From a699d6c39f31195cffb405fb705acf864c356d84 Mon Sep 17 00:00:00 2001 From: Darragh O'Reilly Date: Tue, 9 Jun 2020 09:58:17 +0100 Subject: [PATCH] provisioner: allow tftp access from admin network only (bsc#1019111) The tftp server is for hosts on the admin network only. But it can be accessed from outside if the admin network is routable. This patch adds an iptables rule to prevent access from outside the admin network. --- chef/cookbooks/provisioner/recipes/setup_base_images.rb | 3 ++- chef/cookbooks/provisioner/templates/default/tftp.service.erb | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/chef/cookbooks/provisioner/recipes/setup_base_images.rb b/chef/cookbooks/provisioner/recipes/setup_base_images.rb index bf654d8115..32fa180f15 100644 --- a/chef/cookbooks/provisioner/recipes/setup_base_images.rb +++ b/chef/cookbooks/provisioner/recipes/setup_base_images.rb @@ -299,7 +299,8 @@ owner "root" group "root" mode "0644" - variables(tftproot: tftproot, admin_ip: admin_ip) + variables(tftproot: tftproot, admin_ip: admin_ip, + admin_subnet: admin_net.subnet, admin_netmask: admin_net.netmask) end service "tftp.service" do diff --git a/chef/cookbooks/provisioner/templates/default/tftp.service.erb b/chef/cookbooks/provisioner/templates/default/tftp.service.erb index 0488b5ce96..d5fd8926f0 100644 --- a/chef/cookbooks/provisioner/templates/default/tftp.service.erb +++ b/chef/cookbooks/provisioner/templates/default/tftp.service.erb @@ -3,5 +3,7 @@ Description=Tftp Server [Service] Type=simple +ExecStartPre=/usr/sbin/iptables -A INPUT -d <%= @admin_ip %> ! -s <%= @admin_subnet %>/<%= @admin_netmask %> -p udp -m udp --dport 69 -j DROP ExecStart=/usr/sbin/in.tftpd -u tftp -s <%= @tftproot %> -m /etc/tftpd.conf -L -a <%= @admin_ip %> -B 1024 -v +ExecStopPost=/usr/sbin/iptables -D INPUT -d <%= @admin_ip %> ! -s <%= @admin_subnet %>/<%= @admin_netmask %> -p udp -m udp --dport 69 -j DROP Restart=on-failure
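Review bot: The two new template variables on the `+ variables(...)` lines carry no hint that they exist only to build a firewall rule, so the next person trimming this resource has no way to know the ERB depends on them. A short comment above the call would make the coupling explicit: `# admin_subnet/admin_netmask feed the iptables rule in tftp.service.erb that drops TFTP requests from outside the admin network`. The enclosing `template` resource starts outside the hunk, and `admin_net` itself is not visible here, so I am assuming it is the same network object `admin_ip` is derived from.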
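Review bot: The `ExecStartPre` line appends the DROP rule with `-A INPUT`, so if the INPUT chain already holds an earlier ACCEPT that matches TFTP traffic to the admin address (for instance a broad per-interface allow, which I cannot confirm from this hunk) the new rule is never reached and the restriction silently does nothing. Inserting at the head of the chain makes the check independent of whatever rules are already there: `ExecStartPre=/usr/sbin/iptables -I INPUT -d <%= @admin_ip %> ! -s <%= @admin_subnet %>/<%= @admin_netmask %> -p udp -m udp --dport 69 -j DROP`. The matching `ExecStopPost` delete should also be prefixed with `-` so that a rule that is already gone (after a flush by another tool, say) does not make the stop fail: `ExecStopPost=-/usr/sbin/iptables -D INPUT -d <%= @admin_ip %> ! -s <%= @admin_subnet %>/<%= @admin_netmask %> -p udp -m udp --dport 69 -j DROP`. The rule covers IPv4 only; if the admin network ever carries IPv6 an equivalent `ip6tables` line would be needed.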