EC2 IPSec security group ports open even when disabled

Question

EC2 IPSec security group ports open even when disabled

glennschler opened this issue 3 years ago · comments

Describe the bug
When deploying to ec2-cloud, and the ipsec_enabled parameter
is false a new EC2 external firewall Security Group is created
with two unnecessary ingress firewalls rules. The two inbound ipsec
ports are 500 and 4500. Since the ipsec strongswan role is exlcuded,
there is no strongswan VPN deployed on the new hosted instance, so
no need for these open ports.

To Reproduce

Steps to reproduce the behavior:

Change the config.cfg ipsec_enabled parameter to false
Run the Algo ansible script and choose EC2 as the cloud provider
After Algo completes the deployment, note the public IPv4 shown in
the final lines of "PLAY RECAP"

If AWS SDK is installed, run this describe-security-groups and
describe-instances cli command using the public IP to see the
ingress rules which were created:

 EC2IP=nn.nn.nn.nn && aws ec2 describe-security-groups --filters \
  Name=group-id,Values=$(aws ec2 describe-instances --filters \
  Name=network-interface.association.public-ip,Values=$EC2IP \
  --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' \
  --output text) \
  --query 'SecurityGroups[*].[IpPermissions]'

Another way to view the rules is in the AWS Dashboard->AWS Services
->CloudFormation->Stacks page. Examine the Stack Details->Resources
to find the InstanceSecurityGroup which was created. Open the Physical
ID of the SG to view the Inbound Rules

Expected behavior

When ipsec_enabled = false, there should only be two security group
rules. One for SSH and one for Wireguard.

Additional context

Perhaps consider the case when wireguard_enabled = false as well.
Do not open that port when not enabled.

Glenn Schlereth · Answer 1 · Sun Sep 19 2021 06:06:55 GMT+0800 (China Standard Time)

Currently testing fix glennschler/algo@8865b1a

David Myers · Answer 2 · Mon Sep 20 2021 05:12:28 GMT+0800 (China Standard Time)

Although unused IPSec and WireGuard ports are opened on cloud provider firewalls, unused ports are not opened on the server instance itself.

Glenn Schlereth · Answer 3 · Tue Sep 21 2021 03:31:47 GMT+0800 (China Standard Time)

Yes, I understood and it is explained well in the algo firewall document. iptables -L confirms as well. The ports referred to in this issue are the external "security group" firewall which EC2 provides to control access in/out of the VPC.

It's a minor detail. The fix creates a more explicit cloud formation template. I always found myself deleting these rules manually after deployment of algo to avoid future confusion.