[openstack-dev] [Neutron]One security issue about floating ip

Miguel Angel Ajo Pelayo mangelajo at redhat.com
Thu Jun 26 16:57:34 UTC 2014


Yes, once a connection has passed the nat tables,
and it's on the kernel connection tracker, it
will keep working even if you remove the nat rule.

Doing that would require manipulating the kernel
connection tracking to kill that connection.
I'm not familiar with that part of the Linux network
stack, not sure if it's possible, but that would be
the perfect way. (kill nat connection on ext ip=float ip int_ip = internal ip)...

----- Original Message -----
> Hi folks,
> 
> After we create an SSH connection to a VM via its floating ip, even though we
> have removed the floating ip association, we can still access the VM via
> that connection. Namely, SSH is not disconnected when the floating ip is not
> valid. Any good solution about this security issue?
> 
> Thanks
> Xurong Yang
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
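The fix Miguel sketches, killing the stale conntrack entries when the floating IP is disassociated, as an added example that is not part of this thread or of Neutron's own code: it parses a constructed `conntrack -L` listing, picks out the flows that still map through the floating IP in either NAT direction, and builds the `conntrack -D` deletes that would be run as root in the router's network namespace. Addresses and flows are constructed for the example.

```python
import re
import subprocess

# Constructed `conntrack -L` sample (not from the thread). Floating IP
# 203.0.113.50 is DNATed to fixed IP 10.0.0.5: flow 1 is the inbound SSH
# session, flow 2 an outbound SNATed flow from the same instance, flow 3
# belongs to another floating IP and must be left alone.
SAMPLE_LISTING = """\
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.50 sport=51234 dport=22 src=10.0.0.5 dst=198.51.100.7 sport=22 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=198.51.100.53 sport=40321 dport=53 src=198.51.100.53 dst=203.0.113.50 sport=53 dport=40321 mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.9 dst=203.0.113.51 sport=40000 dport=22 src=10.0.0.6 dst=198.51.100.9 sport=22 dport=40000 [ASSURED] mark=0 use=1
"""

# One conntrack line: proto, proto number, timeout, optional TCP state, then
# the original tuple followed by the reply tuple.
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?"
    r"src=(?P<osrc>\S+) dst=(?P<odst>\S+) sport=(?P<osport>\d+) dport=(?P<odport>\d+) "
    r"src=(?P<rsrc>\S+) dst=(?P<rdst>\S+) sport=(?P<rsport>\d+) dport=(?P<rdport>\d+)"
)


def parse_listing(listing):
    """Return one dict per parsable conntrack entry (original + reply tuple)."""
    return [m.groupdict() for m in map(ENTRY_RE.match, listing.splitlines()) if m]


def flows_for_floating_ip(listing, floating_ip):
    """Entries still NATing through floating_ip: inbound DNAT shows it as the
    original destination, outbound SNAT shows it as the reply destination."""
    return [e for e in parse_listing(listing)
            if e["odst"] == floating_ip or e["rdst"] == floating_ip]


def delete_commands(floating_ip):
    """conntrack-tools invocations that drop exactly those flows (needs root)."""
    return [["conntrack", "-D", "--orig-dst", floating_ip],
            ["conntrack", "-D", "--reply-dst", floating_ip]]


def flush_floating_ip(floating_ip, run=subprocess.run):
    """Run the deletes right after the NAT rule is removed. `run` is injectable
    so the step can be dry-run or logged; conntrack exits 1 when nothing
    matched, so the exit code is deliberately not treated as an error."""
    return [run(cmd, check=False) for cmd in delete_commands(floating_ip)]


if __name__ == "__main__":
    stale = flows_for_floating_ip(SAMPLE_LISTING, "203.0.113.50")
    print("flows that survive removing the NAT rule:", len(stale))
    flush_floating_ip("203.0.113.50",
                      run=lambda cmd, **kw: print("would run:", " ".join(cmd)))
```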