Hi All,
Before someone says RTFM, it has been done as well as several threads in this forum. Either I'm missing something or it has not been clearly defined in any of those sources.
So what I would like to clarify is how the different firewall layers (datacenter, node, VM) impact each other (if at all)?
Let me give a couple of examples:
- I configure all drop in the datacenter firewall and only allow traffic in to 8006.
What would this mean for nodes and VMs?
1. Would it mean that traffic coming in directly to a specific node or VM IP would also all be dropped automatically because it was set at datacenter level?
2. What if I then allow traffic to 3128 on a specific node in a cluster but not on the other cluster nodes? Will it actually come through if all drop was already configured for the datacenter? Or would the new node rule automatically override the all drop from the datacenter for that one node?
3. What are the levels of override? Is it VM overrides node, which in turn overrides datacenter? Or does each layer function totally independently, so that even if all traffic was dropped at the datacenter level it would not impact any traffic aimed directly at a node IP or a VM IP?
- So assuming the answer to question 3 is VM > node > datacenter:
3.1 If I then create a rule to drop traffic to port 3389 in datacenter, set no explicit rule for that port at node level but create an allow rule for 3389 for the VM... will the VM actually get its 3389 traffic? Or do I not even have to create a specific allow rule for the VM because it will receive all traffic in any case because no explicit drop all was created for it?
Any explanations on the subject would be appreciated greatly.
Werner