Modifying Firewall rules to provide Internet Access to T0/T1 #2327
Conversation
There was a problem hiding this comment.
I can deploy an SRE, but can't actually connect to anything. At the moment, literally only traffic from workspaces is allowed. None of the container services can connect to the internet, so a user can't get to the remote desktop gateway, for example I misdescribed that a bit. Guacamole can't talk to the microsoft Auth servers over the internet, so it can't properly log you in.
|
Have tested a fresh deployment with internet access enabled, and can confirm it works! |
Coverage report
Click to see where and how coverage changed
This report was generated by python-coverage-comment-action |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
cptanalatriste
changed the title
|
I don't think I like adding
What does everyone else think? |
JimMadge
force-pushed
the
2283-internet-access-tier0-tier1
branch
from
94a5682 to
a7f9275
Compare
| filename="${filename%.*}" | ||
| test_config=".github/resources/$filename.config.json" | ||
|
|
||
| if [ -e "$test_config" ]; then |
There was a problem hiding this comment.
Would it be better to do this for all mustache files we want to expand? It's nicer than the hack of replacing all the mustache markers with array or variable that's used in the other if branch?
| network.AzureFirewallApplicationRuleCollectionArgs( | ||
| action=network.AzureFirewallRCActionArgs( | ||
| type=network.AzureFirewallRCActionType.ALLOW | ||
| application_rule_collections_common = [ |
There was a problem hiding this comment.
Can we confirm that these rules are identical to the previous rules except where deliberately changed? This sounds difficult. One way to convince ourselves could be to make a separate PR from develop that just makes the change of putting the rules into the application_rule_collections_common list without changing the rules themselves. It would then be easier to see what changes are being made here.
|
|
||
| if props.allow_workspace_internet: | ||
| application_rule_collections = application_rule_collections_common | ||
| network_rule_collections = [ |
There was a problem hiding this comment.
Can you add a comment explaining why this needs to be a network rule not an application rule? I think possibly because application rules only apply to HTTP(S) but maybe I'm wrong.
| {{#allow_workspace_internet}} | ||
| user_rules: [] | ||
| {{/allow_workspace_internet}} | ||
| {{^allow_workspace_internet}} | ||
| user_rules: | ||
| # https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#adblock-style-syntax | ||
| - "*.*" | ||
| {{#filter_allow}} | ||
| - "@@||{{.}}" | ||
| {{/filter_allow}} | ||
| {{/allow_workspace_internet}} |
There was a problem hiding this comment.
Would this logic be better as:
user_rules:
# https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#adblock-style-syntax
{{#filter_block}}
- "{{.}}"
{{/filter_block}}
{{#filter_allow}}
- "@@||{{.}}"
{{/filter_allow}}
with the default being: filter_block = ["*.*"], filter_allow = ["some", "urls", "here"] and the allow-all being filter_block = [], filter_allow = ["*.*"]? I'm not totally sure whether this would work - thoughts?
There was a problem hiding this comment.
Alternatively, we generate the @@|| prefixes in the calling script and just have
user_rules:
# https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#adblock-style-syntax
{{#filters}}
- "{{.}}"
{{/filters}}
which might be the simplest/cleanest of all.
| # Mock configuration. | ||
|
|
||
|
|
||
| class DataSafeHavenMocks(pulumi.runtime.Mocks): | ||
| def new_resource(self, args: pulumi.runtime.MockResourceArgs): |
There was a problem hiding this comment.
| # Mock configuration. | |
| class DataSafeHavenMocks(pulumi.runtime.Mocks): | |
| def new_resource(self, args: pulumi.runtime.MockResourceArgs): | |
| class DataSafeHavenMocks(pulumi.runtime.Mocks): | |
| """Configuration for Pulumi mocks""" | |
| def new_resource(self, args: pulumi.runtime.MockResourceArgs): |
✅ Checklist
Enable foobar integrationrather than515 foobar).develop.🚦 Depends on
The proposed approach adds an extra field to the SRE config file (
allow_workspace_internet) and based on its value does the following: 1) Iffalse, business as usual, 2) iftrue, we remove all the firewall's application rules, we add a network rule allowing connections to the internet, and removeuser_rulesDNS server configuration.(@JimMadge After my changes)
allow_workspace_internetconfiguration value in thesresection (default false)allow_workspace_internetis true.🌂 Related issues
Closes #2283
🔬 Tests
(@JimMadge After my changes)
Outbound internet access from workspace when
allow_workspace_internetis trueNo outbound internet access from workspace when
allow_workspace_internetis false