Open alevere opened 4 years ago
Good job.
Let me summarize GCP properties:

- direction: ingress or egress (default is ingress)
- priority: 0 to 65535
- action: allow or deny
- enforcement status: enabled or disabled (default is enabled)
- target: all instances, network tags, service accounts
- protocol
- port
Google Cloud Platform provides a stateful packet filter that behaves as if it sat at the network or at the interface(s) of a virtual machine. To support rules more fully, we would need to support both tags and service accounts (and maybe an implicit "all") for both source and destination. Supporting the network field as well would improve coverage.

Fields needed:

- tag - string
- service account - string
- all instances - boolean
- network - string
- priority - int 0-65535
Example 1: Deny 1.1.1.1 (`action:deny, ipv4_net:1.1.1.1`)

gcp command(s):

```
gcloud compute firewall-rules create testfw --action deny --rules all --direction ingress --source-ranges 1.1.1.1
gcloud compute firewall-rules create testfw1 --action deny --rules all --direction egress --destination-ranges 1.1.1.1
```

Works? Yes, but this is applied to the entire VPC (default in this case), so it is applied basically to all machines on the network.

Example 2: Allow 2.2.2.2 ingress

gcp command(s):

```
gcloud compute firewall-rules create testfw2 --action allow --rules all --direction ingress --source-ranges 2.2.2.2
```

Works? Yes, but this is applied to the entire VPC (default in this case), so it is applied basically to all machines on the network.

Example 3: Allow dst port 33 for TCP

gcp command(s):

```
gcloud compute firewall-rules create testfw3 --action allow --rules tcp:33 --direction ingress
gcloud compute firewall-rules create testfw4 --action allow --rules tcp:33 --direction egress
```

Works? Yes, but this is applied to the entire VPC (default in this case), so it is applied basically to all machines on the network.

Example 4: Deny `src=4.4.4.4,dst=5.5.5.5,dport=443,dir:egress`

gcp command(s): n/a

Works? No, you cannot specify ipv4 addresses as both source AND destination in GCP.

error:

```
- Should not specify destination range for ingress direction.
```

What does GCP support for specifying, if not ipv4 addresses?

- All instances on the network
- Tags
- Service Accounts
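The constraint behind Example 4 (a GCP rule is one-directional, so it carries either source ranges or destination ranges, never both) is easy to get wrong when translating a generic rule model into `gcloud` invocations. The following is an added illustration, not code from this project or from Google: a small builder that maps the fields listed above (action, direction, ranges, priority, target tags or service accounts, network) onto the argument list for `gcloud compute firewall-rules create`, and refuses the combinations GCP rejects before anything is sent to the API. Function names are hypothetical; the flag names are the real `gcloud` ones used in the examples above, plus `--priority`, `--network`, `--target-tags` and `--target-service-accounts`.

```python
"""Build `gcloud compute firewall-rules create` argv from a generic rule and
reject rules GCP cannot express. Added example; hypothetical helper names."""

GCP_DIRECTIONS = {"ingress", "egress"}
GCP_ACTIONS = {"allow", "deny"}
GCP_PRIORITY_MAX = 65535


def build_gcloud_firewall_args(name, action, direction="ingress", rules="all",
                               src=None, dst=None, priority=1000, network=None,
                               target_tags=None, target_service_accounts=None):
    """Return the arguments that follow `gcloud compute firewall-rules create`
    for one directional rule, or raise ValueError if GCP cannot express it.

    src/dst are lists of IPv4 ranges (a bare address is accepted by gcloud as
    a /32). target_tags/target_service_accounts are lists of strings.
    """
    if action not in GCP_ACTIONS:
        raise ValueError(f"action must be one of {sorted(GCP_ACTIONS)}")
    if direction not in GCP_DIRECTIONS:
        raise ValueError(f"direction must be one of {sorted(GCP_DIRECTIONS)}")
    if not 0 <= priority <= GCP_PRIORITY_MAX:
        raise ValueError(f"priority must be 0..{GCP_PRIORITY_MAX}")

    # Example 4 from the issue: GCP rules are one-directional. An ingress rule
    # may only carry source ranges and an egress rule only destination ranges;
    # gcloud itself reports e.g. "Should not specify destination range for
    # ingress direction." Fail early instead of surfacing that API error.
    if direction == "ingress" and dst:
        raise ValueError("ingress rule cannot carry destination ranges")
    if direction == "egress" and src:
        raise ValueError("egress rule cannot carry source ranges")

    # GCP allows a rule to target either tags or service accounts, not both.
    if target_tags and target_service_accounts:
        raise ValueError("target tags and target service accounts are "
                         "mutually exclusive in one rule")

    args = [name, "--action", action, "--rules", rules,
            "--direction", direction, "--priority", str(priority)]
    if src:
        args += ["--source-ranges", ",".join(src)]
    if dst:
        args += ["--destination-ranges", ",".join(dst)]
    if network:
        args += ["--network", network]
    # Without a target flag the rule applies to every instance in the VPC,
    # which is the "applied basically to all machines" caveat from the issue.
    if target_tags:
        args += ["--target-tags", ",".join(target_tags)]
    if target_service_accounts:
        args += ["--target-service-accounts", ",".join(target_service_accounts)]
    return args


def deny_host_both_directions(name, host, rules="all", **kwargs):
    """Example 1: a direction-neutral 'deny this host' needs two GCP rules,
    one ingress rule keyed on source and one egress rule keyed on destination.
    Returns the two argument lists."""
    return [
        build_gcloud_firewall_args(name, "deny", "ingress", rules,
                                   src=[host], **kwargs),
        build_gcloud_firewall_args(f"{name}-egress", "deny", "egress", rules,
                                   dst=[host], **kwargs),
    ]


def unsupported_reason(**rule):
    """Return the ValueError message for a rule GCP cannot express, or None."""
    try:
        build_gcloud_firewall_args(**rule)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for argv in deny_host_both_directions("testfw", "1.1.1.1"):
        print("gcloud compute firewall-rules create", " ".join(argv))
    # Example 4: both src and dst on a single rule is rejected.
    print(unsupported_reason(name="testfw5", action="deny", direction="egress",
                             rules="tcp:443", src=["4.4.4.4"], dst=["5.5.5.5"]))
```

Scoping a rule with `target_tags` or `target_service_accounts` is what narrows it from the whole VPC to specific instances, which is the missing piece the issue is asking for; the builder emits the corresponding flags but still requires the caller to pick one of the two target kinds.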