Skynet/nixos
6
1
Fork 0
Code Issues 43 Pull requests 1 Projects Releases Packages Wiki Activity Actions

doc: reorganised to encompass all teh tickets we have submitted over time.

Browse source 
May work on a tool that compiles this together into a unified output?
This commit is contained in:
silver 2024-06-17 01:20:29 +01:00
parent 897c52cc3e
commit 44c81b1f3e
Signed by: silver
GPG key ID: 54E2C71918E93B74
1 changed files with 42 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
ITD/Firewall_Rules.csv
View file

@ -1,19 +1,42 @@
Index,Status,Name,IP_Address,DNS_Name,Ports TCP,Ports UDP,Tunnel,Ports_Requested,Related_Tickets,Description Rule,Action,Ticket,Status,Source_IP,Source_Server,Destination_IP,Destination_Server,Port_TCP,Port_UDP,Notes
SKYNET00001,Active,agentjones,193.1.99.72,agentjones,,,,,,Firewall (currently not active) SKYNET_FIREWALL_00000,Add,,Complete,VPN,-,93.1.99.71 - 193.1.99.126,All,22,-,sftp/ssh required from vpn to servers for admins
SKYNET00002,Active,vendetta,193.1.99.120,vendetta/ns1,,53,,,,DNS Nameserver 1 SKYNET_FIREWALL_00001,Add,,Complete,All,-,193.1.99.109,SKYNET00004,-,53,Nameserver for skynet.ie
SKYNET00003,Active,jarvis,193.1.99.73,jarvis,,,,,,VM Host SKYNET_FIREWALL_00002,Add,,Complete,All,-,193.1.99.111,SKYNET00005,"80, 443, 8000",-,"ULFM, http(s) for internet streaming, 8000 for connecting to the server."
SKYNET00004,Active,vigil,193.1.99.109,vigil/ns2,,53,,,,DNS Nameserver 2 SKYNET_FIREWALL_00003,Add,,Complete,All,-,193.1.99.112,SKYNET00006,"80, 443, 25565",-,"Games host, Minecraft uses 25565 (will have more ports in the future)"
SKYNET00005,Active,galatea,193.1.99.111,galatea/stream,80/443 8000,,,,,ULFM Radio SKYNET_FIREWALL_00004,Add,,Complete,All,-,193.1.99.120,SKYNET00002,-,53,Nameserver for skynet.ie
SKYNET00006,Retired,optimus,193.1.99.112,optimus/games/*.games,80/443 25565,,,,,Retired Games server SKYNET_FIREWALL_00005,Add,i23-01-19_681,Complete,193.1.99.72,SKYNET00001,All,-,-,-,Allow outbound access
SKYNET00007,Active,kitt,193.1.99.74,kitt/account/api.account,443,,,-> skynet:9000-9020,i23-07-28_010,"LDAP and Self-Service Password/Account management, also hosts our Discord bot" SKYNET_FIREWALL_00006,Add,i23-01-19_681,Complete,193.1.99.75,SKYNET00008,All,-,-,-,Allow outbound access
SKYNET00008,Active,glados,193.1.99.75,glados/gitlab/*.pages.gitlab,80/443,,,,i23-05-18_249,Gitlab server SKYNET_FIREWALL_00007,Add,i23-01-19_681,Complete,193.1.99.109,SKYNET00004,All,-,-,-,Allow outbound access
SKYNET00009,Active,gir,193.1.99.76,gir/mail/imap/pop3/smtp,80/443 25/143/993/587/465,,,4190,i23-06-19_525/i23-06-19_525,Email and Webmail SKYNET_FIREWALL_00008,Add,i23-01-19_681,Complete,193.1.99.111,SKYNET00005,All,-,-,-,Allow outbound access
SKYNET00010,Active,wheatly,193.1.99.78,wheatly,,,-> skynet:22,,,Gitlab Runner SKYNET_FIREWALL_00009,Add,i23-01-19_681,Complete,193.1.99.112,SKYNET00006,All,-,-,-,Allow outbound access
SKYNET00011,Active,earth,193.1.99.79,earth,80/443,,,,i23-06-19_525,Offical website host SKYNET_FIREWALL_00010,Add,i23-01-19_681,Complete,193.1.99.120,SKYNET00002,All,-,-,-,Allow outbound access
SKYNET00012,Active,skynet,193.1.96.165,skynet/*.users,22 80/443,,,,i23-06-30_024,Skynet server. (DMZ) SKYNET_FIREWALL_00011,Add,i23-05-18_249,Complete,All,-,193.1.99.75,SKYNET00008,"80, 443",-,For gitlab Access
SKYNET00013,Active,neuromancer,193.1.99.80,neuromancer,,,,,,Local Backup Server SKYNET_FIREWALL_00012,Add,i23-05-18_249,Complete,193.1.99.72 - 193.1.99.126,-,All,-,-,-,"I would also like to extend the outbound access to cover our entire range (193.1.99.72 to 193.1.99.126) to allow for setup for more servers on those ip's (need to download updates and packages).
SKYNET00014,Active,cadie,193.1.99.77,cadie/nextcloud/onlyoffice.nextcloud,80/443,,,,i23-10-27_014,"Services VM, has nextcloud to start with" I have a few servers I plan to setup over the next two weeks, one after another as the later ones depend on earlier ones.
SKYNET00015,Active,marvin,193.1.99.81,marvin,,,,,,Trainee testing server In such a case asking for permission for each individual IP would induce several tickets and a few weeks of paperwork going through change control.
SKYNET00016,Active,optimus,193.1.99.90,,80/443,,,8080,i24-02-16_065,Games server manager (replacing SKYNET00006 soon) Only a few of these sevices will need inbound ports opened on ITD's firewall, which can be requested when the systems are up, running and secured."
SKYNET00017,Active,bumblebee,193.1.99.91,,25518-25525,19132 24418-24425,,,i24-02-16_065,Game server - Minecraft SKYNET_FIREWALL_00013,Add,i23-05-18_249,Complete,All,-,193.1.99.76,SKYNET00009,"143, 993, 587, 465",-,Email Server
SKYNET00018,Active,calculon,193.1.99.82,,,,,80/443,,"Public Services such as binary cache, Open Governance and Keyserver" SKYNET_FIREWALL_00014,Add,i23-06-19_525,Complete,All,-,193.1.99.76,SKYNET00009,"80, 443, 25",-,"Mailserver here, SPF, DKIM and DMARC are all set up"
SKYNET_FIREWALL_00015,Add,i23-06-19_525,Complete,All,-,193.1.99.79,SKYNET00011,"80, 443",-,Main Skynet webserver
SKYNET_FIREWALL_00016,Add,i23-06-30_024,Complete,All,-,193.1.96.165,SKYNET00012,22,-,"Skynet user's server
Outlet is 131 or 132"
SKYNET_FIREWALL_00017,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.120,SKYNET00002,-,53,Allow Skynet server to use our own internal DNS
SKYNET_FIREWALL_00018,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.74,SKYNET00007,389/636,-,Allow Skynet server to access LDAP
,Add,i23-07-28_010,Denied,All,-,193.1.99.74,SKYNET00007,"80, 443",-,Self Service site for Skynet accounts Only 443 on account modification pages
SKYNET_FIREWALL_00019,Add,i23-07-28_010,Complete,All,-,193.1.99.74,SKYNET00007,443,-,Self Service site for Skynet accounts
SKYNET_FIREWALL_00020,Add,i23-09-05_639,Complete,All,-,193.1.96.165,SKYNET00012,"80, 443",-,Web hosting for user sites
SKYNET_FIREWALL_00021,Add,i23-10-27_014,Complete,All,-,193.1.99.77,SKYNET00014,"80, 443",-,"Nextcloud, selfhosted google services, filestorage and documents"
SKYNET_FIREWALL_00022,Add,i24-02-01_102,Complete,193.1.96.165,SKYNET00012,103.1.99.109,SKYNET00004,-,53,Give the Skynet server access to ur secondary DNS
SKYNET_FIREWALL_00023,Add,i24-02-01_102,Complete,193.1.99.78,SKYNET00010,193.1.96.165,SKYNET00012,22,-,Allow our gitlab runner to access and deploy to teh external server
SKYNET_FIREWALL_00024,Add,i24-02-16_065,Complete,All,-,193.1.99.90,SKYNET00016,"80, 443",-,Games Server Administrative panel
SKYNET_FIREWALL_00025,Add,i24-02-16_065,Complete,All,-,193.1.99.91,SKYNET00017,25518-25525,"19132, 24418-24425",Minecraft Games server
SKYNET_FIREWALL_00026,Add,i24-06-04_017,Complete,All,-,193.1.99.76,SKYNET00009,4190,-,"Email sieve to allow members to add email filters to their
skynet mail."
SKYNET_FIREWALL_00027,Add,i24-06-04_017,Complete,All,-,193.1.99.82,SKYNET00018,80/443,-,"Public services such as a binary cache, open governance and keyserver"
,Add,i24-06-04_017,Denied,All,-,193.1.99.90,SKYNET00016,8080,-,"Websocket for admin panel on games management server
Denied because more information on wat it was for was requested"
,Add,i24-06-04_017,Denied,193.1.99.74,SKYNET00007,193.1.96.165,SKYNET00012,9000-9020,-,"Metrics collection, not done because not enough info provided"
SKYNET_FIREWALL_00028,Remove,i24-06-04_017,Complete,-,-,193.1.99.112,SKYNET00019,25565,-,No longer the minecraft game host
,Add,i24-06-04_017,Pending,All,-,193.1.99.90,SKYNET00016,8080,-,Websocket for admin panel on games management server
,Add,i24-06-04_017,Pending,193.1.99.83,SKYNET00020,193.1.96.165,SKYNET00012,9000-9010,-,Metrics Collection
,Add,i24-06-04_017,Pending,All,-,193.1.99.83,SKYNET00020,"80, 443",-,Web interface for Metrics server

1 Index Rule Action Name Ticket IP_Address Status DNS_Name Source_IP Ports TCP Source_Server Ports UDP Destination_IP Tunnel Destination_Server Ports_Requested Port_TCP Related_Tickets Port_UDP Description Notes
2 SKYNET00001 SKYNET_FIREWALL_00000 Add agentjones 193.1.99.72 Active Complete agentjones VPN - 93.1.99.71 - 193.1.99.126 All 22 - Firewall (currently not active) sftp/ssh required from vpn to servers for admins
3 SKYNET00002 SKYNET_FIREWALL_00001 Add vendetta 193.1.99.120 Active Complete vendetta/ns1 All - 53 193.1.99.109 SKYNET00004 - 53 DNS Nameserver 1 Nameserver for skynet.ie
4 SKYNET00003 SKYNET_FIREWALL_00002 Add jarvis 193.1.99.73 Active Complete jarvis All - 193.1.99.111 SKYNET00005 80, 443, 8000 - VM Host ULFM, http(s) for internet streaming, 8000 for connecting to the server.
5 SKYNET00004 SKYNET_FIREWALL_00003 Add vigil 193.1.99.109 Active Complete vigil/ns2 All - 53 193.1.99.112 SKYNET00006 80, 443, 25565 - DNS Nameserver 2 Games host, Minecraft uses 25565 (will have more ports in the future)
6 SKYNET00005 SKYNET_FIREWALL_00004 Add galatea 193.1.99.111 Active Complete galatea/stream All 80/443 8000 - 193.1.99.120 SKYNET00002 - 53 ULFM Radio Nameserver for skynet.ie
7 SKYNET00006 SKYNET_FIREWALL_00005 Add optimus i23-01-19_681 193.1.99.112 Retired Complete optimus/games/*.games 193.1.99.72 80/443 25565 SKYNET00001 All - - - Retired Games server Allow outbound access
8 SKYNET00007 SKYNET_FIREWALL_00006 Add kitt i23-01-19_681 193.1.99.74 Active Complete kitt/account/api.account 193.1.99.75 443 SKYNET00008 All - -> skynet:9000-9020 - i23-07-28_010 - LDAP and Self-Service Password/Account management, also hosts our Discord bot Allow outbound access
9 SKYNET00008 SKYNET_FIREWALL_00007 Add glados i23-01-19_681 193.1.99.75 Active Complete glados/gitlab/*.pages.gitlab 193.1.99.109 80/443 SKYNET00004 All - - i23-05-18_249 - Gitlab server Allow outbound access
10 SKYNET00009 SKYNET_FIREWALL_00008 Add gir i23-01-19_681 193.1.99.76 Active Complete gir/mail/imap/pop3/smtp 193.1.99.111 80/443 25/143/993/587/465 SKYNET00005 All - 4190 - i23-06-19_525/i23-06-19_525 - Email and Webmail Allow outbound access
11 SKYNET00010 SKYNET_FIREWALL_00009 Add wheatly i23-01-19_681 193.1.99.78 Active Complete wheatly 193.1.99.112 SKYNET00006 All -> skynet:22 - - - Gitlab Runner Allow outbound access
12 SKYNET00011 SKYNET_FIREWALL_00010 Add earth i23-01-19_681 193.1.99.79 Active Complete earth 193.1.99.120 80/443 SKYNET00002 All - - i23-06-19_525 - Offical website host Allow outbound access
13 SKYNET00012 SKYNET_FIREWALL_00011 Add skynet i23-05-18_249 193.1.96.165 Active Complete skynet/*.users All 22 80/443 - 193.1.99.75 SKYNET00008 80, 443 i23-06-30_024 - Skynet server. (DMZ) For gitlab Access
14 SKYNET00013 SKYNET_FIREWALL_00012 Add neuromancer i23-05-18_249 193.1.99.80 Active Complete neuromancer 193.1.99.72 - 193.1.99.126 - All - - - Local Backup Server I would also like to extend the outbound access to cover our entire range (193.1.99.72 to 193.1.99.126) to allow for setup for more servers on those ip's (need to download updates and packages). I have a few servers I plan to setup over the next two weeks, one after another as the later ones depend on earlier ones. In such a case asking for permission for each individual IP would induce several tickets and a few weeks of paperwork going through change control. Only a few of these sevices will need inbound ports opened on ITD's firewall, which can be requested when the systems are up, running and secured.
15 SKYNET00014 SKYNET_FIREWALL_00013 Add cadie i23-05-18_249 193.1.99.77 Active Complete cadie/nextcloud/onlyoffice.nextcloud All 80/443 - 193.1.99.76 SKYNET00009 143, 993, 587, 465 i23-10-27_014 - Services VM, has nextcloud to start with Email Server
16 SKYNET00015 SKYNET_FIREWALL_00014 Add marvin i23-06-19_525 193.1.99.81 Active Complete marvin All - 193.1.99.76 SKYNET00009 80, 443, 25 - Trainee testing server Mailserver here, SPF, DKIM and DMARC are all set up
17 SKYNET00016 SKYNET_FIREWALL_00015 Add optimus i23-06-19_525 193.1.99.90 Active Complete All 80/443 - 193.1.99.79 SKYNET00011 8080 80, 443 i24-02-16_065 - Games server manager (replacing SKYNET00006 soon) Main Skynet webserver
18 SKYNET00017 SKYNET_FIREWALL_00016 Add bumblebee i23-06-30_024 193.1.99.91 Active Complete All 25518-25525 - 19132 24418-24425 193.1.96.165 SKYNET00012 22 i24-02-16_065 - Game server - Minecraft Skynet user's server Outlet is 131 or 132
19 SKYNET00018 SKYNET_FIREWALL_00017 Add calculon i23-06-30_024 193.1.99.82 Active Complete 193.1.96.165 SKYNET00012 193.1.99.120 SKYNET00002 80/443 - 53 Public Services such as binary cache, Open Governance and Keyserver Allow Skynet server to use our own internal DNS
20 SKYNET_FIREWALL_00018 Add i23-06-30_024 Complete 193.1.96.165 SKYNET00012 193.1.99.74 SKYNET00007 389/636 - Allow Skynet server to access LDAP
21 Add i23-07-28_010 Denied All - 193.1.99.74 SKYNET00007 80, 443 - Self Service site for Skynet accounts – Only 443 on account modification pages
22 SKYNET_FIREWALL_00019 Add i23-07-28_010 Complete All - 193.1.99.74 SKYNET00007 443 - Self Service site for Skynet accounts
23 SKYNET_FIREWALL_00020 Add i23-09-05_639 Complete All - 193.1.96.165 SKYNET00012 80, 443 - Web hosting for user sites
24 SKYNET_FIREWALL_00021 Add i23-10-27_014 Complete All - 193.1.99.77 SKYNET00014 80, 443 - Nextcloud, selfhosted google services, filestorage and documents
25 SKYNET_FIREWALL_00022 Add i24-02-01_102 Complete 193.1.96.165 SKYNET00012 103.1.99.109 SKYNET00004 - 53 Give the Skynet server access to ur secondary DNS
26 SKYNET_FIREWALL_00023 Add i24-02-01_102 Complete 193.1.99.78 SKYNET00010 193.1.96.165 SKYNET00012 22 - Allow our gitlab runner to access and deploy to teh external server
27 SKYNET_FIREWALL_00024 Add i24-02-16_065 Complete All - 193.1.99.90 SKYNET00016 80, 443 - Games Server Administrative panel
28 SKYNET_FIREWALL_00025 Add i24-02-16_065 Complete All - 193.1.99.91 SKYNET00017 25518-25525 19132, 24418-24425 Minecraft Games server
29 SKYNET_FIREWALL_00026 Add i24-06-04_017 Complete All - 193.1.99.76 SKYNET00009 4190 - Email sieve to allow members to add email filters to their skynet mail.
30 SKYNET_FIREWALL_00027 Add i24-06-04_017 Complete All - 193.1.99.82 SKYNET00018 80/443 - Public services such as a binary cache, open governance and keyserver
31 Add i24-06-04_017 Denied All - 193.1.99.90 SKYNET00016 8080 - Websocket for admin panel on games management server Denied because more information on wat it was for was requested
32 Add i24-06-04_017 Denied 193.1.99.74 SKYNET00007 193.1.96.165 SKYNET00012 9000-9020 - Metrics collection, not done because not enough info provided
33 SKYNET_FIREWALL_00028 Remove i24-06-04_017 Complete - - 193.1.99.112 SKYNET00019 25565 - No longer the minecraft game host
34 Add i24-06-04_017 Pending All - 193.1.99.90 SKYNET00016 8080 - Websocket for admin panel on games management server
35 Add i24-06-04_017 Pending 193.1.99.83 SKYNET00020 193.1.96.165 SKYNET00012 9000-9010 - Metrics Collection
36 Add i24-06-04_017 Pending All - 193.1.99.83 SKYNET00020 80, 443 - Web interface for Metrics server
37
38
39
40
41
42