blob: 5b5b71660728e0540a17f255961c75fe6352357c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
|
# OpenStack firewall setup for baserock.org
#
# This rather ugly and verbose Ansible script defines the firewall
# configuration for the baserock.org cloud.
#
# OpenStack security group rules are all ACCEPT rules, and an instance
# can be in multiple security groups.
#
# Note that many systems don't have a floating IP assigned and thus are
# isolated from the internet. Requests to them are proxied by the
# frontend-haproxy system.
#
# This playbook requires the 'neutron_sec_group' module, available in
# <https://github.com/openstack-ansible/openstack-ansible-modules/>.
- hosts: localhost
gather_facts: false
tasks:
- name: default security group
os_security_group:
name: default
description: Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections
state: present
- name: default security group - allow outgoing ICMP
os_security_group_rule:
security_group: default
direction: egress
port_range_min: 0
port_range_max: 255
ethertype: IPv4
protocol: icmp
remote_ip_prefix: 0.0.0.0/0
- name: default security group - allow outgoing TCP
os_security_group_rule:
security_group: default
direction: egress
port_range_min: 1
port_range_max: 65535
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: default security group -- allow outgoing UDP
os_security_group_rule:
security_group: default
direction: egress
port_range_min: 1
port_range_max: 65535
ethertype: IPv4
protocol: udp
remote_ip_prefix: 0.0.0.0/0
- name: default security group -- allow incoming ICMP
os_security_group_rule:
security_group: default
direction: ingress
port_range_min: 0
port_range_max: 255
ethertype: IPv4
protocol: icmp
remote_ip_prefix: 0.0.0.0/0
- name: default security group -- allow incoming TCP on port 22 for SSH
os_security_group_rule:
security_group: default
direction: ingress
port_range_min: 22
port_range_max: 22
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: open security group
os_security_group:
name: open
description: Allow inbound traffic on all ports. DO NOT USE EXCEPT FOR TESTING!!!
state: present
- name: open security group -- allow incoming TCP
os_security_group_rule:
security_group: open
direction: ingress
port_range_min: 1
port_range_max: 65535
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: open security group -- allow incoming UDP
os_security_group_rule:
security_group: open
direction: ingress
port_range_min: 1
port_range_max: 65535
ethertype: IPv4
protocol: udp
remote_ip_prefix: 0.0.0.0/0
- name: database-mysql security group
os_security_group:
name: database-mysql
description: Allow internal machines to access MariaDB database.
state: present
- name: database security group -- allow incoming TCP on port 3306 for MariaDB connections
os_security_group_rule:
security_group: database-mysql
direction: ingress
port_range_min: 3306
port_range_max: 3306
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: gerrit security group
os_security_group:
name: gerrit
description: Allow access to Gerrit SSH daemon port 29418, plus HTTP, HTTPS and Git protocol.
state: present
- name: gerrit security group -- allow incoming TCP on port 80 or cgit and Git-over-HTTP
os_security_group_rule:
security_group: gerrit
direction: ingress
port_range_min: 80
port_range_max: 80
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: gerrit security group -- allow incoming TCP on port 443 for cgit and Git-over-HTTPS
os_security_group_rule:
security_group: gerrit
direction: ingress
port_range_min: 443
port_range_max: 443
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: gerrit security group -- allow incoming TCP on port 8080 for Gerrit web frontend
os_security_group_rule:
security_group: gerrit
direction: ingress
port_range_min: 8080
port_range_max: 8080
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: gerrit security group -- allow incoming TCP on port 9148 for git protocol
os_security_group_rule:
security_group: gerrit
direction: ingress
port_range_min: 9418
port_range_max: 9418
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: gerrit security group -- allow incoming TCP on port 29148 for Gerrit SSH daemon
os_security_group_rule:
security_group: gerrit
direction: ingress
port_range_min: 29418
port_range_max: 29418
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: git-server security group
os_security_group:
name: git-server
description: Allow inbound SSH, HTTP, HTTPS, Git, and morph-cache-server requests.
state: present
- name: git-server security group -- allow incoming TCP on port 22 for Git-over-SSH
os_security_group_rule:
security_group: git-server
direction: ingress
port_range_min: 22
port_range_max: 22
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: git-server security group -- allow incoming TCP on port 80 for cgit and Git-over-HTTP
os_security_group_rule:
security_group: git-server
direction: ingress
port_range_min: 80
port_range_max: 80
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: git-server security group -- allow incoming TCP on port 443 for cgit and Git-over-HTTPS
os_security_group_rule:
security_group: git-server
direction: ingress
port_range_min: 443
port_range_max: 443
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: git-server security group -- allow incoming TCP on port 8080 for morph-cache-server protocol
os_security_group_rule:
security_group: git-server
direction: ingress
port_range_min: 8080
port_range_max: 8080
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: git-server security group -- allow incoming TCP on port 9418 for git protocol
os_security_group_rule:
security_group: git-server
direction: ingress
port_range_min: 9418
port_range_max: 9418
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: internal mail relay security group
os_security_group:
name: internal-mail-relay
description: Allow receiving internal-only connections on port 25 for SMTP
state: present
- name: internal mail relay security group -- allow incoming TCP from internal hosts on port 25 for SMTP
os_security_group_rule:
security_group: internal-mail-relay
direction: ingress
port_range_min: 25
port_range_max: 25
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 192.168.222.0/24
- name: shared-artifact-cache security group
os_security_group:
name: shared-artifact-cache
description: Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)
state: present
- name: shared-artifact-cache security group -- allow incoming TCP on port 80 for ostree-over-HTTP
os_security_group_rule:
security_group: shared-artifact-cache
direction: ingress
port_range_min: 80
port_range_max: 80
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: shared-artifact-cache security group -- allow incoming TCP on port 443 for ostree-over-HTTP
os_security_group_rule:
security_group: shared-artifact-cache
direction: ingress
port_range_min: 443
port_range_max: 443
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
# The port number here was chosen arbitrarily.
- name: shared-artifact-cache security group -- allow incoming TCP on port 22200 for ostree-over-SSH
os_security_group_rule:
security_group: shared-artifact-cache
direction: ingress
port_range_min: 22200
port_range_max: 22200
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: web-server security group
os_security_group:
name: web-server
description: Allow inbound HTTP and HTTPS.
state: present
- name: web-server security group -- allow incoming TCP on port 80 for HTTP
os_security_group_rule:
security_group: web-server
direction: ingress
port_range_min: 80
port_range_max: 80
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- name: web-server security group -- allow incoming TCP on port 443 for HTTPS
os_security_group_rule:
security_group: web-server
direction: ingress
port_range_min: 443
port_range_max: 443
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
|