Ensure OpenStack firewall rule has destination IP configured

Error: OpenStack firewall rule does not have destination IP configured

Bridgecrew Policy ID: BC_OPENSTACK_NETWORKING_3
Checkov Check ID: CKV_OPENSTACK_5
Severity: LOW

OpenStack firewall rule does not have destination IP configured

Description

Explicitly setting a destination IP address makes sure that the rule's destination is managed in code rather than left to the provider default. You also need to ensure that the destination is not 0.0.0.0 or 0.0.0.0/0 (or ::/0 for IPv6); a rule with such a destination matches every host, so it exposes the firewall rule's effect to the world instead of scoping it to the intended host or network.

Fix - Buildtime

Terraform

  • Resource: openstack_fw_rule_v1
  • Arguments: destination_ip_address

resource "openstack_fw_rule_v1" "fail" {
  name             = "my_rule_world"
  description      = "let anyone in"
  action           = "allow"
  protocol         = "tcp"
  destination_port = "22"
  enabled          = true
+  # Scope the rule to one host or CIDR; never 0.0.0.0/0.
+  destination_ip_address = "10.0.0.1"
}

CLI

openstack firewall group rule create --destination-ip-address 10.0.0.1

The value accepts a single address or a CIDR. Note that this command is the Neutron FWaaS v2 CLI, while openstack_fw_rule_v1 above is the FWaaS v1 Terraform resource; the v2 Terraform resource, openstack_fw_rule_v2, takes the same destination_ip_address argument and the same fix applies.
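To show how this policy is evaluated against real Terraform input, here is an added Python check that mirrors the intent of CKV_OPENSTACK_5. It is not Checkov's own implementation or the provider's code: it extracts flat `key = value` attributes from openstack_fw_rule_v1/v2 resource blocks with a deliberately simple regex (not a full HCL parser), then fails any rule whose destination_ip_address is missing or covers every destination (0.0.0.0, 0.0.0.0/0, ::/0). The sample HCL, the resource names and the function names are constructed for this example.

```python
"""Added example: a Checkov-style evaluation of the CKV_OPENSTACK_5 intent.

Not Checkov's or the Terraform provider's code. Handles the flat attribute
form shown on this page; nested blocks and expressions are out of scope.
"""
import ipaddress
import re

# Resource types this policy applies to (v1 and v2 take the same argument).
FW_RULE_TYPES = {"openstack_fw_rule_v1", "openstack_fw_rule_v2"}

# resource "<type>" "<name>" { <body> }  -- body must not contain nested blocks.
_RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}'
)
# One attribute per line: key = "value" or key = value.
_ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"?(?P<val>[^"\n]*?)"?\s*$', re.M)


def parse_resources(hcl_text):
    """Return a list of (type, name, attrs) tuples for each resource block."""
    resources = []
    for m in _RESOURCE_RE.finditer(hcl_text):
        attrs = {a.group("key"): a.group("val") for a in _ATTR_RE.finditer(m.group("body"))}
        resources.append((m.group("type"), m.group("name"), attrs))
    return resources


def covers_everything(addr):
    """True if an address or CIDR matches every destination (0.0.0.0, 0.0.0.0/0, ::/0)."""
    try:
        net = ipaddress.ip_network(addr.strip(), strict=False)
    except ValueError:
        return False  # unparsable input is a validation error, not a wildcard
    return net.prefixlen == 0 or net.network_address.is_unspecified


def check_fw_rule(attrs):
    """PASSED when destination_ip_address is set and scoped, FAILED otherwise."""
    dest = attrs.get("destination_ip_address")
    if not dest or covers_everything(dest):
        return "FAILED"
    return "PASSED"


def scan(hcl_text):
    """Map 'type.name' -> result for every firewall rule resource in the text."""
    return {
        f"{rtype}.{name}": check_fw_rule(attrs)
        for rtype, name, attrs in parse_resources(hcl_text)
        if rtype in FW_RULE_TYPES
    }


# Constructed sample: one rule with no destination, one open to the world,
# and one scoped to a single host (the corrected form from this page).
SAMPLE_HCL = '''
resource "openstack_fw_rule_v1" "no_destination" {
  name             = "my_rule_world"
  description      = "let anyone in"
  action           = "allow"
  protocol         = "tcp"
  destination_port = "22"
  enabled          = true
}

resource "openstack_fw_rule_v1" "any_destination" {
  name                   = "any_dest"
  action                 = "allow"
  protocol               = "tcp"
  destination_port       = "22"
  destination_ip_address = "0.0.0.0/0"
}

resource "openstack_fw_rule_v2" "scoped" {
  name                   = "bastion_ssh"
  action                 = "allow"
  protocol               = "tcp"
  destination_port       = "22"
  destination_ip_address = "10.0.0.1"
}
'''

if __name__ == "__main__":
    for resource_id, result in scan(SAMPLE_HCL).items():
        print(f"{result:7} {resource_id}")
```

Running the block scans the embedded sample and reports the first two rules as FAILED and the scoped rule as PASSED. The wildcard test uses the `ipaddress` module rather than string comparison so that spellings such as `0.0.0.0/0`, `0.0.0.0` and `::/0` are all caught, which is the check a reviewer would want before trusting a rule's destination.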