fwaas: icmp traffic blocked on adding tcp deny (ssh) rule

Bug #1618117 reported by Soumya Kolbhandari
Affects: neutron | Status: Invalid | Importance: Undecided | Assigned to: srividyaketharaju

Bug Description

When tcp deny rules are added to a firewall, or no rules are in the firewall policy, icmp traffic is blocked until an icmp allow rule is added to the firewall.

Steps:
1. Boot two VMs on different networks, with a router attached to both VMs' subnets.
2. Add security group rules for ssh and ping.
3. Make sure SSH and ping work from one VM to the other.
4. Add a tcp deny (ssh) or tcp deny (http) rule, or no firewall rule at all.
5. Try to ssh; it fails, as expected, since a firewall rule to deny tcp was added.
6. Try to ping the VMs; it also fails.
Actual: Ping (icmp) traffic gets denied by adding a tcp deny rule.
Expected: Only ssh should be blocked, not icmp.

ICMP traffic is allowed only when an ICMP allow rule is added to the firewall; is this expected behaviour?

summary: - icmp traffic blocked on adding tcp deny (ssh) rule
+ fwaas: icmp traffic blocked on adding tcp deny (ssh) rule
affects: python-neutronclient → neutron
tamil vanan (tamilhce) changed in neutron:
assignee: nobody → tamil vanan (tamilhce)
tamil vanan (tamilhce) changed in neutron:
assignee: tamil vanan (tamilhce) → nobody
Changed in neutron:
assignee: nobody → srividyaketharaju (srividya)
Revision history for this message
srividyaketharaju (srividya) wrote :

I tried to reproduce the bug on the mitaka version.

steps:

1. Launched two VMs (10.125.155.3, 10.119.16.3) on two different networks (net1: 10.125.155.0/24 and net2: 10.119.16.0/24).
2. Created a router with two interfaces, for net1 and net2.
3. Created security groups with ssh and ICMP (ping) rules and tagged these to the VMs.
4. Created a firewall with a TCP deny firewall rule and added it to the router.
5. From the vm1 console, tried to ssh/ping to vm2.

Analysis:

We have tried another scenario as well, i.e. a TCP allow rule for blocking connection establishment, but it is not getting blocked.
We cannot block only ssh, as we have added a TCP deny rule.
Both ssh and ping are getting blocked.

Revision history for this message
cheng (tangch318) wrote :

The firewall is like a white list.

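The behaviour the reporter and the two comments above describe is first-match evaluation with an implicit default deny: a packet that matches no rule is dropped, so a policy containing only deny rules (or no rules) blocks everything, and an explicit deny rule adds nothing the default does not already do. The model below is an added example that illustrates those semantics; it is not neutron's FWaaS driver code, and the rule fields, the chain name `fw-in` used in the rendered iptables-style lines, and the sample packets are constructed assumptions.

```python
"""Model of a first-match firewall policy with an implicit default deny.

Constructed example for the bug above: rule shapes, the chain name and
the sample packets are assumptions, not neutron's own code.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    protocol: str                     # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None    # ICMP carries no port


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    protocol: Optional[str] = None    # None matches any protocol
    dst_port: Optional[int] = None    # None matches any port
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; no match means 'deny' (whitelist)."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def to_iptables(policy: List[Rule], chain: str = "fw-in") -> List[str]:
    """Render the policy as iptables-style lines for reading.

    The trailing unconditional DROP is the implicit default that turns
    the policy into a whitelist.  Chain name is an assumption.
    """
    lines = []
    for rule in policy:
        if not rule.enabled:
            continue
        parts = [f"-A {chain}"]
        if rule.protocol is not None:
            parts.append(f"-p {rule.protocol}")
        if rule.dst_port is not None:
            parts.append(f"--dport {rule.dst_port}")
        parts.append("-j ACCEPT" if rule.action == "allow" else "-j DROP")
        lines.append(" ".join(parts))
    lines.append(f"-A {chain} -j DROP")
    return lines


# Constructed sample traffic from the reproduction steps.
SSH = Packet("tcp", 22)
HTTP = Packet("tcp", 80)
PING = Packet("icmp")

# Policies from the report: deny-only, empty, and the two fixes.
DENY_SSH_ONLY = [Rule("deny", "tcp", 22)]
EMPTY: List[Rule] = []
DENY_SSH_ALLOW_ICMP = [Rule("deny", "tcp", 22), Rule("allow", "icmp")]
DENY_SSH_ALLOW_REST = [Rule("deny", "tcp", 22), Rule("allow")]


def verdicts(policy: List[Rule]) -> dict:
    """Verdict for each sample packet under the given policy."""
    return {name: evaluate(policy, pkt)
            for name, pkt in (("ssh", SSH), ("http", HTTP), ("ping", PING))}


if __name__ == "__main__":
    for name, policy in (("deny ssh only", DENY_SSH_ONLY), ("no rules", EMPTY),
                         ("deny ssh + allow icmp", DENY_SSH_ALLOW_ICMP),
                         ("deny ssh + allow rest", DENY_SSH_ALLOW_REST)):
        print(f"{name}: {verdicts(policy)}")
        for line in to_iptables(policy):
            print("   ", line)
```

Running it shows why the report's expectation does not hold under these semantics: with only `deny tcp 22` (or with no rules at all) ssh, http and ping are all denied by the trailing DROP, adding `allow icmp` lets ping through while http stays blocked, and the policy that actually matches "only ssh should be blocked" is the deny rule followed by a catch-all allow. The practical takeaway for a policy author is that each class of traffic that should pass needs an explicit allow rule ordered after any deny rules meant to override it.
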
Revision history for this message
Brian Haley (brian-haley) wrote :

Will close as it's quite old, if this is still an issue with the latest code please re-open and provide more information.

Changed in neutron:
status: New → Invalid