So I was so pleased to see that vSphere 5.5 would support ACLs on dvS.
Then I started implementing it.
So I got a portgroup with 2 VMs in it:
They have the following IPs: x.x.x.236 and x.x.x.237
I created the following rule:
action: drop
traffic direction: egress
protocol is icmp
source ip address any
destination is no x.x.x.254
Now I ping 2 IPs (x.x.x.1 and x.x.x.254) from both VMs. Only the .254 works (of course).
But then I create the next rule:
action: drop
traffic direction: egress
protocol is any
source ip is any
destination ip is any
After applying, I can't ping the .254 anymore?
What am I doing wrong?
Regards
I haven't played with dvSwitch ACLs myself yet, but this seems pretty self-explanatory if you have ever dealt with firewall rules. Packets are matched against the rule base in order until the first rule applies.
If you only have the first rule, it does not apply to pinging .254. So the implicit default rule is used to decide what to do. In this case with ACLs it's a default "allow any" rule and the packet is forwarded.
Now if you implement the 2nd rule, which denies any traffic, it will also drop what was previously allowed by the implicit "allow any" rule because this rule is checked before the implicit rule. Obviously you won't be able to communicate via ICMP pings (or any other traffic) anymore because this rule drops everything.
What you need is an explicit rule allowing pings to .254, that comes before the drop all rule in your rule base. Change the first rule to "allow" and the destination to .254 (without negation).
We are talking about non-stateful rules, so firewall rules have nothing to do with it.
What I'm used to with ACLs at switch level (this is what VMware is trying to do) is that it will stop processing rules when it hits a rule that "says" something about the rule.
So if I allow ICMP and want to disallow everything else, I first create a rule which allows ICMP and blocks everything else.
With some switch brands you don't even have to create a drop-all rule. It will drop everything when there is no matching rule.
HansdeJongh wrote:
But then I create the next rule:
action: drop
traffic direction: egress
protocol is any
source ip is any
destination ip is any
After applying, I can't ping the .254 anymore?
What am I doing wrong?
Your first rule is a drop rule. And then this rule is also a drop rule. You have not created any allow rules.
The rule you describe is designed to drop all traffic. It is literally "Drop all egress traffic of any protocol, from any source, to any destination." It is working as intended.
Typically you create drop rules for what you wish to block, and then follow up with a "permit any any" type of rule.
It is not working as intended. VMware support already concluded that and filed a PR.
With ACLs you create an allow rule; with some switching brands everything else is dropped without creating a drop rule, but with some you still have to create a drop-all rule.
Perhaps you copied your rules down incorrectly when you shared them? Because you stated that you created this rule:
action: drop
traffic direction: egress
protocol is any
source ip is any
destination ip is any
If you read that rule, it literally says "drop all traffic" - and then your traffic is dropped. How is this not working as intended?
You're overlooking the "no" part in the first drop rule.
But let's put it differently.
What if I want to disallow EVERYTHING except ICMP to .254? How should I do that?
What if I want to disallow EVERYTHING except ICMP to .254? How should I do that?
You'd just need a permit statement for that traffic prior to a matching drop rule.
Do a logical walkthrough:
Rule 1 =
action: drop
traffic direction: egress
protocol is icmp
source ip address any
destination is no x.x.x.254
This is a drop rule, so it is looking for traffic to drop. Your ICMP packet to x.x.x.254 does not match this rule. The ACL moves on to the next rule.
Rule 2 =
action: drop
traffic direction: egress
protocol is any
source ip is any
destination ip is any
This is a drop rule, so it is looking for traffic to drop. Your ICMP packet to x.x.x.254 DOES match this rule. The packet is dropped.
Instead, make sure Rule 1 is a permit that allows traffic matching your x.x.x.254 traffic. The ACL will match the rule to the traffic and permit it and stop looking at the rules, even if there is a drop rule further down the list.
Do a logical walkthrough:
Rule 1 =
action: drop
traffic direction: egress
protocol is icmp
source ip address any
destination is no x.x.x.254
first action: drop
direction = egress
protocol = icmp
source ip = any
destination is everything EXCEPT x.x.x.254
so this rule drops ALL icmp EXCEPT to x.x.x.254
so this rule drops ALL icmp EXCEPT to x.x.x.254
Correct. The ICMP packet is then dropped because of Rule 2. If you want to allow only ICMP to x.x.x.254, the rules would look like this:
Rule 1
action: permit
traffic direction: egress
protocol is icmp
source ip address any
destination is x.x.x.254
Rule 2
action: drop
traffic direction: egress
protocol is any
source ip is any
destination ip is any
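To make the first-match walkthrough above concrete, here is a small Python model of the ordered-rule evaluation described in this thread (an added example, not VMware's code or the poster's configuration). The 10.0.0.x addresses are constructed stand-ins for the thread's x.x.x.236, .1 and .254, and the implicit "allow" when no rule matches is taken as an assumption from the explanation given above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One ordered ACL entry; negate_dst models 'destination is no x.x.x.254'."""
    action: str        # "drop" or "permit"
    direction: str     # "egress", "ingress" or "any"
    protocol: str      # "icmp", "tcp", ... or "any"
    src: str           # single IP or "any"
    dst: str           # single IP or "any"
    negate_dst: bool = False

def _match(field, value):
    return field == "any" or field == value

def matches(rule, pkt):
    dst_ok = _match(rule.dst, pkt["dst"])
    if rule.negate_dst:          # "no <ip>": match everything except that IP
        dst_ok = not dst_ok
    return (_match(rule.direction, pkt["direction"])
            and _match(rule.protocol, pkt["proto"])
            and _match(rule.src, pkt["src"]) and dst_ok)

def evaluate(rules, pkt, default="permit"):
    """First match wins; nothing matched -> implicit default (assumed: allow)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return default, None

# Constructed addresses standing in for the thread's x.x.x.236 / .1 / .254.
VM, GW, OTHER = "10.0.0.236", "10.0.0.254", "10.0.0.1"
OP_RULES = [                 # the thread's two drop rules, in order
    Rule("drop", "egress", "icmp", "any", GW, negate_dst=True),
    Rule("drop", "egress", "any", "any", "any"),
]
FIXED_RULES = [              # the corrected set: explicit permit first
    Rule("permit", "egress", "icmp", "any", GW),
    Rule("drop", "egress", "any", "any", "any"),
]

def ping(src, dst, proto="icmp"):
    return {"direction": "egress", "proto": proto, "src": src, "dst": dst}

def walkthrough(rules):
    """Verdict and matching rule index for pings from the VM to .1 and .254."""
    return {dst: evaluate(rules, ping(VM, dst)) for dst in (OTHER, GW)}

if __name__ == "__main__":
    for name, rules in (("rule 1 only", OP_RULES[:1]), ("rules 1+2", OP_RULES), ("fixed", FIXED_RULES)):
        print(name, walkthrough(rules))
```

With only rule 1, the ping to .254 falls through to the implicit allow; adding the drop-any rule catches it at index 1, and the corrected set permits it at index 0 while a non-ICMP packet to .254 is still dropped.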
I also had a similar problem.
x.x.x.x to x.x.x.x drop
and then x.x.x.x to any or to x.x.x.y/24; there was a Java problem.