Restrict SNMP to internal network
Add a parameter, SnmpdIpSubnet, which can be an IP/MASK that will be used to secure with IPtables the source network authorized to reach the SNMP service on the host. If SnmpdIpSubnet is left empty (default) the parameter will be set to SnmpdNetwork.

Also change the IPtables id: 127 was used by Horizon, so let's switch SNMP to 124.

No impact on users.

Change-Id: I46fce28926cb5a881f7384948480266712ae75e3
Closes-Bug: #1749324

commit 43155ed146 (parent 7b8e0b7d72)
@ -65,6 +65,7 @@ parameters:
|
|||||||
RedisNetwork: internal_api
|
RedisNetwork: internal_api
|
||||||
GaneshaNetwork: storage_nfs
|
GaneshaNetwork: storage_nfs
|
||||||
MysqlNetwork: internal_api
|
MysqlNetwork: internal_api
|
||||||
|
SnmpdNetwork: internal_api
|
||||||
CephClusterNetwork: storage_mgmt
|
CephClusterNetwork: storage_mgmt
|
||||||
CephMonNetwork: storage
|
CephMonNetwork: storage
|
||||||
CephRgwNetwork: storage
|
CephRgwNetwork: storage
|
||||||
|
@ -48,6 +48,13 @@ parameters:
|
|||||||
description: A string containing the commandline options passed to snmpd
|
description: A string containing the commandline options passed to snmpd
|
||||||
type: string
|
type: string
|
||||||
default: '-LS0-5d'
|
default: '-LS0-5d'
|
||||||
|
SnmpdIpSubnet:
|
||||||
|
default: ''
|
||||||
|
description: IP address/subnet on the snmpd network. If empty (default), SnmpdNetwork
|
||||||
|
will be taken.
|
||||||
|
type: string
|
||||||
|
conditions:
|
||||||
|
snmpd_network_unset: {equals : [{get_param: SnmpdIpSubnet}, '']}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
role_data:
|
role_data:
|
||||||
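Review bot: SnmpdIpSubnet has no `constraints:` entry, so a malformed value is only caught when the iptables rule is applied at deploy time; the description should state the accepted form (an IP or IP/MASK, as the commit message says, passed verbatim as the iptables `source`), and an `allowed_pattern` constraint would reject typos at stack validation instead. Also `equals : [...]` in the new `snmpd_network_unset` condition carries a stray space before the colon; `equals:` matches the style used elsewhere in these templates.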
@ -59,10 +66,20 @@ outputs:
|
|||||||
tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
|
tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
|
||||||
snmp::agentaddress: {get_param: SnmpdBindHost}
|
snmp::agentaddress: {get_param: SnmpdBindHost}
|
||||||
snmp::snmpd_options: {get_param: SnmpdOptions}
|
snmp::snmpd_options: {get_param: SnmpdOptions}
|
||||||
|
snmpd_network:
|
||||||
|
str_replace:
|
||||||
|
template: "NETWORK_subnet"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, SnmpdNetwork]}
|
||||||
tripleo.snmp.firewall_rules:
|
tripleo.snmp.firewall_rules:
|
||||||
'127 snmp':
|
'124 snmp':
|
||||||
dport: 161
|
dport: 161
|
||||||
proto: 'udp'
|
proto: 'udp'
|
||||||
|
source:
|
||||||
|
if:
|
||||||
|
- snmpd_network_unset
|
||||||
|
- "%{hiera('snmpd_network')}"
|
||||||
|
- {get_param: SnmpdIpSubnet}
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::profile::base::snmp
|
include ::tripleo::profile::base::snmp
|
||||||
upgrade_tasks:
|
upgrade_tasks:
|
||||||
|
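Review bot: changing the rule key from `'127 snmp'` to `'124 snmp'` only narrows exposure on upgraded nodes if the firewall profile purges rules it no longer manages; if the old `127 snmp` rule with the implicit 0.0.0.0/0 source is left in place next to the new one, the restriction has no effect, so this deserves an upgrade check or a comment explaining why purge covers it. Also the fallback `"%{hiera('snmpd_network')}"` under `source:` depends on the `snmpd_network` key added just above resolving to an existing `<network>_subnet` hiera value on every role that runs snmpd; a role whose ServiceNetMap points SnmpdNetwork at a network it is not attached to would yield an unresolved `source`, which the parameter description for SnmpdNetwork or SnmpdIpSubnet should call out.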
releasenotes/notes/snmp_firewall-ab17f60ba1ec71d2.yaml (new file, 7 lines)
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
Change the IPtables rule for SNMP service and open 161 udp port on
|
||||||
|
SnmpdIpSubnet parameter instead of 0.0.0.0/0.
|
||||||
|
If SnmpdIpSubnet is left empty, SnmpdNetwork will be used.
|
||||||
|
|
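Review bot: the note reads as if a port is being opened rather than restricted; "open 161 udp port on SnmpdIpSubnet parameter instead of 0.0.0.0/0" would be clearer as "restrict access to UDP port 161 to the network given by SnmpdIpSubnet instead of 0.0.0.0/0". It should also mention that the firewall rule key changed from `127 snmp` to `124 snmp`, since operators who override or reference that id in custom `tripleo.snmp.firewall_rules` data need to adjust it.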