modified FORWARD policy name to ACCEPT and enabled by default ESTABLISHED #337
Actually we can first configure the rule allowing the ssh traffic before
attaching the firewall to the interface.
…On Tue, Sep 22, 2020 at 7:38 AM Fulvio Risso ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In src/services/pcn-firewall/datamodel/firewall.yang:
> @@ -92,8 +92,8 @@ module firewall {
leaf action {
type action;
polycube-base:init-only-config;
- description "Action if the rule matches. Default is DROP.";
- polycube-base:cli-example "DROP, FORWARD, LOG";
+ description "Action if the rule matches. Default is ACCEPT.";
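Review bot: the new description on leaf action says only "Default is ACCEPT." and gives no hint that this is a fail-open default. Suggest extending the text to state that matching traffic is accepted unless the action is explicitly set to DROP. Also, the removed line polycube-base:cli-example "DROP, FORWARD, LOG" has no replacement among the visible lines, so please check that the updated example lists ACCEPT in place of FORWARD.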
This was changed recently because of a logistical problem.
Let's assume you deploy a firewall on a remote machine, and the default
action is DROP. What happens is that as soon as you start the firewall,
you lose the connection to the remote machine.
So, to avoid this problem (very important in real deployments), we changed
the default action to ACCEPT. Obviously, the user can change it to DROP
according to their preferences, hopefully after having properly configured the
ruleset.
Accept the 'accept' as default to minimize the impact to deployment
/rebase
…SHED Signed-off-by: Simone Magnani <simonemagnani.96@gmail.com>
Rebase status: success!
3405df6 to cb9374d
d2e2cb0 to 6d64166
Briefly, before starting the test the DROP policy has been added to both the INGRESS and EGRESS paths, in order to make the test run
Signed-off-by: Simone Magnani <simonemagnani.96@gmail.com>
6d64166 to 24a0f8d
Signed-off-by: Simone Magnani <simonemagnani.96@gmail.com>
/rebase
Rebase status: success!
53147c1 to 74a61e7
Signed-off-by: Simone Magnani <simonemagnani.96@gmail.com>
74a61e7 to b042e9c
++++TEST ./../src/services/pcn-firewall/test/ping/test_ping_5.1.sh Failed++++
++++TEST ./../src/services/pcn-firewall/test/tcp/test_tcp_4.sh Failed++++
@FedeParola Can you help checking these two tests please? This is taking more time than expected
I may have found the cause of the problem @s41m0n. I still don't understand why the same tests passed formerly... But it is worth giving it a try
Maybe I found out why the tests are passing on the master: original tests use a batch file to carry rules and then pass this file to the polycubectl command, however probably this method doesn't work and no instruction is added at all, leaving only the default (forward) policy.
The number of rules injected is the same, it hasn't changed.
I remember having tested file injection with "polycubectl" with Fulvio and it seemed to work. Anyway, now the rules are correctly inserted, I am able to see them all, and locally the test passes :(
Yes you are right, I didn't check too accurately, sorry.
Ok then the overflow is probably caused by the DEBUG instructions, try instantiating the firewall with no loglevel (default=INFO) and the problem should be gone.
Signed-off-by: Simone Magnani <simonemagnani.96@gmail.com>
@FedeParola thanks, the debug option seemed to alter some test, it worked.
FIX #331
ENHANCE #334
Tried quickly with docker s41m0n/polycube:fulvio, if someone can help testing this and modifying all the tests accordingly would be amazing.
Signed-off-by: Simone Magnani simonemagnani.96@gmail.com