Rule for considering order of NACL entries #409
thegonch added a commit that referenced this issue on Mar 25, 2020: …orts, and duplicate rule numbers, along with their spec tests.
thegonch added a commit that referenced this issue on Apr 1, 2020.
This was referenced Apr 1, 2020
thegonch added a commit that referenced this issue on Apr 8, 2020.
thegonch added a commit that referenced this issue on Apr 9, 2020.
thegonch added a commit that referenced this issue on Apr 10, 2020: …plicate rule spec test. Clean up duplicate and reused portRange methods using group_by
thegonch added a commit that referenced this issue on Apr 13, 2020.
ghost pushed a commit that referenced this issue on Apr 21, 2020:

* Add NACL rules for VPC ID, Protocol, and Port Range
* #10 Remove EC2NetworkAclMissingVpcIdRule and its tests. Remove check and test for ec2 network acl where port ranges could be set to '-1' as it does not seem to be possible for Cloudformation. Other general cleanup per Eric Kascic's PR review.
* Update EC2NetworkAclEntryPortRangeRule text
* #10 Add check for allow rules only for NACL Protocol Rule opening all ports with appropriate tests and warning text updates
* #409 Add ineffective NACL rules including ineffective deny, reusing ports, and duplicate rule numbers, along with their spec tests.
* #409 Update cfn-model to 0.4.27
* #409 Update NACL entry ineffective rules using cleaner cfn-model setup, add port overlap check
* #409 Update cfn-model gem. Update new rule numbers and some other cleanup.
* #409 Clean up select vs. each for NACL ineffective rules. Update warning rule numbers
* #409 Simplify ineffective rule definitions and predicates
* #409 Remove ? from methods that do not return a boolean. Add a new duplicate rule spec test. Clean up duplicate and reused portRange methods using group_by
* #409 Clean up the ports overlapping rule for NACL entries
* Change rule name from lib/cfn-nag/custom_rules/EC2NetworkAclEntryReusedPortsRule.rb to lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb. Clean up overlap logic.
This issue was closed.
Ineffective or misconfigured DENY rules promote "overly-permissive" access to a VPC. This results in attacks, such as DoS or DDoS. Be mindful of the order of the DENY rules within your Network ACLs. This is crucial, as ACLs are evaluated in order. For example, in the below image, the DENY rule is defined to block inbound traffic to vulnerable port 2049. If the rule does not block access to everyone (0.0.0.0/0), the inbound DENY rule is declared ineffective and should be reconfigured to protect against attacks.

Basically, attempt to eval or partial eval on the rules to check whether some of the rules are ineffective because of earlier rules in the template.
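An added example of the partial evaluation the issue asks for; this is not cfn-nag's own rule code, and the helper names, the entry hash layout (a simplified form of AWS::EC2::NetworkAclEntry properties) and the sample entries are constructed for this illustration. It sorts the entries of one traffic direction by rule number, as the NACL evaluates them, and reports a DENY that an earlier ALLOW already covers (same or "all" protocol, superset CIDR, superset port range), a DENY whose port range only partially overlaps an earlier ALLOW, and duplicate rule numbers.

```ruby
# Added example, not cfn-nag code: detect NACL entries that are ineffective
# because an earlier (lower-numbered) entry already decides the traffic.
require 'ipaddr'

ALL_PORTS = (0..65535).freeze

# Constructed sample entries (hypothetical, simplified NetworkAclEntry data).
# Protocol '-1' means all protocols and therefore all ports.
SAMPLE_ENTRIES = [
  { rule_number: 100, action: 'allow', protocol: '-1', cidr: '0.0.0.0/0',  ports: nil,           egress: false },
  { rule_number: 200, action: 'deny',  protocol: '6',  cidr: '0.0.0.0/0',  ports: (2049..2049),  egress: false },
  { rule_number: 100, action: 'deny',  protocol: '6',  cidr: '0.0.0.0/0',  ports: (23..23),      egress: true },
  { rule_number: 110, action: 'allow', protocol: '6',  cidr: '0.0.0.0/0',  ports: (1024..65535), egress: true },
  { rule_number: 120, action: 'deny',  protocol: '6',  cidr: '10.0.0.0/8', ports: (3389..3389),  egress: true },
  { rule_number: 130, action: 'deny',  protocol: '6',  cidr: '0.0.0.0/0',  ports: (1000..2000),  egress: true },
  { rule_number: 130, action: 'allow', protocol: '17', cidr: '0.0.0.0/0',  ports: (53..53),      egress: true }
].freeze

# Entries for all protocols (or without a port range) match every port.
def port_range(entry)
  entry[:protocol] == '-1' || entry[:ports].nil? ? ALL_PORTS : entry[:ports]
end

def protocol_covers?(earlier, later)
  earlier[:protocol] == '-1' || earlier[:protocol] == later[:protocol]
end

# True when every address of the later CIDR lies inside the earlier CIDR.
def cidr_covers?(earlier, later)
  outer = IPAddr.new(earlier[:cidr]).to_range
  inner = IPAddr.new(later[:cidr]).to_range
  outer.cover?(inner.begin) && outer.cover?(inner.end)
end

def ports_cover?(earlier, later)
  a = port_range(earlier)
  b = port_range(later)
  a.begin <= b.begin && a.end >= b.end
end

def ports_overlap?(earlier, later)
  a = port_range(earlier)
  b = port_range(later)
  a.begin <= b.end && b.begin <= a.end
end

# Evaluate one direction (ingress or egress) in rule-number order and return
# an array of { rule_number:, reason: } findings.
def ineffective_rules(entries, egress: false)
  ordered = entries.select { |e| e[:egress] == egress }.sort_by { |e| e[:rule_number] }
  findings = []

  # Two entries with the same rule number in one direction are ambiguous
  # (and rejected by AWS on deployment).
  ordered.group_by { |e| e[:rule_number] }.each do |num, group|
    findings << { rule_number: num, reason: 'duplicate rule number' } if group.size > 1
  end

  ordered.each_with_index do |entry, idx|
    next unless entry[:action] == 'deny'

    # Only earlier ALLOWs for a covering protocol and CIDR can shadow this DENY.
    earlier_allows = ordered[0...idx].select do |e|
      e[:action] == 'allow' && protocol_covers?(e, entry) && cidr_covers?(e, entry)
    end

    full = earlier_allows.find { |e| ports_cover?(e, entry) }
    if full
      findings << { rule_number: entry[:rule_number],
                    reason: "deny fully shadowed by allow rule #{full[:rule_number]}" }
      next
    end

    partial = earlier_allows.find { |e| ports_overlap?(e, entry) }
    next unless partial

    findings << { rule_number: entry[:rule_number],
                  reason: "deny partially shadowed by allow rule #{partial[:rule_number]}" }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |egress|
    puts "#{egress ? 'egress' : 'ingress'}:"
    ineffective_rules(SAMPLE_ENTRIES, egress: egress).each do |f|
      puts "  rule #{f[:rule_number]}: #{f[:reason]}"
    end
  end
end
```

On the sample data the ingress DENY for port 2049 at rule 200 is reported as fully shadowed by the allow-all at rule 100 (the case in the issue text), while on the egress side rule 120 is fully shadowed, rule 130 is only partially shadowed by the 1024-65535 ALLOW, and rule number 130 is flagged as a duplicate. A DENY that sorts first in its direction is never flagged, because nothing earlier can decide the traffic before it.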