

Merge pull request #1727 from ministryofjustice/MLPAB-2802-enable-dro…
…pping-of-requests-not-covered-by-allowlist

MLPAB-2802 - drop traffic that is not in the allowlist
andrewpearce-digital authored Jan 17, 2025
2 parents 814cb08 + 3fe0b3a commit 12d07aa
Showing 1 changed file with 2 additions and 4 deletions.
6 changes: 2 additions & 4 deletions terraform/account/network_firewall_rules.rules
@@ -1,4 +1,3 @@
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".amazon.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:20; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".lpa-store.api.opg.service.justice.gov.uk"; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:30; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".lpa-uid.api.opg.service.justice.gov.uk"; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:40; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"api.notifications.service.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:50; rev:1;)
Expand All @@ -10,7 +9,6 @@ pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"integration.lp
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"oidc.integration.account.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:110; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"identity.integration.account.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:120; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"publicapi.payments.service.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:130; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; dotprefix; content:".amazon.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:140; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; dotprefix; content:".lpa-store.api.opg.service.justice.gov.uk"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:150; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; dotprefix; content:".lpa-uid.api.opg.service.justice.gov.uk"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:160; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"api.notifications.service.gov.uk"; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:170; rev:1;)
Expand All @@ -20,5 +18,5 @@ pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; co
pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"oidc.integration.account.gov.uk"; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:210; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"identity.integration.account.gov.uk"; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:220; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"publicapi.payments.service.gov.uk"; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:240; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; priority:1; ssl_state:client_hello; flow:to_server, established; sid:250; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:240; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; priority:1; ssl_state:client_hello; flow:to_server, established; sid:250; rev:1;)
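Review bot: The two rules whose action changes from `alert` to `drop` (sid:240 and sid:250, last hunk) keep `rev:1`, so a rule manager or anyone reading alert logs cannot tell the old alert-only rule from the new dropping one; bump the revision, `sid:240; rev:2;` and `sid:250; rev:2;`. The drop rules carry no `http.host`/`tls.sni` match, so they only do the right thing if every `pass` rule above is evaluated first — that holds under AWS Network Firewall's default action order, but if the policy uses strict rule ordering the position of these lines at the end of the file is what keeps allowlisted traffic flowing, and the file would benefit from a leading comment saying so, e.g. `# pass rules must precede the catch-all drop rules; do not reorder`. Note also that only HTTP and TLS are dropped here; anything else leaving $HOME_NET is governed by the policy's stateful default actions, which this file does not show. The first two hunks each remove one allowlist line, but the rendered page does not mark which, so that removal is not reviewed here.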

