authorSam Thursfield <sam.thursfield@codethink.co.uk>2015-05-12 11:32:25 +0100
committerSam Thursfield <sam.thursfield@codethink.co.uk>2015-05-12 13:47:02 +0100
commitab22c20a82808537c89bbd4e009aae98186e7ade (patch)
tree708658f995b71a7666244ef3f059d0a03a57ce1b /firewall.yaml
parentf663d9553a29eed341cc18fc91d4c0aecb7ed109 (diff)
Add 'internal-only' security group
This can be used instead of 'default' where you want to prevent a system from connecting to the outside world. I have switched mason-x86-32.baserock.org and mason-x86-64.baserock.org to use this security group instead of 'default', so that they will fail to build anything that tries to fetch source code from places other than git.baserock.org. Change-Id: I63cb398bff63ff1e381d4903311a9eb63678ffd8
Diffstat (limited to 'firewall.yaml')
-rw-r--r--firewall.yaml50
1 files changed, 50 insertions, 0 deletions
diff --git a/firewall.yaml b/firewall.yaml
index a8c52843..64c9200c 100644
--- a/firewall.yaml
+++ b/firewall.yaml
@@ -63,6 +63,56 @@
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
+ # This group is an alternative to 'default' for machines that should be
+ # prevented from connecting to the outside world.
+ - name: internal-only security group
+ neutron_sec_group:
+ name: internal-only
+ description: Allow outgoing connections only to local network, and incoming ICMP and SSH
+ state: present
+ auth_url: "{{ ansible_env.OS_AUTH_URL }}"
+ login_username: "{{ ansible_env.OS_USERNAME }}"
+ login_password: "{{ ansible_env.OS_PASSWORD }}"
+ login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
+
+ rules:
+ - direction: egress
+ port_range_min: 0
+ port_range_max: 255
+ ethertype: IPv4
+ protocol: icmp
+ remote_ip_prefix: 192.168.222.0/24
+
+ - direction: egress
+ port_range_min: 1
+ port_range_max: 65535
+ ethertype: IPv4
+ protocol: tcp
+ remote_ip_prefix: 192.168.222.0/24
+
+ - direction: egress
+ port_range_min: 1
+ port_range_max: 65535
+ ethertype: IPv4
+ protocol: udp
+ remote_ip_prefix: 192.168.222.0/24
+
+ # ICMP: allow ping!
+ - direction: ingress
+ port_range_min: 0
+ port_range_max: 255
+ ethertype: IPv4
+ protocol: icmp
+ remote_ip_prefix: 0.0.0.0/0
+
+ # 22: Allow SSH access to all instances.
+ - direction: ingress
+ port_range_min: 22
+ port_range_max: 22
+ ethertype: IPv4
+ protocol: tcp
+ remote_ip_prefix: 0.0.0.0/0
+
- name: open security group
neutron_sec_group:
name: open