yahoo-eng-team team mailing list archive

[Bug 1618117] [NEW] fwaas: icmp traffic blocked on adding tcp deny (ssh) rule

 

Public bug reported:

When tcp deny rules are added to a firewall, or there are no rules in
the firewall policy, icmp traffic is blocked until an icmp allow rule is
added to the firewall.

Steps:
1. Boot two VMs in different networks, with a router associated to both VMs' subnets.
2. Add security group rules for ssh and ping.
3. Make sure SSH and ping work from one VM to another.
4. Add tcp deny (ssh) or tcp deny (http) or no firewall rule.
5. Try to ssh; it fails, which works as expected since the firewall rule for deny tcp is added.
6. Try to ping the VMs; it also fails.

Actual: Ping (icmp) traffic gets denied by adding a tcp deny rule.
Expected: Only ssh should be blocked, not icmp.

ICMP traffic is allowed only when an ICMP allow rule is added to the
firewall. Is this expected behaviour?

** Affects: neutron
     Importance: Undecided
         Status: New

** Summary changed:

- icmp traffic blocked on adding tcp deny (ssh) rule
+ fwaas: icmp traffic blocked on adding tcp deny (ssh) rule

** Project changed: python-neutronclient => neutron

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1618117
