CloudStack: Firewall

Links to great tutorials and original contributions.
Don't know how to setup your VPN ? How to install a panel ? How to tweak yout VPS ? Check here and ask if you don't find what you are looking for.
Post Reply
Admin
Site Admin
Posts: 490
Joined: Wed Jul 25, 2012 10:54 pm

CloudStack: Firewall

Post by Admin » Wed Jul 10, 2013 3:00 am

Hello !

As you probably found out, the default security group does not allow any connections from outside to your VM, IPv4 TCP/UDP/ICMP connections are totally blocked.
This is intended, if you wish to provide a specific service to the internet, you will need to open the port(s) for the service. It saves us from some types of attacks, such as DNS amplification DDoS when careless admins leave the dns open and in some cases even recursive, many times it is not even needed or used.
But I digress.
In order to open a specific port, you need to go to Network and select as view Security Groups:
Image
As you can see, there is the Default security group there already.
Let's look at what it does for incoming connections (click on default and selected "Ingress Rule" tab):
Image
This allows access to port 22 TCP from all over the internet as uncle added the rule before, but is disabled by default, everything is blocked.
Let's add another rule, say, we wish to run a web server and want to allow HTTP and HTTPS traffic, that being TCP ports 80 and 443.
We will add the rules like this:
Image
Click the add button and repeat with port 443 instead of 80.
The end result is this:
Image

If you wish your changes to be valid for all VMs in the account, you can do this in the account view by selecting the account radio button.
The same applies to UDP and ICMP.
In order to allow all incoming traffic, just put the start port 1 and end port 65535 on TCP and UDP. ICMP is portless, therefore you need to add only the CIDR address to allow from the whole internet (0.0.0.0/0).
You can also fine tune this in order to allow only one IP, such as 123.123.123.123/32 presuming the ip is 123.123.123.123 or the whole class c, presuming you have IPs in that range (123.123.123.1-123.123.123.254 which translates to 123.123.123.0/24).

Example:
I am running a billing panel on a server some place and wish to allow it to access the solusvm master that i run on a VM in the cloud with Prometeus/Iperweb and deny access to everyone else. Let's suppose the IP where I run the billing panel is 1.2.3.4 and port for solusvm is 5656 (for SSL as it should be used by any sane host) So, I am adding the rule for TCP traffic, port starting at 5656 and ending at 5656 and as CIDR I add the billing panel IP which is 1.2.3.4 and the netmask for only one IP which is 32, so we have:
Image
I strongly advise everyone not to open all ports by default unless they know how to stop all redundant services or not to installt hem at all. Our templates are minimalistic running only port 22 ssh, however, many applications install by default services which are not needed and this increases the risk for 0 days exploits, even if you keep them updated daily. Instead, consult your application documentation and open only the ports needed for it to function. If you know what you are doing, and I suppose most our customers do, go ahead :) Our regular VPSes have all ports open by default, this only eliminates the need for running a firewall in mostt cases, it is not put there to limit you in any way shape or form.
We may offer another security model with all ports open.

Note: IPv6 is still wide open, you will have to use the VMs firewall to filter IPv6 if you choose to enable it and need to offer services over IPv6.

zsero
Posts: 8
Joined: Mon Jan 07, 2013 5:00 pm

Re: CloudStack: Firewall

Post by zsero » Wed Jul 10, 2013 3:49 pm

I recommend having the following ports open by default:
1. ICMP ping
2. TCP: 22, 80, 443
3. everything else closed

rizko
Posts: 9
Joined: Sun Aug 12, 2012 11:38 pm

Re: CloudStack: Firewall

Post by rizko » Wed Jul 10, 2013 10:53 pm

How about ICMP setting. What should I put in "ICMP Type" and "ICMP Code".?

Thanks
Kurnia

Admin
Site Admin
Posts: 490
Joined: Wed Jul 25, 2012 10:54 pm

Re: CloudStack: Firewall

Post by Admin » Thu Jul 11, 2013 4:09 am

Hello !

Ports open by default:
I am not sure, I think we either open all or none. In the end maybe we add a few security groups, one with all closed (default), one with some open and one with all open.

ICMP: ICMP is portless, you can open various types of ICMP (for example, ping), or all.
There are tables with ICMP types and codes, but I presume you do not run complex routing applications so, open only ping.

vanarp
Posts: 2
Joined: Sat Nov 24, 2012 8:18 pm

Re: CloudStack: Firewall

Post by vanarp » Thu Jul 11, 2013 7:22 am

I am not able to ping my instance while I am able to SSH using a non-standard port. My Ingress rules look like below (masked ssh port). Please help me.

Image

Admin
Site Admin
Posts: 490
Joined: Wed Jul 25, 2012 10:54 pm

Re: CloudStack: Firewall

Post by Admin » Thu Jul 11, 2013 8:56 am

Hello !

That doesnt say much, since the ICMP rules do not display the codes and types for ICMP.
Here is a list of types and codes for ICMP:
http://www.nthelp.com/icmp.html

I managed to allow incoming ping with ICMP type 8 and code 0.

rizko
Posts: 9
Joined: Sun Aug 12, 2012 11:38 pm

Re: CloudStack: Firewall

Post by rizko » Thu Jul 11, 2013 10:04 am

I think one security groups with all port closed is enough :)

Thank you

Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests