Bug 1187832 - oo-gear-firewall does not block inter gear communication with scaled applications.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 2.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: ---
Assignee: Brenton Leanhardt
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-01-30 22:28 UTC by Eric Rich
Modified: 2019-05-20 11:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-02 19:02:28 UTC
Target Upstream Version:
Embargoed:



Comment 2 Luke Meyer 2015-02-02 13:31:45 UTC
By design, internal ports that are publicly exposed (as :8080 is for a scaled web app) have an exception to allow other gears access; this could not be otherwise under the current port routing scheme and static firewall, as other gears in the same app colocated on the same node may need to access each other, and the external ports are translated into internal IP/port by the DNAT. However, this does not expose anything that isn't already publicly exposed (externally on the node host). It's admittedly surprising but there's no good way around it.

If it were found that non-exposed internal ip:port could also be connected to this way, then this would be a vulnerability. From the description I don't see it. Propose NOTABUG -- unless there is actual exposure?
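The comment above turns on one verifiable condition: gear-to-gear reachability is acceptable only for internal ip:port pairs that are already publicly exposed through the node's DNAT, and any reachable non-exposed pair would be a real exposure. The following script is an added example, not part of the bug report or of OpenShift's oo-gear-firewall, that an operator could run from inside one gear to check exactly that: it attempts a TCP connect to each candidate internal endpoint and flags those that are reachable but absent from the operator-supplied list of expected public exposures. The endpoint values in `main()` are constructed placeholders, and the local listener helper exists only so the check can be exercised offline.

```python
import socket
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Endpoint:
    """An internal gear ip:port pair as seen from another gear on the node."""
    ip: str
    port: int


def is_reachable(ep: Endpoint, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to ep completes; False on refusal, timeout or any socket error.

    A completed handshake means the static firewall let the packet through; it says nothing
    about what the service behind the port does with the connection.
    """
    try:
        with socket.create_connection((ep.ip, ep.port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_gear_reachability(candidates: Iterable[Endpoint],
                            expected_exposed: Set[Endpoint],
                            timeout: float = 1.0) -> dict:
    """Classify candidate endpoints by reachability against the expected public exposure list.

    Returns a dict with three lists:
      'expected'   - reachable and on the expected_exposed list (the by-design case above)
      'unexpected' - reachable but NOT on the list (would indicate actual exposure)
      'blocked'    - not reachable (the firewall is doing its job)
    """
    report = {"expected": [], "unexpected": [], "blocked": []}
    for ep in candidates:
        if not is_reachable(ep, timeout):
            report["blocked"].append(ep)
        elif ep in expected_exposed:
            report["expected"].append(ep)
        else:
            report["unexpected"].append(ep)
    return report


def start_local_listener() -> tuple:
    """Open a listening TCP socket on 127.0.0.1 with an OS-chosen port (for offline demos/tests).

    A bare listen() is enough: the kernel completes the handshake without an accept() call.
    Caller must close the returned socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port() -> int:
    """Return a 127.0.0.1 port that was just released, so a connect to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def main() -> None:
    # Constructed demo: one "exposed web port" (a live local listener standing in for a
    # scaled app's :8080) and one "non-exposed internal port" (a closed local port standing
    # in for something like a database port that DNAT never publishes).
    srv, web_port = start_local_listener()
    try:
        web = Endpoint("127.0.0.1", web_port)            # placeholder for an exposed gear port
        internal = Endpoint("127.0.0.1", reserve_closed_port())  # placeholder for a non-exposed one
        report = audit_gear_reachability([web, internal], expected_exposed={web})
        for category, eps in report.items():
            for ep in eps:
                print(f"{category:10s} {ep.ip}:{ep.port}")
    finally:
        srv.close()


if __name__ == "__main__":
    main()
```

In real use an operator would replace the placeholders with the gear-internal IPs and ports taken from the node's port-routing configuration, mark as expected only the pairs that DNAT publishes externally, and treat any entry in `unexpected` as the "actual exposure" the comment asks for before reopening the bug.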