From 5bc11891f514f70ee64e971b64b2ce33f8bccf95 Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Wed, 8 Jun 2022 18:15:38 +0200 Subject: [PATCH] Update internal docs with protocol usage --- docs/acls.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/acls.md b/docs/acls.md index 5ff5e43..d69ed8f 100644 --- a/docs/acls.md +++ b/docs/acls.md @@ -93,10 +93,11 @@ Here are the ACL's to implement the same permissions as above: ] }, - // admin have only access to administrative ports of the servers + // admin have only access to administrative ports of the servers, in tcp/22 { "action": "accept", "src": ["group:admin"], + "proto": "tcp", "dst": [ "tag:prod-databases:22", "tag:prod-app-servers:22", @@ -106,6 +107,20 @@ Here are the ACL's to implement the same permissions as above: ] }, + // we also allow admin to ping the servers + { + "action": "accept", + "src": ["group:admin"], + "proto": "icmp", + "dst": [ + "tag:prod-databases:*", + "tag:prod-app-servers:*", + "tag:internal:*", + "tag:dev-databases:*", + "tag:dev-app-servers:*" + ] + }, + // developers have access to databases servers and application servers on all ports // they can only view the applications servers in prod and have no access to databases servers in production { @@ -128,11 +143,12 @@ Here are the ACL's to implement the same permissions as above: "dst": ["10.20.0.0/16:443,5432", "router.internal:0"] }, - // servers should be able to talk to database. Database should not be able to initiate connections to + // servers should be able to talk to database in tcp/5432. Database should not be able to initiate connections to // applications servers { "action": "accept", "src": ["tag:dev-app-servers"], + "proto": "tcp", "dst": ["tag:dev-databases:5432"] }, {