author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-05-12 11:32:25 +0100 |
committer | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-05-12 13:47:02 +0100 |
commit | ab22c20a82808537c89bbd4e009aae98186e7ade (patch) | |
tree | 708658f995b71a7666244ef3f059d0a03a57ce1b | |
parent | f663d9553a29eed341cc18fc91d4c0aecb7ed109 (diff) | |
download | infrastructure-ab22c20a82808537c89bbd4e009aae98186e7ade.tar.gz |
Add 'internal-only' security group
This can be used instead of 'default' where you want to prevent a system
from connecting to the outside world.
I have switched mason-x86-32.baserock.org and mason-x86-64.baserock.org
to use this security group instead of 'default', so that they will fail
to build anything that tries to fetch source code from places other than
git.baserock.org.
Change-Id: I63cb398bff63ff1e381d4903311a9eb63678ffd8
-rw-r--r-- | firewall.yaml | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/firewall.yaml b/firewall.yaml index a8c52843..64c9200c 100644 --- a/firewall.yaml +++ b/firewall.yaml @@ -63,6 +63,56 @@ protocol: tcp remote_ip_prefix: 0.0.0.0/0 + # This group is an alternative to 'default' for machines that should be + # prevented from connecting to the outside world. + - name: internal-only security group + neutron_sec_group: + name: internal-only + description: Allow outgoing connections only to local network, and incoming ICMP and SSH + state: present + auth_url: "{{ ansible_env.OS_AUTH_URL }}" + login_username: "{{ ansible_env.OS_USERNAME }}" + login_password: "{{ ansible_env.OS_PASSWORD }}" + login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}" + + rules: + - direction: egress + port_range_min: 0 + port_range_max: 255 + ethertype: IPv4 + protocol: icmp + remote_ip_prefix: 192.168.222.0/24 + + - direction: egress + port_range_min: 1 + port_range_max: 65535 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 192.168.222.0/24 + + - direction: egress + port_range_min: 1 + port_range_max: 65535 + ethertype: IPv4 + protocol: udp + remote_ip_prefix: 192.168.222.0/24 + + # ICMP: allow ping! + - direction: ingress + port_range_min: 0 + port_range_max: 255 + ethertype: IPv4 + protocol: icmp + remote_ip_prefix: 0.0.0.0/0 + + # 22: Allow SSH access to all instances. + - direction: ingress + port_range_min: 22 + port_range_max: 22 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + - name: open security group neutron_sec_group: name: open |
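Review bot: The `rules:` list under `- name: internal-only security group` only adds rules, but Neutron attaches allow-all IPv4 and IPv6 egress rules to every newly created security group, so unless `neutron_sec_group` purges rules it did not declare, the group still permits unrestricted outbound traffic and does not do what its description promises. Whether the module purges undeclared rules is not visible in this hunk; it is worth confirming by listing the group's rules in Neutron after the play has run and by checking from one of the mason hosts that a fetch from an address outside 192.168.222.0/24 actually fails. The egress rules also admit the whole 192.168.222.0/24 subnet rather than git.baserock.org alone, which a comment above the `rules:` key should state, e.g. `# NOTE: any host on 192.168.222.0/24 is reachable, so a proxy on that subnet would bypass this restriction.` The rendered page has dropped the hunk's indentation, so the nesting of `rules:` under `neutron_sec_group:` cannot be checked here.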