terraform-provider-hcloud icon indicating copy to clipboard operation
terraform-provider-hcloud copied to clipboard

Published 20 hours ago verified publisher icon hetznercloud

Firewall Improvements

Open Sebbo94BY opened this issue 3 years ago • 4 comments

I've just tested the beta firewall feature using Terraform and also in the console and I really like it. This helps a lot to avoid eg. iptables firewall configurations on all the hosts. While testing and setting up a few firewalls and rules, I've noted some things, which would be cool to have:

  • Adding a description field to each single rule would be very helpful to see and know for which purpose this rule for example is, when you view it in the console (in Terraform, you can simply add # comments, but this would not help someone, who is checking something through the Hetzner Cloud Console only)
  • Instead of only having port, I would implemt from_port and to_port. In the console, you're also able to fill out two fields. This would also allow you to change the value type from string to number to better check the given values. :)
  • Would be cool to have a simple option to define a rule, which simply allows everything (eg. for outgoing traffic to be explicit; AWS does this for example with protocol = "-1", from_port = 0 and to_port = 0)
  • ~~Outgoing firewall rules are currently not possible to manage as direction out is not available in Terraform~~ (#348)

Below some examples for these improvements:

resource "hcloud_firewall" "default" {
  name = "default"

  # ICMP
  rule {
    description = "ICMP"
    direction   = "in"
    protocol    = "icmp"
    source_ips = [
      "0.0.0.0/0",
      "::/0",
    ]
  }

  # SSH (default port)
  rule {
    description = "SSH (default port)"
    direction   = "in"
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    source_ips = [
      "0.0.0.0/0",
      "::/0",
    ]
  }

  # SSH (custom port)
  rule {
    description = "SSH (custom port)"
    direction   = "in"
    protocol    = "tcp"
    from_port   = 2223
    to_port     = 2223
    source_ips = [
      "0.0.0.0/0",
      "::/0",
    ]
  }

  # Allow any outgoing TCP traffic
  rule {
    description = "Any TCP traffic"
    direction   = "out"
    protocol    = "tcp"
    from_port   = 0
    to_port     = 0
    source_ips = [
      "0.0.0.0/0",
      "::/0",
    ]
  }

  # Or eg. allow any outgoing traffic (doesn't matter which protocol and port)
  rule {
    description = "Any TCP traffic"
    direction   = "out"
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    source_ips = [
      "0.0.0.0/0",
      "::/0",
    ]
  }

  labels = merge(
    local.default_labels,
    var.additional_labels,
    {
      Description = "Allows-necessary-minimum-traffic"
    },
  )
}

Sebbo94BY avatar Apr 17 '21 16:04 Sebbo94BY

Hey @Sebi94nbg,

thank you for your feedback! I passed the things to our team.

We decided to not implement two different fields for the ports because it doesn't felt right to have something like this:

   from_port   = 2223
   to_port     = 2223

We want to be simple and easy to use, therefore we decided to only have a port. Within this field, you can use single ports or even port ranges (Sample: 1-65535).

Would be cool to have a simple option to define a rule, which simply allows everything (eg. for outgoing traffic to be explicit; AWS does this for example with protocol = "-1", from_port = 0 and to_port = 0)

Personally, I think this is quite dangerous. When you define a firewall rule you should be explicit, having such indirect rules (one rule that allows everything) is fine as long as there are only a few supported protocols. With this "wildcard" you would directly allow new protocols we might add to the firewalls without knowing about it.

LKaemmerling avatar May 03 '21 05:05 LKaemmerling

You're welcome! Thank you!

When you define a firewall rule you should be explicit

Currently, you allow any outgoing traffic, when there is no rule configured in any assigned firewall. With my approach this would be explicit then. You are explicitly allowing anything. :)

With this "wildcard" you would directly allow new protocols we might add to the firewalls without knowing about it.

When you add / support new things, then this rule shouldn't be your problem. That's something, about what the respective DevOps needs to think about. They also could be more explicit and only allow the protocols and ports, which they want to allow instead of allowing anything. I wouldn't see this as a problem from Hetzner side. A DevOps has the job to check the changes of new releases, Cloud features etc. and if required, the DevOps needs to react. But that's only my opinion. ;)

Sebbo94BY avatar May 03 '21 20:05 Sebbo94BY

This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.

github-actions[bot] avatar Oct 13 '23 12:10 github-actions[bot]

There are still some open improvement requests.

Sebbo94BY avatar Oct 13 '23 13:10 Sebbo94BY