Comment 7 for bug 1978497

Jeremy Stanley (fungi) wrote : Re: [Bug 1978497] Re: Firewall groups are not ordered on port associations

On 2022-06-20 13:29:33 -0000 (-0000), Anthony wrote:
[...]
> This works with security groups on VM ports because there are no
> "deny" actions. When we have "deny" actions in firewall policies,
> and there are multiple policies applied to a port, if one policy
> allows the traffic and another policy denies the traffic, there is
> a conflict. It now becomes random whether or not that traffic will
> be allowed or denied.
[...]

Agreed. I'm arguing that, per the spec, that traffic should always
be allowed because at least one firewall rule group allows it. The
fact that it's sometimes denied by a deny rule in one of the groups
seems like the actual bug here, but I can see how that inconsistency
could lead a user to assume the blocking was intentional behavior
and then start relying on it.

And yes, with my security administrator hat on, I agree that even
ignoring this particular inconsistency, it's a confusing design to
not have deterministic ordering from the application of multiple
rulesets. As far as determining whether there's a security
vulnerability in the software, however (and whether it's severe
enough to warrant continued discussion in secret), we need to
consider the behavior the software is intended to have rather than
the behavior users might want it to have.
--
Jeremy Stanley
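The conflict the two comments describe, as an added illustration that is not part of the bug thread or of the Neutron FWaaS code: a port with several firewall groups attached, evaluated once with the "allowed if any group allows" semantics the comment attributes to the spec, and once with order-dependent first-match semantics. The group and rule names are constructed for the example; the point is that under first-match evaluation the same traffic is allowed or denied depending only on the order the groups happen to be walked in.

```python
"""
Toy model of several firewall groups attached to one port.

  - any_allow():  traffic is allowed if at least one attached group allows it
                  (the semantics the comment says the spec requires).
  - first_match(): groups are walked in the given order and the first group
                  with a matching rule decides (order-dependent).

All names and rules below are constructed for this example.
"""
from dataclasses import dataclass
from itertools import permutations
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # e.g. "tcp", "udp"
    port: Optional[int] = None  # None matches any destination port

    def matches(self, proto: str, port: int) -> bool:
        return self.proto == proto and (self.port is None or self.port == port)


@dataclass(frozen=True)
class FirewallGroup:
    name: str
    rules: Tuple[Rule, ...]  # evaluated top to bottom, first match wins within the group

    def decide(self, proto: str, port: int) -> Optional[str]:
        for rule in self.rules:
            if rule.matches(proto, port):
                return rule.action
        return None  # no rule matched: this group expresses no opinion


def any_allow(groups, proto: str, port: int) -> str:
    """Deterministic: allowed if any attached group allows, else denied."""
    decisions = [g.decide(proto, port) for g in groups]
    return "allow" if "allow" in decisions else "deny"


def first_match(groups, proto: str, port: int) -> str:
    """Order-dependent: the first group with a matching rule decides."""
    for g in groups:
        decision = g.decide(proto, port)
        if decision is not None:
            return decision
    return "deny"  # default deny when no group matched


def is_order_dependent(groups, proto: str, port: int) -> bool:
    """True if first_match() can give different answers for different group orders."""
    outcomes = {first_match(perm, proto, port) for perm in permutations(groups)}
    return len(outcomes) > 1


# Constructed example: one group allows TCP/22, another denies all TCP.
ALLOW_SSH = FirewallGroup("allow-ssh", (Rule("allow", "tcp", 22),))
DENY_TCP = FirewallGroup("deny-tcp", (Rule("deny", "tcp"),))
PORT_GROUPS = (ALLOW_SSH, DENY_TCP)

if __name__ == "__main__":
    print("any-allow:            ", any_allow(PORT_GROUPS, "tcp", 22))
    print("first-match, order A: ", first_match(PORT_GROUPS, "tcp", 22))
    print("first-match, order B: ", first_match(PORT_GROUPS[::-1], "tcp", 22))
    print("order dependent:      ", is_order_dependent(PORT_GROUPS, "tcp", 22))
```

`is_order_dependent()` is the check a reviewer would want when triaging a report like this one: it tries every ordering of the attached groups and reports whether the verdict changes, which separates "the design is confusing" from "the same packet gets different treatment on different runs".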