From e344b8b0b63a61a980d48acb64c570113f8216f5 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Thu, 5 Dec 2024 17:08:27 +0000
Subject: [PATCH 1/2] create an allowlist
---
 terraform/account/network_firewall_rules.rules | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/terraform/account/network_firewall_rules.rules b/terraform/account/network_firewall_rules.rules
index 8453b57e03..20f1dcdbe7 100644
--- a/terraform/account/network_firewall_rules.rules
+++ b/terraform/account/network_firewall_rules.rules
@@ -1 +1,10 @@
-drop tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"evil.com"; startswith; nocase; endswith; msg:"matching TLS denylisted FQDNs"; priority:1; flow:to_server, established; sid:1; rev:1;)
+pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".amazon.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:1; rev:1;)
+pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"api.notifications.service.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:2; rev:1;)
+pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"api.os.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:3; rev:1;)
+pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"current.cvd.clamav.net"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:4; rev:1;)
+pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"database.clamav.net"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:5; rev:1;)
+pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"development.lpa-uid.api.opg.service.justice.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:6; rev:1;)
+pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"integration.lpa-uid.api.opg.service.justice.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:7; rev:1;)
+pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"oidc.integration.account.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:8; rev:1;)
+pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"publicapi.payments.service.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:9; rev:1;)
+drop http $HOME_NET any -> $EXTERNAL_NET any (http.header_names; content:"|0d 0a|"; startswith; msg:"not matching any HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:10; rev:1;)
From 4c50c351a022de481f62331ffc3056ee9ebcfa69 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Fri, 6 Dec 2024 09:22:53 +0000
Subject: [PATCH 2/2] upgrade network module
---
 terraform/account/region/network.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/account/region/network.tf b/terraform/account/region/network.tf
index eb3a0a680a..bf8b63d604 100644
--- a/terraform/account/region/network.tf
+++ b/terraform/account/region/network.tf
@@ -1,5 +1,5 @@
 module "network" {
- source = "github.com/ministryofjustice/opg-terraform-aws-firewalled-network?ref=v0.2.8"
+ source = "github.com/ministryofjustice/opg-terraform-aws-firewalled-network?ref=v0.2.9"
 cidr = var.network_cidr_block
 enable_dns_hostnames = true
 enable_dns_support = true
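Review bot: The new allowlist only governs plaintext HTTP (`pass http` keyed on `http.host`), while the file's only `tls` rule is removed and no `pass tls`/`drop tls` replacement is added, so HTTPS egress to these same hosts is not covered by this list at all. Whether TLS then falls through to the rule group's default action (passing everything, or blocking the allowlisted hosts) depends on policy settings not visible in this patch, and either outcome defeats an egress allowlist. I would add a `tls.sni` counterpart for each host, e.g. `pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"api.os.uk"; startswith; endswith; nocase; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:[NEW_SID]; rev:1;)`, followed by a catch-all `drop tls` rule mirroring sid:10. The sid:10 `drop http` only acts as a default-deny if the pass rules are evaluated before it, which holds under action-order evaluation or under strict order with this file order, so a `#` comment at the top of the file stating which ordering the rule group is configured with would protect the list against a later reorder.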