
VPC ACL Issue

Open assistanz247 opened this issue 1 year ago • 6 comments

ISSUE TYPE
  • Improvement Request
COMPONENT NAME

VPC

CLOUDSTACK VERSION

Cloudstack 4.18.0.0

CONFIGURATION

VPC Network

OS / ENVIRONMENT

N/A

SUMMARY

I have allowed only port 3389 in the VPC ACL, but I am able to access using another port that is not in the allowed list.

STEPS TO REPRODUCE

Here is my scenario.

I have created a VPC, then created a new ACL list named my-ACL and added the below rules.

For Egress:

ALL Egress allow

For Ingress:

CIDR: 0.0.0.0/0 Protocol: TCP From Port: 3389 To Port: 3389

Then I created two Windows VMs under this new network. Then I acquired a Public IP address and added the below port forwarding.

For VM1:

Private port: 3389 Public Port: 3389

For VM2:

Private Port: 3389 Public Port: 2812

In my scenario, I need to access only VM1 through RDP using the public IP address on port 3389. But I'm able to access VM2 with 2812 also.

But in my network ACL, I have allowed only port 3389.

EXPECTED RESULTS

Should be able to access only VM1 on port 3389, not VM2 on port 2812.

ACTUAL RESULTS

I was able to access VM2 using port 2812.

assistanz247 avatar Apr 30 '23 13:04 assistanz247

Thanks for opening your first issue here! Be sure to follow the issue template!

boring-cyborg[bot] avatar Apr 30 '23 13:04 boring-cyborg[bot]

@assistanz247 by the current design the network ACL in a VPC is applied at the tier side, hence the public port is not filtered by the ACL. It is allowing the traffic since the private port 3389 is allowed as per the ACL rule. In order to filter the traffic based on the public port, we may have to introduce ACLs for public interfaces on the VPC in addition to the VPC tier ACLs in use. Another way to handle this specific scenario would be by introducing a destination CIDR field in the ACL item where the destination VM guest IP could be configured.

rajujith avatar May 02 '23 07:05 rajujith

Currently network ACLs apply on VPC tiers only. It might be a change (API, UI, service layer) to support ACLs on public IPs.

As I said on the mailing list, each ACL rule can have only one CIDR, which is the source CIDR for Ingress rules and the destination CIDR for Egress rules. I am +1 on adding source and destination CIDRs to Network ACL items.

weizhouapache avatar May 02 '23 07:05 weizhouapache
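The two comments above describe why the reporter's ACL does not behave as expected: port forwarding is a destination NAT that is applied before the tier ACL is evaluated, so the ACL only ever sees the private port (3389 for both VMs), never the public port (2812). The following is an added illustration, not CloudStack code, that models that ordering on a VPC virtual router and then shows how each of the two proposed changes would close the gap. The `source_cidr` field on the port-forwarding rule (the direction PR#7081 takes) and the `dest_cidr` field on the ACL item are hypothetical attributes used only for this model; the IP addresses are constructed.

```python
"""Added example (not CloudStack code): model of the ingress packet path on a
VPC virtual router. Port forwarding (DNAT) runs first, the tier ACL runs on
the translated packet, so the ACL never sees the public port."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class PortForward:
    public_ip: str
    public_port: int
    private_ip: str
    private_port: int
    source_cidr: Optional[str] = None   # hypothetical: source restriction on the PF rule


@dataclass(frozen=True)
class AclItem:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "all"
    start_port: int
    end_port: int
    cidr: str                        # source CIDR for an ingress rule
    dest_cidr: Optional[str] = None  # hypothetical: destination (guest IP) CIDR


def apply_port_forward(pkt: Packet, forwards: List[PortForward]) -> Optional[Packet]:
    """DNAT step: rewrite public ip:port to the guest's private ip:port.
    Returns None when no rule matches or the hypothetical source CIDR rejects it."""
    for fw in forwards:
        if (pkt.dst_ip, pkt.dst_port) != (fw.public_ip, fw.public_port):
            continue
        if fw.source_cidr and ip_address(pkt.src_ip) not in ip_network(fw.source_cidr):
            return None
        return Packet(pkt.src_ip, fw.private_ip, fw.private_port, pkt.proto)
    return None


def evaluate_ingress_acl(pkt: Packet, items: List[AclItem], default: str = "deny") -> str:
    """Tier ACL step on the already-translated packet; first matching item wins."""
    for item in items:
        if item.proto != "all" and item.proto != pkt.proto:
            continue
        if not (item.start_port <= pkt.dst_port <= item.end_port):
            continue
        if ip_address(pkt.src_ip) not in ip_network(item.cidr):
            continue
        if item.dest_cidr and ip_address(pkt.dst_ip) not in ip_network(item.dest_cidr):
            continue
        return item.action
    return default


def router_ingress(pkt: Packet, forwards: List[PortForward],
                   acl: List[AclItem]) -> Tuple[str, Optional[Packet]]:
    """Order matters: port forwarding first, then the tier ACL on the result."""
    inner = apply_port_forward(pkt, forwards)
    if inner is None:
        return "dropped-by-pf", None
    return evaluate_ingress_acl(inner, acl), inner


# Constructed addresses for the scenario in the issue (not from the page).
PUBLIC_IP, VM1, VM2, CLIENT = "203.0.113.10", "10.1.1.10", "10.1.1.11", "198.51.100.7"
ACL_ALLOW_3389 = [AclItem("allow", "tcp", 3389, 3389, "0.0.0.0/0")]
FORWARDS = [
    PortForward(PUBLIC_IP, 3389, VM1, 3389),   # VM1: public 3389 -> private 3389
    PortForward(PUBLIC_IP, 2812, VM2, 3389),   # VM2: public 2812 -> private 3389
]


def reproduce_issue() -> Dict[int, str]:
    """Both forwards reach the ACL with dst_port 3389, so both are allowed."""
    return {port: router_ingress(Packet(CLIENT, PUBLIC_IP, port), FORWARDS, ACL_ALLOW_3389)[0]
            for port in (3389, 2812, 4000)}


def fix_with_pf_source_cidr(admin_cidr: str) -> Dict[str, str]:
    """Hypothetical PR#7081-style fix: only admin_cidr may use the 2812 forward."""
    forwards = [FORWARDS[0], PortForward(PUBLIC_IP, 2812, VM2, 3389, source_cidr=admin_cidr)]
    return {src: router_ingress(Packet(src, PUBLIC_IP, 2812), forwards, ACL_ALLOW_3389)[0]
            for src in (CLIENT, "192.0.2.5")}


def fix_with_acl_dest_cidr() -> Dict[int, str]:
    """Hypothetical destination-CIDR fix: the allow item applies to VM1 only."""
    acl = [AclItem("allow", "tcp", 3389, 3389, "0.0.0.0/0", dest_cidr=f"{VM1}/32")]
    return {port: router_ingress(Packet(CLIENT, PUBLIC_IP, port), FORWARDS, acl)[0]
            for port in (3389, 2812)}
```

`reproduce_issue()` returns `allow` for both public ports 3389 and 2812, matching what the reporter saw, while a port with no forwarding rule (4000) never reaches the ACL at all. With a source CIDR on the forwarding rule only the admin range reaches VM2; with a destination CIDR on the ACL item the forward to VM2 is still translated but then denied by the tier ACL. The same ordering (DNAT before filtering) is what a practitioner should expect from any router that applies NAT in a pre-routing stage and filters on the forwarded packet, so checking the ACL against the private port, not the public one, is the right mental model when reviewing VPC rules.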

This is a good improvement request to add source and destination CIDRs to Network ACL items

kiranchavala avatar May 02 '23 10:05 kiranchavala

Hey @assistanz247 I'm working on a PR to add source CIDR on Port Forward for VPCs. Could you please take a look at PR#7081 and verify if the proposed feature covers your use case?

@weizhouapache I will take the time to respond to your requests. For the delay in answering them, I apologize.

RodrigoDLopez avatar May 18 '23 13:05 RodrigoDLopez

Hi Rodrigo,

We have gone through PR#7081 and confirmed that it will resolve our issue in VPC.

Thanks a lot :-)

Regards, Loges https://www.stackbill.com


assistanz247 avatar May 19 '23 14:05 assistanz247