very hard to firewall eucalyptus securely
Bug #412664 reported by
Chris Jones
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
eucalyptus (Ubuntu) | Triaged | Wishlist | Unassigned |
Bug Description
Because eucalyptus flushes various netfilter tables on startup and always appends its rules, it's quite hard to construct a sane and simple firewall.
For example, in the default setup, nodes have essentially unfettered access to the local network of the Cloud Controller (I've not verified it, but it seems like they may even be able to adopt the IP of something on the LAN).
Typically I would prefer for explicit ACCEPT rules to be added early in chains, with blanket "and now deny everything else" rules at the end, but doing this on a CLC is impossible currently and I'm having to jump through hoops to correctly restrict the access of node controllers and nodes.
Changed in eucalyptus (Ubuntu): status: Confirmed → Triaged
I've not looked at this *at all*, but one thought is to have a eucalyptus chain (or chains) that eucalyptus manages. It can add the chain on boot, and then add rules to the chain. Then it can manage the chain however it wants (even flush it). Once added, the chain is never removed from the BUILTIN chain, so then its location can be depended on across reboots and flushes, making firewalling outside of eucalyptus easier.
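The managed-chain layout suggested in the comment above, as an added example that is not eucalyptus's own code: the site firewall hooks a chain that eucalyptus owns into INPUT first and ends with a blanket deny, and eucalyptus only ever flushes and refills its own chain. The chain name, networks and port are constructed, and the script prints the iptables commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example of the managed-chain layout from the comment above; not eucalyptus code.
# Dry run by default: commands are printed. Run with IPT=iptables as root to apply.
IPT=${IPT:-"echo iptables"}
EUCA_CHAIN=eucalyptus-in      # hypothetical chain owned by eucalyptus
LAN=192.168.1.0/24            # constructed: the LAN the cloud controller sits on
NODES=10.0.0.0/24             # constructed: the node-controller network
EUCA_PORT=8773                # placeholder: the service port nodes must reach

# Site firewall, outside eucalyptus, applied once at boot: insert the jump to the
# managed chain first, add explicit ACCEPTs early, and end with a blanket deny.
fw_site() {
    $IPT -N "$EUCA_CHAIN" 2>/dev/null || true
    $IPT -I INPUT 1 -j "$EUCA_CHAIN"
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -j DROP
    # Nodes may reach the controller but are not forwarded onto its LAN.
    $IPT -A FORWARD -s "$NODES" -d "$LAN" -j DROP
}

# What eucalyptus would do on every start: touch only its own chain.
# Flushing it leaves the INPUT jump and the site's deny rules in place.
fw_euca_refresh() {
    $IPT -F "$EUCA_CHAIN"
    $IPT -A "$EUCA_CHAIN" -s "$NODES" -p tcp --dport "$EUCA_PORT" -j ACCEPT
    # RETURN: anything eucalyptus does not claim falls through to the site rules.
    $IPT -A "$EUCA_CHAIN" -j RETURN
}

# The full plan in order, one command per line.
fw_plan() {
    fw_site
    fw_euca_refresh
}

fw_plan
```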