Google Compute Network Using Firewall Rule that Allows Port Range
- Query id: 7289eebd-a477-4064-8ad4-3c044bd70b00
- Query name: Google Compute Network Using Firewall Rule that Allows Port Range
- Platform: Ansible
- Severity: Low
- Category: Networking and Firewall
- CWE: 285
- URL: Github
Description
A Google Compute Network should not use a firewall rule whose `allowed` block opens a range of ports (for example `20-1000`) instead of the single port a service needs.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
- name: create a firewall2
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
      - ip_protocol: tcp
        ports:
          - '20-1000'
    target_tags:
      - test-ssh-server
      - staging-ssh-server
    source_tags:
      - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    network: "{{ my_network2 }}"
- name: create a network2
  google.cloud.gcp_compute_network:
    name: test_object
    auto_create_subnetworks: 'true'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
  register: my_network2
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
- name: create a firewall
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
      - ip_protocol: tcp
        ports:
          - '22'
    target_tags:
      - test-ssh-server
      - staging-ssh-server
    source_tags:
      - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    network: "{{ my_network }}"
- name: create a network
  google.cloud.gcp_compute_network:
    name: test_object
    auto_create_subnetworks: 'true'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
  register: my_network
```
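The check behind this query, as an added example that is not the KICS query itself: it walks already-parsed Ansible tasks (the structure `yaml.safe_load` returns for the playbooks above; the sample tasks below are constructed to mirror them) and flags every `gcp_compute_firewall` task whose `allowed` entries list a port range rather than a single port. The function and variable names are this example's own.

```python
import re
from typing import Any

# Matches a port range such as '20-1000'; a single port like '22' does not match.
PORT_RANGE = re.compile(r"^\s*(\d{1,5})\s*-\s*(\d{1,5})\s*$")


def is_port_range(port: Any) -> bool:
    """True if the port spec is a real range (e.g. '20-1000'), False for a single port."""
    m = PORT_RANGE.match(str(port))  # YAML may yield an int for an unquoted single port
    if not m:
        return False
    low, high = int(m.group(1)), int(m.group(2))
    return low < high  # '22-22' covers one port and is not treated as a range


def find_port_range_rules(tasks: list[dict]) -> list[dict]:
    """One finding per port range found in an 'allowed' block of a gcp_compute_firewall task."""
    findings = []
    for task in tasks:
        for key, params in task.items():
            # Accept both the FQCN and the short module name.
            if not key.endswith("gcp_compute_firewall") or not isinstance(params, dict):
                continue
            for rule in params.get("allowed") or []:
                for port in rule.get("ports") or []:
                    if is_port_range(port):
                        findings.append({
                            "task": task.get("name", "<unnamed>"),
                            "firewall": params.get("name"),
                            "protocol": rule.get("ip_protocol"),
                            "ports": str(port),
                        })
    return findings


# Constructed sample tasks mirroring the positive and negative playbooks above.
SAMPLE_TASKS = [
    {"name": "create a firewall2",
     "google.cloud.gcp_compute_firewall": {
         "name": "test_object",
         "allowed": [{"ip_protocol": "tcp", "ports": ["20-1000"]}],
         "state": "present"}},
    {"name": "create a firewall",
     "google.cloud.gcp_compute_firewall": {
         "name": "test_object",
         "allowed": [{"ip_protocol": "tcp", "ports": ["22"]}],
         "state": "present"}},
    {"name": "create a network",
     "google.cloud.gcp_compute_network": {"name": "test_object", "state": "present"}},
]

if __name__ == "__main__":
    for f in find_port_range_rules(SAMPLE_TASKS):
        print(f"{f['task']}: {f['protocol']} {f['ports']} allows a port range")
```

Only the `create a firewall2` task is reported; the single-port `'22'` rule passes, as in the negative sample.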