From 9d77cafc838bf29ed125cce988b055329e41ed57 Mon Sep 17 00:00:00 2001 From: "Christopher M. Neill" Date: Mon, 29 Feb 2016 17:28:20 -0800 Subject: [PATCH 1/4] first pass, elimitate unnecessary port exposure --- ansible/roles/ec2/sg_configure/tasks/main.yml | 72 ------------------- 1 file changed, 72 deletions(-) diff --git a/ansible/roles/ec2/sg_configure/tasks/main.yml b/ansible/roles/ec2/sg_configure/tasks/main.yml index b7399adc..67db7ec0 100644 --- a/ansible/roles/ec2/sg_configure/tasks/main.yml +++ b/ansible/roles/ec2/sg_configure/tasks/main.yml @@ -117,14 +117,6 @@ from_port: 22 to_port: 22 group_id: "{{ sg_bastion }}" - - proto: udp - from_port: 53 - to_port: 53 - group_id: "{{ sg_dock }}" - - proto: tcp - from_port: 53 - to_port: 53 - group_id: "{{ sg_dock }}" - proto: tcp from_port: 3100 to_port: 3100 @@ -161,34 +153,14 @@ from_port: 6783 to_port: 6783 group_id: "{{ sg_dock }}" - - proto: tcp - from_port: 8200 - to_port: 8200 - group_id: "{{ sg_dock }}" - proto: tcp from_port: 32768 to_port: 65535 group_id: "{{ sg_api }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_dock }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_hipache }}" - proto: tcp from_port: 32768 to_port: 65535 group_id: "{{ sg_navi }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_redis }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_services }}" - name: Hipache SG tags: @@ -237,26 +209,6 @@ from_port: 32768 to_port: 65535 group_id: "{{ sg_api }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_dock }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_hipache }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_redis }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_services }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_web }}" - name: MongoDB SG tags: 
@@ -289,10 +241,6 @@ from_port: 27000 to_port: 27020 group_id: "{{ sg_services }}" - - proto: tcp - from_port: 27000 - to_port: 27020 - group_id: "{{ sg_dock }}" - name: Navi SG tags: @@ -569,18 +517,6 @@ from_port: 27000 to_port: 27020 group_id: "{{ sg_services }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_dock }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_hipache }}" - - proto: tcp - from_port: 32768 - to_port: 63353 - group_id: "{{ sg_services }}" - name: Userland Hipache tags: @@ -685,11 +621,3 @@ from_port: 8500 to_port: 8500 group_id: "{{ sg_web }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_api }}" - - proto: tcp - from_port: 32768 - to_port: 65535 - group_id: "{{ sg_hipache }}" From 2ff470714a8f00235d10fe8f1eb53ad71593642c Mon Sep 17 00:00:00 2001 From: "Christopher M. Neill" Date: Fri, 4 Mar 2016 12:53:28 -0800 Subject: [PATCH 2/4] re-add DNS --- ansible/roles/ec2/sg_configure/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ansible/roles/ec2/sg_configure/tasks/main.yml b/ansible/roles/ec2/sg_configure/tasks/main.yml index 67db7ec0..43f6c147 100644 --- a/ansible/roles/ec2/sg_configure/tasks/main.yml +++ b/ansible/roles/ec2/sg_configure/tasks/main.yml @@ -117,6 +117,14 @@ from_port: 22 to_port: 22 group_id: "{{ sg_bastion }}" + - proto: udp + from_port: 53 + to_port: 53 + group_id: "{{ sg_dock }}" + - proto: tcp + from_port: 53 + to_port: 53 + group_id: "{{ sg_dock }}" - proto: tcp from_port: 3100 to_port: 3100 From 3ed5736b7048bde30d8869cc8d6254d67d0fa98f Mon Sep 17 00:00:00 2001 From: "Christopher M. Neill" Date: Fri, 4 Mar 2016 13:15:10 -0800 Subject: [PATCH 3/4] hipache->services docker ports --- ansible/roles/ec2/sg_configure/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/roles/ec2/sg_configure/tasks/main.yml b/ansible/roles/ec2/sg_configure/tasks/main.yml index 43f6c147..cc5301db 100644 
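Review bot: The two 53/udp and 53/tcp rules re-added here carry no comment saying which resolver behind `sg_dock` they are for, and PATCH 4/4 of this same series removes them again, so the series leaves no record of why DNS ingress was tried and then abandoned. If the hosts in this group do need DNS from the dock group, keep the pair and put the reason above it, e.g. `# 53/udp+tcp from sg_dock: container resolver on these hosts — TODO confirm the consumer`; if not, drop this commit together with PATCH 4/4 so history does not read as an unresolved flip-flop. The surrounding task and its rule list start before the hunk and continue after it.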
--- a/ansible/roles/ec2/sg_configure/tasks/main.yml +++ b/ansible/roles/ec2/sg_configure/tasks/main.yml @@ -525,6 +525,10 @@ from_port: 27000 to_port: 27020 group_id: "{{ sg_services }}" + - proto: tcp + from_port: 32768 + to_port: 65535 + group_id: "{{ sg_hipache }}" - name: Userland Hipache tags: From 2e71548d57dc6b7e230e35a9e09447fae616c5e6 Mon Sep 17 00:00:00 2001 From: "Christopher M. Neill" Date: Fri, 4 Mar 2016 13:53:45 -0800 Subject: [PATCH 4/4] DNS ports back out --- ansible/roles/ec2/sg_configure/tasks/main.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/ansible/roles/ec2/sg_configure/tasks/main.yml b/ansible/roles/ec2/sg_configure/tasks/main.yml index cc5301db..16ef2407 100644 --- a/ansible/roles/ec2/sg_configure/tasks/main.yml +++ b/ansible/roles/ec2/sg_configure/tasks/main.yml @@ -117,14 +117,6 @@ from_port: 22 to_port: 22 group_id: "{{ sg_bastion }}" - - proto: udp - from_port: 53 - to_port: 53 - group_id: "{{ sg_dock }}" - - proto: tcp - from_port: 53 - to_port: 53 - group_id: "{{ sg_dock }}" - proto: tcp from_port: 3100 to_port: 3100
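Review bot: The new rule in the `@@ -525,6 +525,10 @@` hunk opens the whole 32768-65535 range from `sg_hipache` into this group with no comment naming the container ports it serves; the intent is only in the commit title ("hipache->services docker ports"), not in the file. PATCH 1/4 removed the same `sg_hipache` entry at this exact spot (its `@@ -569,18 +517,6 @@` hunk, alongside a `sg_services` entry whose `to_port: 63353` looks like a typo for 65535) as unnecessary exposure, so without a note the next audit will remove it again; a one-liner above the entry such as `# hipache -> services: ports docker publishes for containers (ephemeral range)` is enough. If the ports actually published on the services hosts are a narrower range, tighten `from_port`/`to_port` to it rather than the full ephemeral range. The enclosing task starts before the hunk; `- name: Userland Hipache` after it is the next task.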