So they worry about "idiot admins disabling software firewalls"... :P
-
We can manage host firewall rules via Ansible and store them in Git. That way changes are tracked and can be reverted; no "manual fiddling."
-
Add a periodic compliance check (CI job or cron) that alerts if a host firewall differs from the repo version.
Or an agent.
        The Sh1re (Nginx Reverse Proxy)
                   / | \
                  /  |  \
             HTTPS Logs TLS Term
                  \  |  /
                   \ | /
                   v v v
    +-----------------------------------+
    |      Internal Hardware Wall       |
    |   (default drop, allow 80/443)    |
    +-----------------------------------+
                      |
                      | (exception for TD only)
                      v
    +-----------------------------------+
    |        TransferDepot Host         |
    |-----------------------------------|
    |   Software Firewall Rules (Git)   |
    |   - Allow :8080 only from Sh1re   |
    |   - Drop everything else          |
    |-----------------------------------|
    |      Flask / Gunicorn / App       |
    +-----------------------------------+
                      |
                      v
            Users get files, safely
What this drawing says in basic terms:
- Outer wall (Sh1re): big logs, HTTPS, shiny locks.
- Middle wall (local hardware): grunts "no one passes!" except those blessed by Sh1re.
- Inner wall (software firewall, versioned): your "app cave" has its own rules, carved in Git stone so no one can wipe them away.
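The two pieces above, the Git-tracked host rules (":8080 only from Sh1re, drop everything else") and the periodic compliance check that alerts on drift, fit together in one small script. This is an added example, not code from the post or the TransferDepot project: it assumes the rules are kept in `iptables -S` syntax, the Sh1re proxy address `10.0.0.5` is a placeholder, and both sample rulesets are constructed. Run it with `--demo` to see the constructed drift, or without arguments on a host (as root) to compare the live table.

```python
"""Firewall drift check: compare the Git-tracked rules with the live ruleset.

Added example, not code from the original post. The rule lines, the proxy
address SH1RE_IP and both sample rulesets below are constructed; on a real
host the live side comes from `iptables -S` (see live_ruleset()).
"""
import subprocess
import sys

SH1RE_IP = "10.0.0.5"  # assumption: address of the Sh1re reverse proxy

# Desired rules as committed to Git (iptables -S syntax), matching the
# drawing: default drop, :8080 reachable only from Sh1re.
REPO_RULES = f"""
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s {SH1RE_IP}/32 -p tcp -m tcp --dport 8080 -j ACCEPT
"""

# Constructed "live" output from a host where the INPUT policy was flipped
# to ACCEPT and the :8080 rule lost its source restriction.
LIVE_RULES_DRIFTED = """
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
"""


def parse_ruleset(text):
    """Return (policies, chains) parsed from iptables -S output.

    policies: {"INPUT": "DROP", ...}; chains: {"INPUT": [rule, ...]} in
    order. Whitespace is collapsed so cosmetic differences are not drift.
    """
    policies, chains = {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "-P" and len(parts) == 3:
            policies[parts[1]] = parts[2]
        elif parts[0] == "-N":
            chains.setdefault(parts[1], [])
        elif parts[0] in ("-A", "-I"):
            chains.setdefault(parts[1], []).append(" ".join(parts))
    return policies, chains


def diff_rulesets(repo_text, live_text):
    """List human-readable drift findings; an empty list means in sync."""
    repo_pol, repo_chains = parse_ruleset(repo_text)
    live_pol, live_chains = parse_ruleset(live_text)
    findings = []
    for chain in sorted(set(repo_pol) | set(live_pol)):
        want, have = repo_pol.get(chain), live_pol.get(chain)
        if want != have:
            findings.append(f"{chain} policy: repo={want} live={have}")
    for chain in sorted(set(repo_chains) | set(live_chains)):
        want = repo_chains.get(chain, [])
        have = live_chains.get(chain, [])
        before = len(findings)
        for rule in want:
            if rule not in have:
                findings.append(f"missing in {chain}: {rule}")
        for rule in have:
            if rule not in want:
                findings.append(f"unexpected in {chain}: {rule}")
        # iptables is first-match, so the same rules in another order is drift
        if len(findings) == before and want != have:
            findings.append(f"rule order differs in {chain}")
    return findings


def live_ruleset():
    """Dump the running IPv4 filter table (needs root on the host)."""
    return subprocess.run(["iptables", "-S"], check=True,
                          capture_output=True, text=True).stdout


def main(argv):
    """Cron/CI entry point: exit 1 on drift so the job can alert."""
    live = LIVE_RULES_DRIFTED if "--demo" in argv else live_ruleset()
    findings = diff_rulesets(REPO_RULES, live)
    for finding in findings:
        print("DRIFT:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The non-zero exit code is the whole point for the cron or CI job: the scheduler turns it into the alert, and the findings say exactly which chain policy or rule moved away from what is in Git, so the Ansible run that restores it is a one-liner rather than a guess.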