Default Model SG Rules

Michael Nelson michael.nelson at canonical.com
Sun Jan 29 22:11:43 UTC 2017


On Sat, Jan 28, 2017 at 4:34 AM James Beedy <jamesbeedy at gmail.com> wrote:

> A default SG rule generated for every model allows 22 from 0.0.0.0/0, I'm
> guessing this is because we are trying to facilitate the use case for juju
> deployed on a public cloud, and instances being ssh accessed from the
> internet and not from behind VPN in the same address space.
>
> A functionality which would allow users who don't want ssh open to the
> world to close it, either completely, or limit to a private address space,
> would be very helpful (especially because Juju reverts any changes made to
> the SG,
>

I created a bug about that a while back:

https://bugs.launchpad.net/juju-core/+bug/1420996

As per the last change there, it was targeted for 2.1.0 until just recently.



> so I couldn't even lock down port 22 if I wanted to).
>
> Is it possible to introduce a model config param that we could use to tell
> juju where to allow ssh traffic from?
>

Again, an older bug, but I'd be keen to see that not just for 22/ssh, but
in general when exposing services:

https://bugs.launchpad.net/bugs/1401358

but that may not fit the new juju2 models since the bug was written.


>
> Quick fix: Introduce an 'ssh-allow' param that could be used to open and
> close port 22 on the SG generated for the model?
>
> Better fix: Introduce a config param 'ssh-access', where default value is
> 0.0.0.0/0, which could then be modified to an address space that fits the
> user's security needs.
>
> How do others feel about this?
>
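
An added example, not part of the original thread and not Juju code: a check that lists the sources a security group lets reach port 22 outside an allowed address space. It assumes rules in the shape of EC2's IpPermissions; the sample rules are constructed, and `ssh_access` is a hypothetical stand-in for the config value proposed above.

```python
import ipaddress

# Constructed sample rules in the shape of EC2 "IpPermissions" (not from the thread).
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "udp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]


def covers_ssh(rule, port=22):
    """True if the rule admits TCP traffic to `port` ("-1" means all protocols)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def within(source, allowed):
    """True if `source` lies entirely inside one of the allowed networks."""
    return any(source.version == net.version and source.subnet_of(net)
               for net in allowed)


def ssh_exposures(rules, ssh_access):
    """Return source CIDRs that reach port 22 but fall outside `ssh_access`
    (a hypothetical list of allowed CIDRs, modelling the proposed setting)."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in ssh_access]
    found = []
    for rule in rules:
        if not covers_ssh(rule):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not within(ipaddress.ip_network(cidr, strict=False), allowed):
                found.append(cidr)
    return found
```

Port ranges and all-protocol rules count as SSH exposure here, so a rule never written with port 22 in mind is still reported.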