
13.14. IP Forwarding and Firewall

By default, all incoming traffic to the public IP address is rejected. All outgoing traffic from the guests is also blocked by default.
To allow outgoing traffic, follow the procedure in Section 13.14.1, “Creating Egress Firewall Rules in an Advanced Zone”.
To allow incoming traffic, users may set up firewall rules and/or port forwarding rules. For example, you can use a firewall rule to open a range of ports on the public IP address, such as 33 through 44. Then use port forwarding rules to direct traffic from individual ports within that range to specific ports on user VMs. For example, one port forwarding rule could route incoming traffic on the public IP's port 33 to port 100 on one user VM's private IP. For more information, see Section 13.14.2, “Firewall Rules” and Section 13.14.3, “Port Forwarding”.

13.14.1. Creating Egress Firewall Rules in an Advanced Zone

Note

The egress firewall rules are supported only on virtual routers.
The egress traffic originates from a private network to a public network, such as the Internet. By default, the egress traffic is blocked, so no outgoing traffic is allowed from a guest network to the Internet. However, you can control the egress traffic in an Advanced zone by creating egress firewall rules. When an egress firewall rule is applied, the traffic specific to the rule is allowed and the remaining traffic is blocked. When all the firewall rules are removed, the default policy, Block, is applied.
Consider the following scenarios to apply egress firewall rules:
  • Allow the egress traffic from a specified source CIDR. The source CIDR is part of the guest network CIDR.
  • Allow the egress traffic with destination protocol TCP, UDP, ICMP, or ALL.
  • Allow the egress traffic with destination protocol and port range. The port range is specified for TCP, UDP or for ICMP type and code.
To configure an egress firewall rule:
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation bar, select Network.
  3. In Select view, choose Guest networks, then click the Guest network you want.
  4. To add an egress rule, click the Egress rules tab and fill out the following fields to specify what type of traffic is allowed to be sent out of VM instances in this guest network:
    [Figure egress-firewall-rule.png: adding an egress firewall rule]
    • CIDR: (Add by CIDR only) To send traffic only to the IP addresses within a particular address block, enter a CIDR or a comma-separated list of CIDRs. The CIDR is the base IP address of the destination. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.
    • Protocol: The networking protocol that VMs use to send outgoing traffic. The TCP and UDP protocols are typically used for data exchange and end-user communications. The ICMP protocol is typically used to send error messages or network monitoring data.
    • Start Port, End Port: (TCP, UDP only) A range of listening ports that are the destination for the outgoing traffic. If you are opening a single port, use the same number in both fields.
    • ICMP Type, ICMP Code: (ICMP only) The type of message and error code that are sent.
  5. Click Add.
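As an added example (not code from the CloudStack documentation or project), the following Python models the egress policy described in this section so that a rule set can be checked against sample flows before it is applied: the default policy is Block, a flow leaves only if some rule matches it, ALL covers any port, and the CIDR is treated as a destination filter as the field description above states. The rule and flow field names are this example's own, and the rule set is constructed.

```python
import ipaddress


def _in_cidrs(ip, cidrs):
    """True if ip falls inside any of the comma-separated CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in cidrs.split(","))


def rule_matches(rule, flow):
    """True if one egress rule allows the flow.

    rule uses the UI field names (cidr, protocol, startport, endport, icmptype,
    icmpcode); flow carries dst, protocol and either port or icmptype/icmpcode.
    """
    if not _in_cidrs(flow["dst"], rule["cidr"]):
        return False
    proto = rule["protocol"].lower()
    if proto == "all":                      # protocol ALL: any destination port
        return True
    if proto != flow["protocol"].lower():
        return False
    if proto in ("tcp", "udp"):             # port range applies to TCP/UDP only
        return rule["startport"] <= flow["port"] <= rule["endport"]
    if proto == "icmp":                     # ICMP is matched on type and code
        return (rule["icmptype"], rule["icmpcode"]) == (flow["icmptype"], flow["icmpcode"])
    return False


def egress_allowed(rules, flow):
    """Default policy is Block: with no matching rule (or no rules at all),
    nothing leaves the guest network."""
    return any(rule_matches(r, flow) for r in rules)


# Constructed rule set: DNS only to resolvers in 192.168.0.0/22, HTTPS to
# anywhere, ICMP echo requests to anywhere.
RULES = [
    {"cidr": "192.168.0.0/22", "protocol": "UDP", "startport": 53, "endport": 53},
    {"cidr": "0.0.0.0/0", "protocol": "TCP", "startport": 443, "endport": 443},
    {"cidr": "0.0.0.0/0", "protocol": "ICMP", "icmptype": 8, "icmpcode": 0},
]

if __name__ == "__main__":
    for flow in ({"dst": "192.168.1.10", "protocol": "udp", "port": 53},
                 {"dst": "8.8.8.8", "protocol": "udp", "port": 53},
                 {"dst": "93.184.216.34", "protocol": "tcp", "port": 80}):
        print(flow, "allowed" if egress_allowed(RULES, flow) else "blocked")
```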

13.14.2. Firewall Rules

By default, all incoming traffic to the public IP address is rejected by the firewall. To allow external traffic, you can open firewall ports by specifying firewall rules. You can optionally specify one or more CIDRs to filter the source IPs. This is useful when you want to allow only incoming requests from certain IP addresses.
You cannot use firewall rules to open ports for an elastic IP address. When elastic IP is used, outside access is instead controlled through the use of security groups. See Section 13.7.2, “Adding a Security Group”.
In an advanced zone, you can also create egress firewall rules by using the virtual router. For more information, see Section 13.14.1, “Creating Egress Firewall Rules in an Advanced Zone”.
Firewall rules can be created using the Firewall tab in the Management Server UI. This tab is not displayed by default when CloudStack is installed. To display the Firewall tab, the CloudStack administrator must set the global configuration parameter firewall.rule.ui.enabled to "true".
To create a firewall rule:
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation bar, select Network.
  3. Click the name of the network you want to work with.
  4. Click View IP Addresses.
  5. Click the IP address you want to work with.
  6. Click the Configuration tab and fill in the following values.
    • Source CIDR. (Optional) To accept traffic only from IP addresses within a particular address block, enter a CIDR or a comma-separated list of CIDRs. Example: 192.168.0.0/22. Leave empty to allow all CIDRs.
    • Protocol. The communication protocol in use on the opened port(s).
    • Start Port and End Port. The port(s) you want to open on the firewall. If you are opening a single port, use the same number in both fields.
    • ICMP Type and ICMP Code. Used only if Protocol is set to ICMP. Provide the type and code required by the ICMP protocol to fill out the ICMP header. Refer to the ICMP documentation for more details if you are not sure what to enter.
  7. Click Add.

13.14.3. Port Forwarding

A port forward service is a set of port forwarding rules that define a policy. A port forward service is then applied to one or more guest VMs. The guest VM then has its inbound network access managed according to the policy defined by the port forwarding service. You can optionally specify one or more CIDRs to filter the source IPs. This is useful when you want to allow only incoming requests from certain IP addresses to be forwarded.
A guest VM can be in any number of port forward services. Port forward services can be defined but have no members. If a guest VM is part of more than one network, port forwarding rules will function only if they are defined on the default network.
You cannot use port forwarding to open ports for an elastic IP address. When elastic IP is used, outside access is instead controlled through the use of security groups. See Security Groups.
To set up port forwarding:
  1. Log in to the CloudStack UI as an administrator or end user.
  2. If you have not already done so, add a public IP address range to a zone in CloudStack. See Adding a Zone and Pod in the Installation Guide.
  3. Add one or more VM instances to CloudStack.
  4. In the left navigation bar, click Network.
  5. Click the name of the guest network where the VMs are running.
  6. Choose an existing IP address or acquire a new IP address. See Section 13.11, “Acquiring a New IP Address”. Click the name of the IP address in the list.
  7. Click the Configuration tab.
  8. In the Port Forwarding node of the diagram, click View All.
  9. Fill in the following:
    • Public Port. The port to which public traffic will be addressed on the IP address you acquired in the previous step.
    • Private Port. The port on which the instance is listening for forwarded public traffic.
    • Protocol. The communication protocol in use between the two ports.
  10. Click Add.
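As an added example (not code from the CloudStack documentation or project), the following Python builds the signed API requests equivalent to the ingress setup described at the top of Section 13.14: a firewall rule opening TCP 33 through 44 on the public IP, restricted to one source CIDR, and a port forwarding rule sending public port 33 to port 100 on a VM. The endpoint URL, API key, secret key, IP address id and VM id are placeholders; the command and parameter names (createFirewallRule, createPortForwardingRule, ipaddressid, cidrlist, startport, endport, publicport, privateport, virtualmachineid) are CloudStack's, and the signing follows CloudStack's documented sort, lowercase, HMAC-SHA1, base64 scheme. Nothing is sent; the URLs are only constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Placeholders constructed for this example; substitute your own values.
ENDPOINT = "https://cloudstack.example.invalid/client/api"
API_KEY = "EXAMPLE-API-KEY"
SECRET_KEY = "EXAMPLE-SECRET-KEY"
PUBLIC_IP_ID = "public-ip-id-placeholder"
VM_ID = "vm-id-placeholder"


def sign_query(params, secret):
    """CloudStack request signing: sort parameters by name, URL-encode each
    value, lowercase the whole string, HMAC-SHA1 it with the secret key and
    base64-encode the digest. Returns (query string, signature)."""
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    query = "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in ordered)
    digest = hmac.new(secret.encode(), query.lower().encode(), hashlib.sha1).digest()
    return query, base64.b64encode(digest).decode()


def signed_url(command, **params):
    """Full GET URL for one API command, with the signature appended."""
    params.update(command=command, apiKey=API_KEY, response="json")
    query, signature = sign_query(params, SECRET_KEY)
    return f"{ENDPOINT}?{query}&signature={quote(signature, safe='')}"


def firewall_rule_url(ip_id, protocol, start_port, end_port, cidrs=("0.0.0.0/0",)):
    """Ingress rule on the public IP (13.14.2). Only the listed source CIDRs
    may reach the port range; traffic matched by no rule stays rejected."""
    return signed_url("createFirewallRule", ipaddressid=ip_id, protocol=protocol,
                      startport=start_port, endport=end_port, cidrlist=",".join(cidrs))


def port_forwarding_url(ip_id, vm_id, protocol, public_port, private_port):
    """Port forwarding rule (13.14.3): one public port to one port on the VM."""
    return signed_url("createPortForwardingRule", ipaddressid=ip_id,
                      virtualmachineid=vm_id, protocol=protocol,
                      publicport=public_port, privateport=private_port)


if __name__ == "__main__":
    # The section's example: open 33-44, but only to one admin network, then
    # send public port 33 to port 100 on the VM's private IP.
    print(firewall_rule_url(PUBLIC_IP_ID, "tcp", 33, 44, cidrs=("192.168.0.0/22",)))
    print(port_forwarding_url(PUBLIC_IP_ID, VM_ID, "tcp", 33, 100))
```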