From 44c81b1f3e88e7f0712df579598077f28089e022 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Mon, 17 Jun 2024 01:20:29 +0100
Subject: [PATCH] doc: reorganised to encompass all teh tickets we have submitted over time. May work on a tool that compiles this together into a unified output?
---
 ITD/Firewall_Rules.csv | 61 +++++++++++++++++++++++++++++-------------
 1 file changed, 42 insertions(+), 19 deletions(-)
diff --git a/ITD/Firewall_Rules.csv b/ITD/Firewall_Rules.csv
index 7978336..2419b0d 100644
--- a/ITD/Firewall_Rules.csv
+++ b/ITD/Firewall_Rules.csv
@@ -1,19 +1,42 @@
-Index,Status,Name,IP_Address,DNS_Name,Ports TCP,Ports UDP,Tunnel,Ports_Requested,Related_Tickets,Description
-SKYNET00001,Active,agentjones,193.1.99.72,agentjones,,,,,,Firewall (currently not active)
-SKYNET00002,Active,vendetta,193.1.99.120,vendetta/ns1,,53,,,,DNS Nameserver 1
-SKYNET00003,Active,jarvis,193.1.99.73,jarvis,,,,,,VM Host
-SKYNET00004,Active,vigil,193.1.99.109,vigil/ns2,,53,,,,DNS Nameserver 2
-SKYNET00005,Active,galatea,193.1.99.111,galatea/stream,80/443 8000,,,,,ULFM Radio
-SKYNET00006,Retired,optimus,193.1.99.112,optimus/games/*.games,80/443 25565,,,,,Retired Games server
-SKYNET00007,Active,kitt,193.1.99.74,kitt/account/api.account,443,,,-> skynet:9000-9020,i23-07-28_010,"LDAP and Self-Service Password/Account management, also hosts our Discord bot"
-SKYNET00008,Active,glados,193.1.99.75,glados/gitlab/*.pages.gitlab,80/443,,,,i23-05-18_249,Gitlab server
-SKYNET00009,Active,gir,193.1.99.76,gir/mail/imap/pop3/smtp,80/443 25/143/993/587/465,,,4190,i23-06-19_525/i23-06-19_525,Email and Webmail
-SKYNET00010,Active,wheatly,193.1.99.78,wheatly,,,-> skynet:22,,,Gitlab Runner
-SKYNET00011,Active,earth,193.1.99.79,earth,80/443,,,,i23-06-19_525,Offical website host
-SKYNET00012,Active,skynet,193.1.96.165,skynet/*.users,22 80/443,,,,i23-06-30_024,Skynet server.
(DMZ)
-SKYNET00013,Active,neuromancer,193.1.99.80,neuromancer,,,,,,Local Backup Server
-SKYNET00014,Active,cadie,193.1.99.77,cadie/nextcloud/onlyoffice.nextcloud,80/443,,,,i23-10-27_014,"Services VM, has nextcloud to start with"
-SKYNET00015,Active,marvin,193.1.99.81,marvin,,,,,,Trainee testing server
-SKYNET00016,Active,optimus,193.1.99.90,,80/443,,,8080,i24-02-16_065,Games server manager (replacing SKYNET00006 soon)
-SKYNET00017,Active,bumblebee,193.1.99.91,,25518-25525,19132 24418-24425,,,i24-02-16_065,Game server - Minecraft
-SKYNET00018,Active,calculon,193.1.99.82,,,,,80/443,,"Public Services such as binary cache, Open Governance and Keyserver"
+Rule,Action,Ticket,Status,Source_IP,Source_Server,Destination_IP,Destination_Server,Port_TCP,Port_UDP,Notes
+SKYNET_FIREWALL_00000,Add,,Complete,VPN,-,93.1.99.71 - 193.1.99.126,All,22,-,sftp/ssh required from vpn to servers for admins
+SKYNET_FIREWALL_00001,Add,,Complete,All,-,193.1.99.109,SKYNET00004,-,53,Nameserver for skynet.ie
+SKYNET_FIREWALL_00002,Add,,Complete,All,-,193.1.99.111,SKYNET00005,"80, 443, 8000",-,"ULFM, http(s) for internet streaming, 8000 for connecting to the server."
+SKYNET_FIREWALL_00003,Add,,Complete,All,-,193.1.99.112,SKYNET00006,"80, 443, 25565",-,"Games host, Minecraft uses 25565 (will have more ports in the future)"
+SKYNET_FIREWALL_00004,Add,,Complete,All,-,193.1.99.120,SKYNET00002,-,53,Nameserver for skynet.ie
+SKYNET_FIREWALL_00005,Add,i23-01-19_681,Complete,193.1.99.72,SKYNET00001,All,-,-,-,Allow outbound access
+SKYNET_FIREWALL_00006,Add,i23-01-19_681,Complete,193.1.99.75,SKYNET00008,All,-,-,-,Allow outbound access
+SKYNET_FIREWALL_00007,Add,i23-01-19_681,Complete,193.1.99.109,SKYNET00004,All,-,-,-,Allow outbound access
+SKYNET_FIREWALL_00008,Add,i23-01-19_681,Complete,193.1.99.111,SKYNET00005,All,-,-,-,Allow outbound access
+SKYNET_FIREWALL_00009,Add,i23-01-19_681,Complete,193.1.99.112,SKYNET00006,All,-,-,-,Allow outbound access
+SKYNET_FIREWALL_00010,Add,i23-01-19_681,Complete,193.1.99.120,SKYNET00002,All,-,-,-,Allow outbound access
+SKYNET_FIREWALL_00011,Add,i23-05-18_249,Complete,All,-,193.1.99.75,SKYNET00008,"80, 443",-,For gitlab Access
+SKYNET_FIREWALL_00012,Add,i23-05-18_249,Complete,193.1.99.72 - 193.1.99.126,-,All,-,-,-,"I would also like to extend the outbound access to cover our entire range (193.1.99.72 to 193.1.99.126) to allow for setup for more servers on those ip's (need to download updates and packages).
+I have a few servers I plan to setup over the next two weeks, one after another as the later ones depend on earlier ones.
+In such a case asking for permission for each individual IP would induce several tickets and a few weeks of paperwork going through change control.
+Only a few of these sevices will need inbound ports opened on ITD's firewall, which can be requested when the systems are up, running and secured."
+SKYNET_FIREWALL_00013,Add,i23-05-18_249,Complete,All,-,193.1.99.76,SKYNET00009,"143, 993, 587, 465",-,Email Server
+SKYNET_FIREWALL_00014,Add,i23-06-19_525,Complete,All,-,193.1.99.76,SKYNET00009,"80, 443, 25",-,"Mailserver here, SPF, DKIM and DMARC are all set up"
+SKYNET_FIREWALL_00015,Add,i23-06-19_525,Complete,All,-,193.1.99.79,SKYNET00011,"80, 443",-,Main Skynet webserver
+SKYNET_FIREWALL_00016,Add,i23-06-30_024,Complete,All,-,193.1.96.165,SKYNET00012,22,-,"Skynet user's server
+Outlet is 131 or 132"
+SKYNET_FIREWALL_00017,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.120,SKYNET00002,-,53,Allow Skynet server to use our own internal DNS
+SKYNET_FIREWALL_00018,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.74,SKYNET00007,389/636,-,Allow Skynet server to access LDAP
+,Add,i23-07-28_010,Denied,All,-,193.1.99.74,SKYNET00007,"80, 443",-,Self Service site for Skynet accounts – Only 443 on account modification pages
+SKYNET_FIREWALL_00019,Add,i23-07-28_010,Complete,All,-,193.1.99.74,SKYNET00007,443,-,Self Service site for Skynet accounts
+SKYNET_FIREWALL_00020,Add,i23-09-05_639,Complete,All,-,193.1.96.165,SKYNET00012,"80, 443",-,Web hosting for user sites
+SKYNET_FIREWALL_00021,Add,i23-10-27_014,Complete,All,-,193.1.99.77,SKYNET00014,"80, 443",-,"Nextcloud, selfhosted google services, filestorage and documents"
+SKYNET_FIREWALL_00022,Add,i24-02-01_102,Complete,193.1.96.165,SKYNET00012,103.1.99.109,SKYNET00004,-,53,Give the Skynet server access to ur secondary DNS
+SKYNET_FIREWALL_00023,Add,i24-02-01_102,Complete,193.1.99.78,SKYNET00010,193.1.96.165,SKYNET00012,22,-,Allow our gitlab runner to access and deploy to teh external server
+SKYNET_FIREWALL_00024,Add,i24-02-16_065,Complete,All,-,193.1.99.90,SKYNET00016,"80, 443",-,Games Server Administrative panel
+SKYNET_FIREWALL_00025,Add,i24-02-16_065,Complete,All,-,193.1.99.91,SKYNET00017,25518-25525,"19132, 24418-24425",Minecraft Games server
+SKYNET_FIREWALL_00026,Add,i24-06-04_017,Complete,All,-,193.1.99.76,SKYNET00009,4190,-,"Email sieve to allow members to add email filters to their
+skynet mail."
+SKYNET_FIREWALL_00027,Add,i24-06-04_017,Complete,All,-,193.1.99.82,SKYNET00018,80/443,-,"Public services such as a binary cache, open governance and keyserver"
+,Add,i24-06-04_017,Denied,All,-,193.1.99.90,SKYNET00016,8080,-,"Websocket for admin panel on games management server
+Denied because more information on wat it was for was requested"
+,Add,i24-06-04_017,Denied,193.1.99.74,SKYNET00007,193.1.96.165,SKYNET00012,9000-9020,-,"Metrics collection, not done because not enough info provided"
+SKYNET_FIREWALL_00028,Remove,i24-06-04_017,Complete,-,-,193.1.99.112,SKYNET00019,25565,-,No longer the minecraft game host
+,Add,i24-06-04_017,Pending,All,-,193.1.99.90,SKYNET00016,8080,-,Websocket for admin panel on games management server
+,Add,i24-06-04_017,Pending,193.1.99.83,SKYNET00020,193.1.96.165,SKYNET00012,9000-9010,-,Metrics Collection
+,Add,i24-06-04_017,Pending,All,-,193.1.99.83,SKYNET00020,"80, 443",-,Web interface for Metrics server
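Review bot: Three added rows carry addresses or server indexes that disagree with the rest of the table, which weakens it as the record of what the upstream firewall is meant to allow. SKYNET_FIREWALL_00000 gives its destination range as `93.1.99.71 - 193.1.99.126` where rule 00012 uses `193.1.99.72 - 193.1.99.126`, SKYNET_FIREWALL_00022 lists `103.1.99.109` for SKYNET00004 where rules 00001 and 00007 give `193.1.99.109`, and SKYNET_FIREWALL_00028 ties `193.1.99.112` to `SKYNET00019` where rules 00003 and 00009 use `SKYNET00006`. If these are transcription slips they should be corrected to match; if they are what the tickets actually said, that should be stated in Notes so an audit against the live rules does not read them as typos. Rule 00028 also removes only TCP `25565` for 193.1.99.112, so the `80, 443` opened by rule 00003 and the outbound allowance in rule 00009 appear to stay in place for a host the old table marked Retired; it is worth confirming whether a matching Remove row is still owed. The Denied and Pending rows have an empty Rule column, so a ticket reference plus status is the only way to cite them, and a placeholder id would make later cross-referencing less error-prone.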