EC2 IPSec security group ports open even when disabled
glennschler opened this issue · comments
Describe the bug
When deploying to ec2-cloud, and the ipsec_enabled
parameter
is false
a new EC2 external firewall Security Group is created
with two unnecessary ingress firewalls rules. The two inbound ipsec
ports are 500 and 4500. Since the ipsec strongswan role is exlcuded,
there is no strongswan VPN deployed on the new hosted instance, so
no need for these open ports.
To Reproduce
Steps to reproduce the behavior:
- Change the config.cfg
ipsec_enabled
parameter tofalse
- Run the Algo ansible script and choose EC2 as the cloud provider
- After Algo completes the deployment, note the public IPv4 shown in
the final lines of "PLAY RECAP"
-
If AWS SDK is installed, run this
describe-security-groups
and
describe-instances
cli command using the public IP to see the
ingress rules which were created:EC2IP=nn.nn.nn.nn && aws ec2 describe-security-groups --filters \ Name=group-id,Values=$(aws ec2 describe-instances --filters \ Name=network-interface.association.public-ip,Values=$EC2IP \ --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' \ --output text) \ --query 'SecurityGroups[*].[IpPermissions]'
-
Another way to view the rules is in the AWS Dashboard->AWS Services
->CloudFormation->Stacks page. Examine the Stack Details->Resources
to find the InstanceSecurityGroup which was created. Open the Physical
ID of the SG to view the Inbound Rules
Expected behavior
When ipsec_enabled = false
, there should only be two security group
rules. One for SSH and one for Wireguard.
Additional context
Perhaps consider the case when wireguard_enabled = false
as well.
Do not open that port when not enabled.
Currently testing fix glennschler/algo@8865b1a
Although unused IPSec and WireGuard ports are opened on cloud provider firewalls, unused ports are not opened on the server instance itself.
Yes, I understood and it is explained well in the algo firewall document. iptables -L
confirms as well. The ports referred to in this issue are the external "security group" firewall which EC2 provides to control access in/out of the VPC.
It's a minor detail. The fix creates a more explicit cloud formation template. I always found myself deleting these rules manually after deployment of algo to avoid future confusion.