
How to obtain Network ACLs?



How to obtain an overview of the active Network ACLs of the current environment?

What are Network Access Control Lists (ACLs)?

Network Access Control Lists are one of several security measures applied to your infrastructure. They control traffic flow at the network layer and allow restrictions to be applied to that traffic. Each environment has multiple Network ACLs; the one of most concern is the ACL controlling traffic flow from the Internet to the infrastructure. It is also the only one you are allowed to change, e.g. by blocking or unblocking IPs or IP ranges.


Step-by-step guide

Show help

~$ r3 net list -h
usage: net.py list [-h] [--network-acls]

List Network ACL Entries.

optional arguments:
  -h, --help      show this help message and exit
  --network-acls  List the Entries for the environments public Network ACLs.

Show currently applied ACL

  1. r3 net list --network-acl shows the whole Network ACL for the public network segment of your infrastructure

  2. The overview includes

    1. the name/identifier of the ACL (NetworkAclId)

    2. the number assigned to the respective entry in the ACL (RuleNumber); the order is important so that deny actions are evaluated before allow actions

    3. the column Ingress, which describes the direction of the traffic flow: Ingress=True means the rule applies to incoming traffic, whereas Ingress=False indicates a rule for traffic leaving your infrastructure

    4. CidrBlock, the actual IP or IP range the rule applies to

    5. the Protocol number (following the IANA Internet Protocol Numbers standard), which names the network protocol the rule applies to (e.g. 6 for TCP traffic)

    6. PortRange, which specifies the port or port range the rule applies to

    7. RuleAction, which specifies how to handle the matching traffic, i.e. deny it or allow it



IP vs CIDR

A Network ACL is based on IPs or IP ranges given in Classless Inter-Domain Routing (CIDR) notation, where the /xx suffix after the IP address describes the network mask.

This example shows:

  • the default rule set root360 GmbH rolls out for the Network ACL

  • 4 block rules (RuleAction = deny, RuleNumbers 996-999) for 2 separate IPs, covering incoming traffic on both port 80 and port 443. These rules therefore block HTTP and HTTPS requests from the given IPs.


Listing active Network ACLs example

~$ r3 net list --network-acl
Project: backend Environment: test Company: root360 
+--------------+------------+---------+------------------+----------+--------------+------------+
| NetworkAclId | RuleNumber | Ingress | CidrBlock        | Protocol | PortRange    | RuleAction |
+--------------+------------+---------+------------------+----------+--------------+------------+
| acl-2778c94e | 100        | False   | 0.0.0.0/0        | 6        | 0 - 65535    | allow      |
| acl-2778c94e | 996        | True    | 35.156.218.92/32 | 6        | 443 - 443    | deny       |
| acl-2778c94e | 997        | True    | 35.156.218.92/32 | 6        | 80 - 80      | deny       |
| acl-2778c94e | 998        | True    | 35.156.218.91/32 | 6        | 443 - 443    | deny       |
| acl-2778c94e | 999        | True    | 35.156.218.91/32 | 6        | 80 - 80      | deny       |
| acl-2778c94e | 1000       | True    | 0.0.0.0/0        | 6        | 80 - 80      | allow      |
| acl-2778c94e | 1100       | True    | 0.0.0.0/0        | 6        | 443 - 443    | allow      |
| acl-2778c94e | 1300       | True    | 10.0.56.0/27     | 6        | 1024 - 65535 | allow      |
| acl-2778c94e | 1400       | True    | 10.0.57.0/24     | 6        | 1024 - 65535 | allow      |
| acl-2778c94e | 1500       | True    | 10.0.58.0/24     | 6        | 1024 - 65535 | allow      |
| acl-2778c94e | 32767      | False   | 0.0.0.0/0        | -1       | ALL          | deny       |
| acl-2778c94e | 32767      | True    | 0.0.0.0/0        | -1       | ALL          | deny       |
| acl-2778c94e | 32768      | False   | ::/0             | -1       | ALL          | deny       |
| acl-2778c94e | 32768      | True    | ::/0             | -1       | ALL          | deny       |
+--------------+------------+---------+------------------+----------+--------------+------------+
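As an added illustration (not part of the original article and not code from the r3 tool), the following Python snippet parses rows of the listing above and evaluates a packet against them in ascending RuleNumber order, which is why the deny rules 996-999 take effect before the broader allow rules 1000 and 1100. The sample rows are a constructed subset copied from the listing; the packet values used in the comments are assumptions.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed sample: a subset of the rows printed by `r3 net list --network-acl`
# above (public Network ACL of the backend/test environment), copied verbatim.
ACL_TABLE = """\
| acl-2778c94e | 100        | False   | 0.0.0.0/0        | 6        | 0 - 65535    | allow      |
| acl-2778c94e | 996        | True    | 35.156.218.92/32 | 6        | 443 - 443    | deny       |
| acl-2778c94e | 997        | True    | 35.156.218.92/32 | 6        | 80 - 80      | deny       |
| acl-2778c94e | 1000       | True    | 0.0.0.0/0        | 6        | 80 - 80      | allow      |
| acl-2778c94e | 1100       | True    | 0.0.0.0/0        | 6        | 443 - 443    | allow      |
| acl-2778c94e | 1400       | True    | 10.0.57.0/24     | 6        | 1024 - 65535 | allow      |
| acl-2778c94e | 32767      | False   | 0.0.0.0/0        | -1       | ALL          | deny       |
| acl-2778c94e | 32767      | True    | 0.0.0.0/0        | -1       | ALL          | deny       |
| acl-2778c94e | 32768      | True    | ::/0             | -1       | ALL          | deny       |
"""

@dataclass
class Rule:
    number: int
    ingress: bool
    cidr: ipaddress.IPv4Network | ipaddress.IPv6Network
    protocol: int          # IANA protocol number; -1 means any protocol
    port_lo: int
    port_hi: int
    action: str            # "allow" or "deny"

def parse_acl(table: str) -> list[Rule]:
    """Parse the table rows into Rule objects, sorted by RuleNumber (evaluation order)."""
    rules = []
    for line in table.splitlines():
        if not line.startswith("|") or "NetworkAclId" in line:
            continue  # skip +---+ separators and the header row
        _acl, num, ingress, cidr, proto, ports, action = (c.strip() for c in line.strip("|").split("|"))
        lo, hi = (0, 65535) if ports == "ALL" else (int(p) for p in ports.split("-"))
        rules.append(Rule(int(num), ingress == "True", ipaddress.ip_network(cidr),
                          int(proto), lo, hi, action))
    return sorted(rules, key=lambda r: r.number)

def evaluate(rules: list[Rule], ingress: bool, ip: str, protocol: int, port: int) -> tuple[str, int | None]:
    """Return (RuleAction, RuleNumber) of the lowest-numbered rule matching the packet.
    Lower numbers win, so deny 996/997 is hit before allow 1000/1100 for the blocked IP."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if (r.ingress == ingress and addr.version == r.cidr.version and addr in r.cidr
                and r.protocol in (-1, protocol) and r.port_lo <= port <= r.port_hi):
            return r.action, r.number
    return "deny", None  # nothing matched: treat as denied
```

For instance, an incoming TCP/443 packet from 35.156.218.92 resolves to ("deny", 996), while the same packet from any other public address resolves to ("allow", 1100).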

