Merge pull request 'Block outgoing traffic to local networks by default' (#434) from feature/block_outoing_local_traffic into feature/qemu_snapshots

Reviewed-on: #434
2022-10-22 11:50:28 +00:00 · 2022-10-22 11:50:28 +00:00 · 33ae6befaa
parent 61710aa4a4 58e6e7de03
commit 33ae6befaa
1 changed files with 15 additions and 0 deletions
--- a/site-cookbooks/kosmos_kvm/recipes/host.rb
+++ b/site-cookbooks/kosmos_kvm/recipes/host.rb
@ -32,3 +32,18 @@ firewall_rule 'ssh-alt-port' do
  protocol :tcp
  command  :allow
 end
+
+%w{
+  10.0.0.0/8
+  172.16.0.0/12
+  192.168.0.0/16
+  100.64.0.0/10
+}.each do |ip|
+  firewall_rule "unauthorized-private-network-#{ip}" do
+    interface "enp35s0"
+    destination ip
+    direction :out
+    protocol :none
+    command  :deny
+  end
+end