1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
|
# OpenStack firewall setup for baserock.org
#
# This rather ugly and verbose Ansible script defines the firewall
# configuration for the baserock.org cloud.
#
# OpenStack security group rules are all ACCEPT rules, and an instance
# can be in multiple security groups.
#
# Note that many systems don't have a floating IP assigned and thus are
# isolated from the internet. Requests to them are proxied by the
# frontend-haproxy system.
#
# This playbook requires the 'neutron_sec_group' module, available in
# <https://github.com/openstack-ansible/openstack-ansible-modules/>.
- hosts: localhost
tasks:
- name: default security group
neutron_sec_group:
name: default
description: Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections
state: present
auth_url: "{{ ansible_env.OS_AUTH_URL }}"
login_username: "{{ ansible_env.OS_USERNAME }}"
login_password: "{{ ansible_env.OS_PASSWORD }}"
login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
rules:
- direction: egress
port_range_min: 0
port_range_max: 255
ethertype: IPv4
protocol: icmp
remote_ip_prefix: 0.0.0.0/0
- direction: egress
port_range_min: 1
port_range_max: 65535
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- direction: egress
port_range_min: 1
port_range_max: 65535
ethertype: IPv4
protocol: udp
remote_ip_prefix: 0.0.0.0/0
# ICMP: allow ping!
- direction: ingress
port_range_min: 0
port_range_max: 255
ethertype: IPv4
protocol: icmp
remote_ip_prefix: 0.0.0.0/0
# 22: Allow SSH access to all instances.
- direction: ingress
port_range_min: 22
port_range_max: 22
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: open security group
neutron_sec_group:
name: open
description: Allow inbound traffic on all ports. DO NOT USE EXCEPT FOR TESTING!!!
state: present
auth_url: "{{ ansible_env.OS_AUTH_URL }}"
login_username: "{{ ansible_env.OS_USERNAME }}"
login_password: "{{ ansible_env.OS_PASSWORD }}"
login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
rules:
- direction: ingress
port_range_min: 1
port_range_max: 65535
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- direction: ingress
port_range_min: 1
port_range_max: 65535
ethertype: IPv4
protocol: udp
remote_ip_prefix: 0.0.0.0/0
- name: database-mysql security group
neutron_sec_group:
name: database-mysql
description: Allow internal machines to access MariaDB database.
state: present
auth_url: "{{ ansible_env.OS_AUTH_URL }}"
login_username: "{{ ansible_env.OS_USERNAME }}"
login_password: "{{ ansible_env.OS_PASSWORD }}"
login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
rules:
# 3306: MariaDB
- direction: ingress
port_range_min: 3306
port_range_max: 3306
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: gerrit security group
neutron_sec_group:
name: gerrit
description: Allow access to Gerrit SSH daemon port 29418, plus HTTP, HTTPS and Git protocol.
state: present
auth_url: "{{ ansible_env.OS_AUTH_URL }}"
login_username: "{{ ansible_env.OS_USERNAME }}"
login_password: "{{ ansible_env.OS_PASSWORD }}"
login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
rules:
# 80: HTTP, for browsing repos with cgit, and Git-over-HTTP.
- direction: ingress
port_range_min: 80
port_range_max: 80
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 443: HTTPS, for browsing repos with cgit, and Git-over-HTTPS.
- direction: ingress
port_range_min: 443
port_range_max: 443
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 8080: HTTP, for Gerrit web frontend
- direction: ingress
port_range_min: 8080
port_range_max: 8080
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 9418: Git.
- direction: ingress
port_range_min: 9418
port_range_max: 9418
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 29418: Gerrit SSH daemon.
- direction: ingress
port_range_min: 29418
port_range_max: 29418
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: git-server security group
neutron_sec_group:
name: git-server
description: Allow inbound SSH, HTTP, HTTPS and Git.
state: present
auth_url: "{{ ansible_env.OS_AUTH_URL }}"
login_username: "{{ ansible_env.OS_USERNAME }}"
login_password: "{{ ansible_env.OS_PASSWORD }}"
login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
rules:
# 22: SSH, for Git-over-SSH access.
- direction: ingress
port_range_min: 22
port_range_max: 22
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 80: HTTP, for browsing repos with cgit, and Git-over-HTTP.
- direction: ingress
port_range_min: 80
port_range_max: 80
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 443: HTTPS, for browsing repos with cgit, and Git-over-HTTPS.
- direction: ingress
port_range_min: 443
port_range_max: 443
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 9418: Git.
- direction: ingress
port_range_min: 9418
port_range_max: 9418
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: internal mail relay security group
neutron_sec_group:
name: internal-mail-relay
description: Allow receiving internal-only connections on port 25 for SMTP
state: present
auth_url: "{{ ansible_env.OS_AUTH_URL }}"
login_username: "{{ ansible_env.OS_USERNAME }}"
login_password: "{{ ansible_env.OS_PASSWORD }}"
login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
rules:
# 25: SMTP, for sending emails.
- direction: ingress
port_range_min: 25
port_range_max: 25
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 192.168.222.0/24
- name: Mason x86 security group
neutron_sec_group:
name: mason-x86
description: Allow inbound HTTP and HTTPS, and cache server fetches from port 8080.
state: present
auth_url: "{{ ansible_env.OS_AUTH_URL }}"
login_username: "{{ ansible_env.OS_USERNAME }}"
login_password: "{{ ansible_env.OS_PASSWORD }}"
login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
rules:
# 80: HTTP
- direction: ingress
port_range_min: 80
port_range_max: 80
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 443: HTTPS
- direction: ingress
port_range_min: 443
port_range_max: 443
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 8080: morph-cache-server server port. The x86 Masons use
# cache.baserock.org as the cache server for their distbuild
# networks. So cache.baserock.org needs to be able to connect to
# them on this port to fetch artifacts.
- direction: ingress
port_range_min: 8080
port_range_max: 8080
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 185.43.218.0/0
# It'd be nice to limit access by security group, but it doesn't
# seem to actually work. Perhaps because we use external IP to
# access instead of internal IP.
#remote_group_id: "{{ default_group.sec_group.id }}"
- name: shared-artifact-cache security group
neutron_sec_group:
name: shared-artifact-cache
description: Allow inbound HTTP, HTTPS and read-only Morph artifact cache access. Allow writable Morph artifact cache access from internal IPs.
state: present
auth_url: "{{ ansible_env.OS_AUTH_URL }}"
login_username: "{{ ansible_env.OS_USERNAME }}"
login_password: "{{ ansible_env.OS_PASSWORD }}"
login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
rules:
# 80: HTTP for cache server web frontend (at the time of writing, this
# is a useless and empty cgit page, but we may improve it in future).
- direction: ingress
port_range_min: 80
port_range_max: 80
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 443: HTTPS.
- direction: ingress
port_range_min: 443
port_range_max: 443
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 8080: Read-only Morph artifact cache server.
- direction: ingress
port_range_min: 8080
port_range_max: 8080
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 8081: 'writable cache server' port. Anyone who can connect
# to this port can delete or overwrite cached artifacts.
#
# FIXME: because the Masons use cache.baserock.org instead of
# 192.168.0.16 to access the shared artifact cache, we need to
# permit traffic from our public IP range. This provides a
# theoritical attack vector from other tenancies, so we should
# fix the Masons and remove this rule.
- direction: ingress
port_range_min: 8081
port_range_max: 8081
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 185.43.218.0/0
# It'd be nice to limit access by security group, but it doesn't
# seem to actually work. Perhaps because we use external IP to
# access instead of internal IP.
#remote_group_id: "{{ default_group.sec_group.id }}"
- name: web-server security group
neutron_sec_group:
name: web-server
description: Allow inbound HTTP and HTTPS.
state: present
auth_url: "{{ ansible_env.OS_AUTH_URL }}"
login_username: "{{ ansible_env.OS_USERNAME }}"
login_password: "{{ ansible_env.OS_PASSWORD }}"
login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
rules:
# 80: HTTP
- direction: ingress
port_range_min: 80
port_range_max: 80
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# 443: HTTPS
- direction: ingress
port_range_min: 443
port_range_max: 443
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
|
