Ensure OpenStack firewall rule has destination IP configured
Error: OpenStack Security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp)
Bridgecrew Policy ID: BC_OPENSTACK_NETWORKING_3
Checkov Check ID: CKV_OPENSTACK_5
Severity: LOW
OpenStack firewall rule does not have destination IP configured
Description
Explicitly setting a destination IP address ensures that the IP destination is managed in code. You also need to ensure that the destination IP is not 0.0.0.0, so that the firewall rule is not exposed to the world.
Fix - Buildtime
Terraform
- Resource: openstack_fw_rule_v1
- Arguments: destination_ip_address
resource "openstack_fw_rule_v1" "fail" {
name = "my_rule_world"
description = "let anyone in"
action = "allow"
protocol = "tcp"
destination_port = "22"
enabled = "true"
+ destination_ip_address = "10.0.0.1"
}
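Review bot: on the added destination_ip_address line, the surrounding resource is still labelled "fail", with name "my_rule_world" and description "let anyone in", so the remediated example reads as the failing case; rename these to reflect the pinned destination. The rule also sets no source_ip_address, so the allow on port 22 still matches any source; add one if the intent is to restrict who can reach 10.0.0.1.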
CLI
openstack firewall group rule create --destination-ip-address 10.0.0.1
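The pass/fail logic from the Description, as an added Python example (not Checkov's or Bridgecrew's own implementation): it flags openstack_fw_rule_v1 blocks with no destination_ip_address or with an unspecified one. It goes slightly beyond the text by also treating 0.0.0.0/0 and ::/0 as any-address; the regex-based parsing, function names and sample resources are assumptions for illustration.

```python
import ipaddress
import re

# Assumption: each rule is a flat block with no nested braces.
RULE_BLOCK = re.compile(
    r'resource\s+"openstack_fw_rule_v1"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^{}]*)\}')
ATTRIBUTE = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*"?([^"\n#]*?)"?[ \t]*(?:#.*)?$', re.M)


def is_any_address(value):
    """True for the unspecified address or a network based on it (0.0.0.0, 0.0.0.0/0, ::/0)."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False  # not an IP literal, e.g. a variable reference
    return net.network_address.is_unspecified


def check_rules(terraform_text):
    """Map each openstack_fw_rule_v1 resource name to (passed, reason)."""
    results = {}
    for block in RULE_BLOCK.finditer(terraform_text):
        attrs = dict(ATTRIBUTE.findall(block["body"]))
        dest = attrs.get("destination_ip_address", "").strip()
        if not dest:
            results[block["name"]] = (False, "destination_ip_address not set")
        elif is_any_address(dest):
            results[block["name"]] = (False, f"{dest} matches any destination")
        else:
            results[block["name"]] = (True, f"destination pinned to {dest}")
    return results


# Constructed sample input; resource names are hypothetical.
SAMPLE = '''
resource "openstack_fw_rule_v1" "no_destination" {
  action = "allow"
}
resource "openstack_fw_rule_v1" "world" {
  action                 = "allow"
  destination_ip_address = "0.0.0.0/0"
}
resource "openstack_fw_rule_v1" "pinned" {
  action                 = "allow"
  destination_ip_address = "10.0.0.1"
}
'''

if __name__ == "__main__":
    print(check_rules(SAMPLE))
```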