fwaas: icmp traffic blocked on adding tcp deny (ssh) rule
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Invalid | Undecided | srividyaketharaju | 
Bug Description
When TCP deny rules are added to a firewall, or there are no rules in the firewall policy, ICMP traffic is blocked until an ICMP allow rule is added to the firewall.
Steps:
1. Boot two VMs in different networks, with a router attached to both VMs' subnets.
2. Add security group rules for SSH and ping.
3. Make sure SSH and ping work from one VM to the other.
4. Add a TCP deny (ssh) or TCP deny (http) rule, or no firewall rule at all.
5. Try to SSH: it fails, which is expected since a deny TCP firewall rule was added.
6. Try to ping the VMs: it also fails.
Actual: ping (ICMP) traffic gets denied by adding a TCP deny rule.
Expected: only SSH should be blocked, not ICMP.
ICMP traffic is allowed only when an ICMP allow rule is added to the firewall. Is this expected behaviour?
summary: - icmp traffic blocked on adding tcp deny (ssh) rule
         + fwaas: icmp traffic blocked on adding tcp deny (ssh) rule
affects: python-neutronclient → neutron
Changed in neutron:
assignee: nobody → tamil vanan (tamilhce)
Changed in neutron:
assignee: tamil vanan (tamilhce) → nobody
Changed in neutron:
assignee: nobody → srividyaketharaju (srividya)
I tried to reproduce the bug on the Mitaka version.
Steps:
1. Launched two VMs (10.125.155.3, 10.119.16.3) on two different networks (net1: 10.125.155.0/24 and net2: 10.119.16.0/24).
2. Created a router with two interfaces, one for net1 and one for net2.
3. Created security groups with SSH and ICMP (ping) rules and attached them to the VMs.
4. Created a firewall with a TCP deny firewall rule and added it to the router.
5. From the vm1 console, tried to SSH/ping to vm2.
Analysis:
We also tried another scenario, i.e. a TCP allow rule for blocking connection establishment, but it is not getting blocked.
We cannot block only SSH, as we have added a TCP deny rule.
Both SSH and ping are getting blocked.
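The behaviour in both the report and the reproduction above is what a policy with an implicit final deny produces: traffic that matches no rule in the policy is dropped, so a policy holding only a TCP deny rule (or no rule at all) drops ICMP as well, and an explicit ICMP allow rule is needed to let ping through. The following is an added example, not code from neutron, FWaaS or either poster; it models first-match rule evaluation with a default action, using a `Rule`/`Policy` structure and an `evaluate()` function that are assumptions of this illustration rather than neutron's API. The named policies reproduce step 4 of the report, the "add an ICMP allow rule" fix, the port-less TCP deny used in the reproduction, and the rule-ordering caveat that a broad allow placed before a deny makes the deny unreachable.

```python
"""Model of first-match firewall policy evaluation with an implicit deny.

Added illustration; not neutron or FWaaS code. The assumption modelled here is
that rules are tried in policy order, the first match decides, and traffic that
matches nothing falls through to the policy's default action (deny).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    protocol: Optional[str] = None   # "tcp", "udp", "icmp", or None for any
    dest_port: Optional[int] = None  # None matches any destination port
    name: str = ""                   # label used in the returned reason

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        """True when this rule's protocol and port constraints both apply."""
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.dest_port is not None and self.dest_port != dport:
            return False
        return True


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "deny"     # assumed implicit final action of the policy

    def evaluate(self, proto: str, dport: Optional[int] = None) -> Tuple[str, str]:
        """Return (action, reason): the first matching rule, else the default."""
        for rule in self.rules:
            if rule.matches(proto, dport):
                return rule.action, rule.name or f"{rule.action} {rule.protocol or 'any'}"
        return self.default_action, "implicit default"


def check_flows(policy: Policy) -> dict:
    """Evaluate the three flows the bug report exercises against one policy."""
    return {
        "ssh": policy.evaluate("tcp", 22),
        "http": policy.evaluate("tcp", 80),
        "ping": policy.evaluate("icmp"),
    }


# Step 4 of the report: only a "tcp deny (ssh)" rule in the policy.
DENY_SSH_ONLY = Policy([Rule("deny", "tcp", 22, "deny-ssh")])

# Step 4, other variant: a policy with no rules at all.
EMPTY = Policy()

# What the reporter had to add to get ping working again.
DENY_SSH_ALLOW_ICMP = Policy([
    Rule("deny", "tcp", 22, "deny-ssh"),
    Rule("allow", "icmp", None, "allow-icmp"),
])

# The reproduction's port-less "TCP deny" rule: every TCP flow matches it.
DENY_ALL_TCP = Policy([Rule("deny", "tcp", None, "deny-tcp")])

# Ordering caveat: a broad TCP allow ahead of the SSH deny shadows the deny.
ALLOW_TCP_BEFORE_DENY_SSH = Policy([
    Rule("allow", "tcp", None, "allow-tcp"),
    Rule("deny", "tcp", 22, "deny-ssh"),
])

if __name__ == "__main__":
    cases = [
        ("deny ssh only", DENY_SSH_ONLY),
        ("empty policy", EMPTY),
        ("deny ssh + allow icmp", DENY_SSH_ALLOW_ICMP),
        ("deny all tcp", DENY_ALL_TCP),
        ("allow tcp before deny ssh", ALLOW_TCP_BEFORE_DENY_SSH),
    ]
    for label, pol in cases:
        print(f"{label}:")
        for flow, (action, reason) in check_flows(pol).items():
            print(f"  {flow:5} -> {action:5} ({reason})")
```

Running it shows ping denied by "implicit default" for the first two policies and allowed only once the ICMP allow rule is present, which is the outcome both posters saw. The last policy is the check a practitioner should do on any deny rule: if a broader allow precedes it, the deny never fires, and the flow the deny was meant to block is allowed by the first match instead.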