[SUCS Devel] [Git][sucs/sucs][master] 3 commits: Kill public access to vulnerable disused streaming vm

Imran Hussain imranh at sucs.org
Sat Dec 1 19:45:30 GMT 2018


Imran Hussain pushed to branch master at sucs / SUCS


Commits:
fd05a371 by Imran Hussain at 2018-12-01T19:43:07Z
Kill public access to vulnerable disused streaming vm

- - - - -
f25c7f37 by Imran Hussain at 2018-12-01T19:44:05Z
Merge branch 'master' of projects.sucs.org:sucs/sucs

- - - - -
d6bbe887 by Imran Hussain at 2018-12-01T19:45:05Z
Disable proxy as it's broken and needs moving to gw

- - - - -


1 changed file:

- ansible/roles/sucs-firewall/templates/firewall-rules


Changes:

=====================================
ansible/roles/sucs-firewall/templates/firewall-rules
=====================================
@@ -164,7 +164,7 @@ $IPT -A OUTPUT -d 137.44.10.1 -p udp -m udp --dport 1812 -j ACCEPT
 $IPT -A OUTPUT -d 137.44.10.1 -p udp -m udp --dport 1813 -j ACCEPT
 
 #HTTP-Cache to proxy machine
-$IPT -A OUTPUT -d $PROXY_BOX -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
+#$IPT -A OUTPUT -d $PROXY_BOX -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
 
 #NUT (ups monitor to silver)
 $IPT -A OUTPUT -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 3493 -j ACCEPT
@@ -221,13 +221,13 @@ $IPT -A FORWARD -p ICMP -j ACCEPT
 $IPT -A FORWARD -p udp --dport 33434:33523 -j ACCEPT
 
 #Proxy stuff
-$IPT -t nat -A POSTROUTING -o $INTERFACE_SUCS -s $NET_SUCS -d $PROXY_BOX -p tcp --dport $PROXY_PORT -j SNAT --to $IP_SUCS
-$IPT -t nat -A POSTROUTING -o $INTERFACE_SUCS -s $NET_GUEST -d $PROXY_BOX -p tcp --dport $PROXY_PORT -j SNAT --to $IP_SUCS
-$IPT -A FORWARD -s $NET_SUCS -d $PROXY_BOX -i $INTERFACE_SUCS -p tcp --dport $PROXY_PORT -j ACCEPT
-$IPT -A FORWARD -s $NET_GUEST -d $PROXY_BOX -i $INTERFACE_GUEST -p tcp --dport $PROXY_PORT -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o $INTERFACE_SUCS -s $NET_SUCS -d $PROXY_BOX -p tcp --dport $PROXY_PORT -j SNAT --to $IP_SUCS
+#$IPT -t nat -A POSTROUTING -o $INTERFACE_SUCS -s $NET_GUEST -d $PROXY_BOX -p tcp --dport $PROXY_PORT -j SNAT --to $IP_SUCS
+#$IPT -A FORWARD -s $NET_SUCS -d $PROXY_BOX -i $INTERFACE_SUCS -p tcp --dport $PROXY_PORT -j ACCEPT
+#$IPT -A FORWARD -s $NET_GUEST -d $PROXY_BOX -i $INTERFACE_GUEST -p tcp --dport $PROXY_PORT -j ACCEPT
 
 #HTTP (to Off Campus) from Inside (not via proxy) DROP!
-$IPT -A FORWARD ! -i $INTERFACE_OUTSIDE ! -d $NET_CAMPUS ! -s $PROXY_BOX -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT
+#$IPT -A FORWARD ! -i $INTERFACE_OUTSIDE ! -d $NET_CAMPUS ! -s $PROXY_BOX -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT
 
 #From backup to sucs
 $IPT -A FORWARD -d $NET_SUCS -s $BACKUP -j ACCEPT
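Review bot: Commenting out the REJECT on line 59 removes the egress control that stopped inside and guest hosts reaching off-campus port 80 directly, not just the proxy plumbing it sat beside; with the transparent DNAT also disabled in this commit, hosts on $NET_SUCS and $NET_GUEST now get direct HTTP egress wherever the FORWARD chain otherwise permits it. If unfiltered direct egress is the intended interim state until the proxy is rebuilt on gw, record that next to the disabled rule, e.g. `# Proxy disabled 2018-12: direct off-campus HTTP from inside is permitted until the proxy returns on gw`. If it is not intended, keep the REJECT active with the `! -s $PROXY_BOX` clause dropped so outbound HTTP stays blocked while the proxy is down. The FORWARD chain's default policy is not visible in this hunk, so the practical effect depends on it.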
@@ -358,10 +358,10 @@ $IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 993 -j
 $IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
 
 #ICP - (to proxy machine) from campus proxy (octopussy.swan.ac.uk)
-$IPT -A FORWARD -d $PROXY_BOX -s $NET_CAMPUS -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-$IPT -A FORWARD -d $PROXY_BOX -s $NET_CAMPUS -p udp -m udp --dport 3128 -j ACCEPT
-$IPT -A FORWARD -d $PROXY_BOX -s $NET_CAMPUS -p tcp -m state --state NEW -m tcp --dport 3130 -j ACCEPT
-$IPT -A FORWARD -d $PROXY_BOX -s $NET_CAMPUS -p udp -m udp --dport 3130 -j ACCEPT
+#$IPT -A FORWARD -d $PROXY_BOX -s $NET_CAMPUS -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
+#$IPT -A FORWARD -d $PROXY_BOX -s $NET_CAMPUS -p udp -m udp --dport 3128 -j ACCEPT
+#$IPT -A FORWARD -d $PROXY_BOX -s $NET_CAMPUS -p tcp -m state --state NEW -m tcp --dport 3130 -j ACCEPT
+#$IPT -A FORWARD -d $PROXY_BOX -s $NET_CAMPUS -p udp -m udp --dport 3130 -j ACCEPT
 
 #Jabber (to silver) from anywhere
 $IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
@@ -413,7 +413,7 @@ $IPT -A FORWARD -d 137.44.10.8 -p tcp -m state --state NEW -m tcp --dport 873 -j
 $IPT -A FORWARD -d 137.44.10.8 -p tcp -m tcp --dport 5000:5100 -j ACCEPT
 
 #stream vm
-$IPT -A FORWARD -d $STREAMING_SERVER -p tcp -m tcp --dport 22 -j ACCEPT
+#$IPT -A FORWARD -d $STREAMING_SERVER -p tcp -m tcp --dport 22 -j ACCEPT
 $IPT -A FORWARD -d $STREAMING_SERVER -p tcp -m tcp --dport 80 -j ACCEPT
 $IPT -A FORWARD -d $STREAMING_SERVER -p tcp -m tcp --dport $STREAMING_PORT -j ACCEPT
 $IPT -A FORWARD -d $STREAMING_SERVER -p udp -m udp --dport $STREAMING_PORT -j ACCEPT
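Review bot: Only the SSH forward on line 83 is disabled; the three rules that follow still forward TCP 80 and TCP/UDP $STREAMING_PORT to $STREAMING_SERVER from any source, so the VM the commit message calls vulnerable and disused remains publicly reachable on those ports. If the intent is to kill all public access, comment out (or, since it is disused, delete) those lines as well: `#$IPT -A FORWARD -d $STREAMING_SERVER -p tcp -m tcp --dport 80 -j ACCEPT` and the two `--dport $STREAMING_PORT` lines. None of these rules carries an `-i` or `-s` restriction, so nothing here limits who can reach the VM; whether the FORWARD chain's default policy drops the remainder is not visible in this hunk.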
@@ -498,7 +498,7 @@ $IPT -t nat -A PREROUTING -i $INTERFACE_GUEST -m mark ! --mark 1 -p tcp -m tcp -
 $IPT -t nat -A PREROUTING -i $INTERFACE_GUEST -m mark ! --mark 1 -p tcp -m tcp --dport 80 -j DNAT --to 137.44.10.63
 
 # Rest of Transparent Proxy
-$IPT -t nat -A PREROUTING ! -i $INTERFACE_OUTSIDE ! -s $PROXY_BOX ! -d $NET_INSIDE -p tcp --dport 80 -m policy --dir in --pol none -j DNAT --to $PROXY_BOX:$PROXY_PORT
+#$IPT -t nat -A PREROUTING ! -i $INTERFACE_OUTSIDE ! -s $PROXY_BOX ! -d $NET_INSIDE -p tcp --dport 80 -m policy --dir in --pol none -j DNAT --to $PROXY_BOX:$PROXY_PORT
 
 #
 # Outright Blocks on what GuestNET can talk to
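Review bot: With the catch-all DNAT on line 92 disabled, the port-80 traffic that the rule on line 88 deliberately leaves alone (guest packets carrying mark 1) and all port-80 traffic arriving on the non-guest, non-outside interfaces is no longer redirected anywhere and follows normal routing. If that traffic should still be intercepted while the proxy is down it needs a replacement rule; if not, a comment beside line 88 would save the next reader from tracing the mark logic, e.g. `# mark-1 guest traffic is no longer sent to the proxy (disabled); it is routed directly`. The interaction with the "Outright Blocks" section that starts on the last line is outside this hunk.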


