MissionCriticalCloud/vagrant-cloudstack

pf_open_firewall should not be combined/related with pf_trusted_networks

bheuvel opened this issue · 0 comments

Problem:
pf_open_firewall directly maps to cloudstack (ACS) portforwarding rules (where cloudstack will generate the required firewall rules, open to 0.0.0.0/0).
Currently, if pf_trusted_networks is specified, the ACS feature is negated for the portforwarding rule, but only for the Communicator forwards.
If additional portforwards are specified, they WILL be automatically opened to 0.0...

As it should be:
pf_open_firewall (restore) maps to the ACS feature on portforwards.
If pf_trusted_networks is specified (and pf_open_firewall is false), the plugin will generate a firewall rule for each portforward.

In the docs it should be clear that pf_open_firewall relates directly to the ACS feature, and that pf_trusted_networks (also) automatically opens the firewall to the specified networks, but only if the ACS feature is not used (as that rule allows all networks).
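To make the two behaviours described in this issue concrete, here is an added Ruby model (example code, not vagrant-cloudstack's own implementation). It builds the list of ACS API calls the plugin would issue for a set of port forwards under the current behaviour and under the intended one, and then asks which source CIDRs can reach each public port. The `PortForward` struct, the `plan_current`/`plan_intended` functions and the sample forwards and trusted networks are assumptions made for the example; the call names `createPortForwardingRule` (with its `openfirewall` flag) and `createFirewallRule` (with `cidrlist`) are the CloudStack API calls the ACS feature and a per-forward firewall rule correspond to.

```ruby
# Added example, not vagrant-cloudstack code: models the issue's "current"
# and "as it should be" handling of pf_open_firewall / pf_trusted_networks.
# A "plan" is the list of ACS API calls the plugin would issue.

PortForward = Struct.new(:name, :public_port, :private_port, :protocol, keyword_init: true)

# createPortForwardingRule; openfirewall=true is the ACS feature that opens
# the port to 0.0.0.0/0 automatically.
def pf_rule(fw, open_firewall)
  { api: "createPortForwardingRule", publicport: fw.public_port,
    privateport: fw.private_port, protocol: fw.protocol, openfirewall: open_firewall }
end

# createFirewallRule for one trusted network, limited to the forward's public port.
def fw_rule(fw, cidr)
  { api: "createFirewallRule", cidrlist: cidr, startport: fw.public_port,
    endport: fw.public_port, protocol: fw.protocol }
end

# Behaviour the issue describes as current: pf_trusted_networks is honoured
# only for the communicator forward; every additional forward is created with
# the ACS openfirewall flag, i.e. opened to 0.0.0.0/0.
def plan_current(forwards, pf_open_firewall:, pf_trusted_networks: [])
  forwards.flat_map do |fw|
    trusted = fw.name == :communicator && !pf_trusted_networks.empty?
    calls = [pf_rule(fw, !trusted)]
    calls += pf_trusted_networks.map { |cidr| fw_rule(fw, cidr) } if trusted
    calls
  end
end

# Intended behaviour: pf_open_firewall maps 1:1 to the ACS flag on every
# forward; when it is false, pf_trusted_networks yields one firewall rule per
# forward per trusted network.
def plan_intended(forwards, pf_open_firewall:, pf_trusted_networks: [])
  forwards.flat_map do |fw|
    calls = [pf_rule(fw, pf_open_firewall)]
    calls += pf_trusted_networks.map { |cidr| fw_rule(fw, cidr) } unless pf_open_firewall
    calls
  end
end

# Which source CIDRs can reach a public port under a plan. An openfirewall
# forward means everything; otherwise only explicitly created firewall rules.
def reachable_from(plan, public_port)
  pf = plan.select { |c| c[:api] == "createPortForwardingRule" && c[:publicport] == public_port }
  return ["0.0.0.0/0"] if pf.any? { |c| c[:openfirewall] }
  plan.select { |c| c[:api] == "createFirewallRule" && c[:startport] == public_port }
      .map { |c| c[:cidrlist] }
end

# Constructed sample input: the SSH communicator forward plus one extra forward.
FORWARDS = [
  PortForward.new(name: :communicator, public_port: 2222, private_port: 22, protocol: "tcp"),
  PortForward.new(name: :web, public_port: 8080, private_port: 80, protocol: "tcp"),
].freeze
TRUSTED = ["10.0.0.0/8", "192.168.1.0/24"].freeze

if __FILE__ == $PROGRAM_NAME
  cur  = plan_current(FORWARDS,  pf_open_firewall: false, pf_trusted_networks: TRUSTED)
  want = plan_intended(FORWARDS, pf_open_firewall: false, pf_trusted_networks: TRUSTED)
  [2222, 8080].each do |port|
    puts "port #{port}: current=#{reachable_from(cur, port)} intended=#{reachable_from(want, port)}"
  end
end
```

Running it shows the gap the issue is about: under the current model port 2222 is limited to the trusted networks while port 8080 is reachable from 0.0.0.0/0, whereas under the intended model both ports are limited to the trusted networks, and setting pf_open_firewall to true produces no createFirewallRule calls at all because the ACS flag already opens every forward to all networks.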