[openstack-dev] [Neutron]One security issue about floating ip

Clark, Robert Graham robert.clark at hp.com
Thu Jun 26 17:27:39 UTC 2014


It's kinda ugly: if a user through API/Horizon thinks they've isolated a
host, it should be isolated...

I smell an OSSN here...

On 26/06/2014 17:57, "Miguel Angel Ajo Pelayo" <mangelajo at redhat.com>
wrote:

>Yes, once a connection has passed the NAT tables
>and it's on the kernel connection tracker, it
>will keep working even if you remove the NAT rule.
>
>Doing that would require manipulating the kernel
>connection tracking to kill that connection.
>I'm not familiar with that part of the Linux network
>stack, not sure if it's possible, but that would be
>the perfect way (kill the NAT connection on ext ip = float ip, int_ip =
>internal ip)...
>
>
>
>
>----- Original Message -----
>> Hi folks,
>> 
>> After we create an SSH connection to a VM via its floating IP, even though
>> we have removed the floating IP association, we can still access the VM via
>> that connection. Namely, SSH is not disconnected when the floating IP is
>> not valid. Any good solution for this security issue?
>> 
>> Thanks
>> Xurong Yang
>> 
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
>
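The behaviour Miguel describes above (a flow that is already in the kernel connection tracker keeps being translated after the NAT rule is gone) and the fix he suggests (kill the conntrack entries keyed on the floating IP) as an added shell example. This is not code from the thread or from Neutron. It assumes a Neutron L3 agent host where the router's iptables and conntrack table live in a network namespace named qrouter-<router uuid>, conntrack-tools installed, root, and IPv4 floating IPs; the function names and the address 203.0.113.10 are constructed for the example.

```shell
#!/bin/sh
# Added example, not Neutron code. Flush kernel conntrack state for a floating
# IP inside a Neutron router namespace so that NAT'd flows die when the
# floating IP association is removed. Assumptions: root on the L3 agent host,
# conntrack-tools installed, IPv4 only, router namespace named
# "qrouter-<router uuid>".

# Return 0 if $1 is a well-formed dotted-quad IPv4 address. The address ends
# up on a root command line under "ip netns exec", so refuse anything else.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Print, one per line, the conntrack deletions that cover both NAT directions:
#   inbound DNAT flows (client -> floating IP) carry the floating IP as the
#   ORIGINAL destination, hence --orig-dst;
#   outbound SNAT flows (VM -> outside) carry it as the REPLY destination,
#   hence --reply-dst.
conntrack_flush_cmds() {
    is_ipv4 "$1" || return 1
    printf 'conntrack -D --orig-dst %s\n' "$1"
    printf 'conntrack -D --reply-dst %s\n' "$1"
}

# Show what conntrack still knows about a floating IP. Running this after the
# floating IP has been disassociated reproduces the report: the SSH flow is
# still listed as ESTABLISHED even though the DNAT rule is gone.
show_floating_ip_flows() {
    ns=$1; fip=$2
    is_ipv4 "$fip" || { echo "bad floating IP: $fip" >&2; return 2; }
    ip netns exec "$ns" conntrack -L --orig-dst "$fip"
    ip netns exec "$ns" conntrack -L --reply-dst "$fip"
}

# Delete the flows. Order matters: run this only AFTER the DNAT/SNAT rules for
# the floating IP have been removed from the namespace, otherwise the next
# packet re-creates the entry through the rule that is still present.
flush_floating_ip() {
    ns=$1; fip=$2
    is_ipv4 "$fip" || { echo "bad floating IP: $fip" >&2; return 2; }
    conntrack_flush_cmds "$fip" | while read -r cmd; do
        # $cmd is word-split on purpose; its only variable part passed is_ipv4.
        ip netns exec "$ns" $cmd < /dev/null
    done
}

# Usage: sh flush_fip_conntrack.sh qrouter-<uuid> 203.0.113.10
if [ "$#" -eq 2 ]; then
    show_floating_ip_flows "$1" "$2"
    flush_floating_ip "$1" "$2"
fi
```

Deleting the conntrack entries does not close the TCP session on either end: the client's next packets are simply no longer translated, so its SSH session stalls or is reset, and sshd inside the VM keeps its socket until its keepalive or the TCP timeout fires. That is enough to stop the floating IP from being used as a back door, which is the point of the report, but it is not a clean disconnect.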