para>
</listitem>
</itemizedlist>
<para>To configure an egress firewall rule:</para>
<section>
<title>Configuring an Egress Firewall Rule</title>
<orderedlist>
<listitem>
<para>Log in to the &PRODUCT; UI as an administrator or end user. </para>
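Review bot: the new nested <section> element has no id attribute, while its sibling later in the file is <section id="default-egress-policy">; give it one (for example id="configure-egress-firewall-rule", a suggested name) so it can be the target of an xref and the generated anchor stays stable across builds. The context line "as an administrator or end user. </para>" also carries a trailing space inside the element that could be dropped while here.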
@ -75,15 +76,15 @@
192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Protocol</emphasis>: The networking protocol that VMs uses to
send outgoing traffic. The TCP and UDP protocols are typically used for data exchange
and end-user communications. The ICMP protocol is typically used to send error messages
or network monitoring data.</para>
<para><emphasis role="bold">Protocol</emphasis>: The networking protocol that VMs uses
to send outgoing traffic. The TCP and UDP protocols are typically used for data
exchange and end-user communications. The ICMP protocol is typically used to send
error messages or network monitoring data.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Start Port, End Port</emphasis>: (TCP, UDP only) A range of
listening ports that are the destination for the outgoing traffic. If you are opening a
single port, use the same number in both fields.</para>
listening ports that are the destination for the outgoing traffic. If you are opening
a single port, use the same number in both fields.</para>
</listitem>
<listitem>
<para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>: (ICMP only) The type of
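Review bot: the reflow of the Protocol item keeps a grammar error: "The networking protocol that VMs uses to send outgoing traffic" should read "that VMs use to send". Since the lines are being rewritten anyway, fix it in the same change.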
@ -95,4 +96,65 @@
<para>Click Add.</para>
</listitem>
</orderedlist>
</section>
<section id="default-egress-policy">
<title>Changing the Default Egress Policy</title>
<para>You can configure the default policy of egress firewall rules in Isolated Advanced
networks. Use the create network offering option to determine whether the default policy
should be block or allow all the traffic to the public network from a guest network. If no
policy is specified, by default all the traffic is allowed from the guest network that you
create by using this network offering.</para>
<para>You have two options: Allow and Deny.</para>
<formalpara>
<title>Allow</title>
<para>If you select Allow for a network offering, by default egress traffic is allowed.
However, when an egress rule is configured for a guest network, rules are applied to block
the specified traffic and rest are allowed. If no egress rules are configured for the
network, egress traffic is accepted.</para>
</formalpara>
<formalpara>
<title>Deny</title>
<para>If you select Deny for a network offering, by default egress traffic for the guest
network is blocked. However, when an egress rules is configured for a guest network, rules
are applied to allow the specified traffic. While implementing a guest network, &PRODUCT;
adds the firewall egress rule specific to the default egress policy for the guest
network.</para>
</formalpara>
<para>This feature is supported only on virtual router and Juniper SRX.</para>
<orderedlist>
<listitem>
<para>Create a network offering with your desirable default egress policy:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>Log in with admin privileges to the &PRODUCT; UI.</para>
</listitem>
<listitem>
<para>In the left navigation bar, click Service Offerings.</para>
</listitem>
<listitem>
<para>In Select Offering, choose Network Offering.</para>
</listitem>
<listitem>
<para>Click Add Network Offering.</para>
</listitem>
<listitem>
<para>In the dialog, make necessary choices, including firewall provider.</para>
</listitem>
<listitem>
<para>In the Default egress policy field, specify the behaviour.</para>
</listitem>
<listitem>
<para>Click OK.</para>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>Create an isolated network by using this network offering.</para>
<para>Based on your selection, the network will have the egress public traffic blocked or
allowed.</para>
</listitem>
</orderedlist>
<para>On upgrade existing network offerings with firewall service providers will have the
default egress policy DENY.</para>
</section>
</section>
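Review bot: the closing upgrade note, "On upgrade existing network offerings with firewall service providers will have the default egress policy DENY", needs a comma after "On upgrade" and should say that this preserves the pre-upgrade behaviour (egress blocked unless a rule allows it), so administrators reading it know existing networks do not open up after upgrading. Several other wording problems in the new section: "when an egress rules is configured" (rule), "block the specified traffic and rest are allowed" (and the rest is allowed), "your desirable default egress policy" (desired), and "whether the default policy should be block or allow all the traffic" (should block or allow). Finally, "This feature is supported only on virtual router and Juniper SRX" should state which policy applies when another firewall provider is chosen, since step 1 of the procedure still has the user fill in the Default egress policy field regardless of the provider selected in the previous step.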

View File

@ -20,15 +20,16 @@
-->
<section id="ip-forwarding-firewalling">
<title>IP Forwarding and Firewalling</title>
<para>By default, all incoming traffic to the public IP address is rejected.
All outgoing traffic from the guests is also blocked by default.</para>
<para>To allow outgoing traffic, follow the procedure in <xref linkend="egress-firewall-rule"/>.</para>
<para>By default, all incoming traffic to the public IP address is rejected. All outgoing traffic
from the guests is also blocked by default.</para>
<para>To allow outgoing traffic, follow the procedure in <xref linkend="egress-firewall-rule"
/>.</para>
<para>To allow incoming traffic, users may set up firewall rules and/or port forwarding rules. For
example, you can use a firewall rule to open a range of ports on the public IP address, such as
33 through 44. Then use port forwarding rules to direct traffic from individual ports within
that range to specific ports on user VMs. For example, one port forwarding rule could route
incoming traffic on the public IP's port 33 to port 100 on one user VM's private IP.</para>
<xi:include href="egress-firewall-rule.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="firewall-rules.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="egress-firewall-rule.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="port-forwarding.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</section>
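Review bot: the reflowed sentence "All outgoing traffic from the guests is also blocked by default" is inconsistent with the default-egress-policy section added in this same commit, where Allow is the default when no policy is specified; reword it to say outgoing traffic is blocked or allowed according to the network offering's default egress policy, and keep the xref to egress-firewall-rule for the details. The reorder of the xi:include lines (firewall-rules now before egress-firewall-rule) changes the published chapter order and is unrelated to the wording fix, so it deserves its own mention in the commit description.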

View File

@ -107,11 +107,11 @@
<title>Guidelines</title>
<para>When a guest network is created with Cisco VNMC firewall provider, an additional public
IP is acquired along with the Source NAT IP. The Source NAT IP is used for the ASA outside
interface, whereas the addition IP is used to workaround an ASA limitation. Ensure that this
additional public IP is not released. You can identify this IP as soon as the network is in
implemented state and before acquiring any further public IPs. The additional IP is the one
that is not marked as Source NAT. You can find the IP used for the ASA outside interface by
looking at the Cisco VNMC used in your guest network.</para>
interface, whereas the additional IP is used to workaround an ASA limitation. Ensure that
this additional public IP is not released. You can identify this IP as soon as the network
is in implemented state and before acquiring any further public IPs. The additional IP is
the one that is not marked as Source NAT. You can find the IP used for the ASA outside
interface by looking at the Cisco VNMC used in your guest network.</para>
</section>
<section id="how-to-asa">
<title>Using Cisco ASA 1000v Services</title>
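Review bot: "addition" to "additional" is the right fix, but the same sentence still has "used to workaround an ASA limitation", which uses the noun as a verb; change it to "used to work around". "The network is in implemented state" would also read better as "in the Implemented state", matching how the state name appears in the UI.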