From b2885ef2725a05cac49e7dae871d0a6b96fd1fbc Mon Sep 17 00:00:00 2001 From: Gabriele Cerami Date: Thu, 2 Aug 2018 12:42:27 +0100 Subject: [PATCH] BMC port: add security group to limit IPMI to private net --- templates/bmc-port-port-security.yaml | 20 ++++++++++++++++++++ templates/bmc-port.yaml | 20 ++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/templates/bmc-port-port-security.yaml b/templates/bmc-port-port-security.yaml index dc9361e..b4a4b3e 100644 --- a/templates/bmc-port-port-security.yaml +++ b/templates/bmc-port-port-security.yaml @@ -9,6 +9,24 @@ parameters: type: string resources: + bmc_sg: + type: OS::Neutron::SecurityGroup + properties: + name: + list_join: + - '_' + - - {get_param: bmc_prefix} + - 'sg' + description: SSH, ping, IPMI from the same net + rules: + - protocol: icmp + - protocol: tcp + port_range_min: 22 + port_range_max: 22 + - protocol: udp + port_range_min: 623 + port_range_max: 623 + remote_ip_prefix: {get_param: private_net} private_bmc_port: type: OS::Neutron::Port @@ -19,6 +37,8 @@ resources: - - 'utility' - {get_param: bmc_prefix} network: {get_param: private_net} + security_groups: + - {get_resource: bmc_sg} port_security_enabled: False outputs: diff --git a/templates/bmc-port.yaml b/templates/bmc-port.yaml index 402ea94..5101ce4 100644 --- a/templates/bmc-port.yaml +++ b/templates/bmc-port.yaml @@ -9,6 +9,24 @@ parameters: type: string resources: + bmc_sg: + type: OS::Neutron::SecurityGroup + properties: + name: + list_join: + - '_' + - - {get_param: bmc_prefix} + - 'sg' + description: SSH, ping, IPMI from the same net + rules: + - protocol: icmp + - protocol: tcp + port_range_min: 22 + port_range_max: 22 + - protocol: udp + port_range_min: 623 + port_range_max: 623 + remote_ip_prefix: {get_param: private_net} private_bmc_port: type: OS::Neutron::Port 
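Review bot: `remote_ip_prefix: {get_param: private_net}` is attached only to the udp/623 rule in `bmc_sg` (as far as the flattened indentation shows), so the icmp and tcp/22 rules fall back to Neutron's default of any source, while the description claims `SSH, ping, IPMI from the same net`; either add `remote_ip_prefix: {get_param: private_net}` to each rule or reword the description to say that only IPMI is restricted. The same `private_net` parameter is passed to the port's `network` property in the next hunk, which takes a network name or ID, whereas `remote_ip_prefix` expects a CIDR, so unless `private_net` is in fact a CIDR Neutron will reject the rule and the stack will fail to create; declaring a separate CIDR parameter (placeholder name `private_net_cidr`) for the rule is the usual fix. The identical `bmc_sg` block in the first hunk of templates/bmc-port.yaml has the same two issues.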
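Review bot: The added `security_groups` list is placed on a port that keeps `port_security_enabled: False`, and Neutron refuses to attach security groups to a port with port security disabled, so templates/bmc-port-port-security.yaml will fail at stack create or update. This template variant appears to exist precisely to disable port security for the BMC port, so either drop the `security_groups` lines here (in which case the `bmc_sg` resource added above has no effect in this file and could be omitted too) or keep port security enabled and use `allowed_address_pairs` for the extra addresses instead. The `private_bmc_port` resource begins before this hunk.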
@@ -19,6 +37,8 @@ resources: - - 'utility' - {get_param: bmc_prefix} network: {get_param: private_net} + security_groups: + - {get_resource: bmc_sg} outputs: port: