firewall.yaml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218

# OpenStack firewall setup for baserock.org
#
# This rather ugly and verbose Ansible script defines the firewall
# configuration for the baserock.org cloud.
#
# OpenStack security group rules are all ACCEPT rules, and an instance
# can be in multiple security groups.
#
# Note that many systems don't have a floating IP assigned and thus are
# isolated from the internet. Requests to them are proxied by the
# frontend-haproxy system.
#
# This playbook requires the 'neutron_sec_group' module, available in
# <https://github.com/openstack-ansible/openstack-ansible-modules/>.

- hosts: localhost
  gather_facts: false
  tasks:
    - name: default security group
      os_security_group:
        name: default
        description: Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections
        state: present

    - name: default security group - allow outgoing ICMP
      os_security_group_rule:
        security_group: default
        direction: egress
        port_range_min: 0
        port_range_max: 255
        ethertype: IPv4
        protocol: icmp
        remote_ip_prefix: 0.0.0.0/0

    - name: default security group - allow outgoing TCP
      os_security_group_rule:
        security_group: default
        direction: egress
        port_range_min: 1
        port_range_max: 65535
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: default security group -- allow outgoing UDP
      os_security_group_rule:
        security_group: default
        direction: egress
        port_range_min: 1
        port_range_max: 65535
        ethertype: IPv4
        protocol: udp
        remote_ip_prefix: 0.0.0.0/0

    - name: default security group -- allow incoming ICMP
      os_security_group_rule:
        security_group: default
        direction: ingress
        port_range_min: 0
        port_range_max: 255
        ethertype: IPv4
        protocol: icmp
        remote_ip_prefix: 0.0.0.0/0

    - name: default security group -- allow incoming TCP on port 22 for SSH
      os_security_group_rule:
        security_group: default
        direction: ingress
        port_range_min: 22
        port_range_max: 22
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: open security group
      os_security_group:
        name: open
        description: Allow inbound traffic on all ports. DO NOT USE EXCEPT FOR TESTING!!!
        state: present

    - name: open security group -- allow incoming TCP
      os_security_group_rule:
        security_group: open
        direction: ingress
        port_range_min: 1
        port_range_max: 65535
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: open security group -- allow incoming UDP
      os_security_group_rule:
        security_group: open
        direction: ingress
        port_range_min: 1
        port_range_max: 65535
        ethertype: IPv4
        protocol: udp
        remote_ip_prefix: 0.0.0.0/0

    - name: git-server security group
      os_security_group:
        name: git-server
        description: Allow inbound SSH, HTTP, HTTPS and Git requests.
        state: present

    - name: git-server security group -- allow incoming TCP on port 22 for Git-over-SSH
      os_security_group_rule:
        security_group: git-server
        direction: ingress
        port_range_min: 22
        port_range_max: 22
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: git-server security group -- allow incoming TCP on port 80 for cgit and Git-over-HTTP
      os_security_group_rule:
        security_group: git-server
        direction: ingress
        port_range_min: 80
        port_range_max: 80
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: git-server security group -- allow incoming TCP on port 443 for cgit and Git-over-HTTPS
      os_security_group_rule:
        security_group: git-server
        direction: ingress
        port_range_min: 443
        port_range_max: 443
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: git-server security group -- allow incoming TCP on port 8080 for morph-cache-server tree & SHA1 queries
      os_security_group_rule:
        security_group: git-server
        direction: ingress
        port_range_min: 8080
        port_range_max: 8080
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: git-server security group -- allow incoming TCP on port 9418 for git protocol
      os_security_group_rule:
        security_group: git-server
        direction: ingress
        port_range_min: 9418
        port_range_max: 9418
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: shared-artifact-cache security group
      os_security_group:
        name: shared-artifact-cache
        description: Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)
        state: present

    - name: shared-artifact-cache security group -- allow incoming TCP on port 80 for ostree-over-HTTP
      os_security_group_rule:
        security_group: shared-artifact-cache
        direction: ingress
        port_range_min: 80
        port_range_max: 80
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: shared-artifact-cache security group -- allow incoming TCP on port 443 for ostree-over-HTTP
      os_security_group_rule:
        security_group: shared-artifact-cache
        direction: ingress
        port_range_min: 443
        port_range_max: 443
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    # The port number here was chosen arbitrarily.
    - name: shared-artifact-cache security group -- allow incoming TCP on port 22200 for ostree-over-SSH
      os_security_group_rule:
        security_group: shared-artifact-cache
        direction: ingress
        port_range_min: 22200
        port_range_max: 22200
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: web-server security group
      os_security_group:
        name: web-server
        description: Allow inbound HTTP and HTTPS.
        state: present

    - name: web-server security group -- allow incoming TCP on port 80 for HTTP
      os_security_group_rule:
        security_group: web-server
        direction: ingress
        port_range_min: 80
        port_range_max: 80
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: web-server security group -- allow incoming TCP on port 443 for HTTPS
      os_security_group_rule:
        security_group: web-server
        direction: ingress
        port_range_min: 443
        port_range_max: 443
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0