Restrict SNMP to internal network

Add a parameter, SnmpdIpSubnet, which can be an IP/MASK that will be used to secure with IPtables the source network authorized to reach SNMP service on the host. If SnmpdIpSubnet is left empty (default) the parameter will be set to SnmpdNetwork. Also change the IPtables id, 127 was used by Horizon, so let's switch SNMP to 124. No impact on users. Change-Id: I46fce28926cb5a881f7384948480266712ae75e3 Closes-Bug: #1749324
2018-02-14 08:35:10 -08:00 · 2018-02-14 08:35:10 -08:00 · 43155ed146
commit 43155ed146
parent 7b8e0b7d72
3 changed files with 26 additions and 1 deletions
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@ -65,6 +65,7 @@ parameters:
      RedisNetwork: internal_api
      GaneshaNetwork: storage_nfs
      MysqlNetwork: internal_api
+      SnmpdNetwork: internal_api
      CephClusterNetwork: storage_mgmt
      CephMonNetwork: storage
      CephRgwNetwork: storage
--- a/puppet/services/snmp.yaml
+++ b/puppet/services/snmp.yaml
@ -48,6 +48,13 @@ parameters:
    description: A string containing the commandline options passed to snmpd
    type: string
    default: '-LS0-5d'
+  SnmpdIpSubnet:
+    default: ''
+    description: IP address/subnet on the snmpd network. If empty (default), SnmpdNetwork
+                 will be taken.
+    type: string
+conditions:
+  snmpd_network_unset: {equals : [{get_param: SnmpdIpSubnet}, '']}

 outputs:
  role_data:
@ -59,10 +66,20 @@ outputs:
        tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
        snmp::agentaddress: {get_param: SnmpdBindHost}
        snmp::snmpd_options: {get_param: SnmpdOptions}
+        snmpd_network:
+          str_replace:
+            template: "NETWORK_subnet"
+            params:
+              NETWORK: {get_param: [ServiceNetMap, SnmpdNetwork]}
        tripleo.snmp.firewall_rules:
-          '127 snmp':
+          '124 snmp':
            dport: 161
            proto: 'udp'
+            source:
+              if:
+              - snmpd_network_unset
+              - "%{hiera('snmpd_network')}"
+              - {get_param: SnmpdIpSubnet}
      step_config: |
        include ::tripleo::profile::base::snmp
      upgrade_tasks:
--- a/releasenotes/notes/snmp_firewall-ab17f60ba1ec71d2.yaml
+++ b/releasenotes/notes/snmp_firewall-ab17f60ba1ec71d2.yaml
@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Change the IPtables rule for SNMP service and open 161 udp port on
+    SnmpdIpSubnet parameter instead of 0.0.0.0/0.
+    If SnmpdIpSubnet is left empty, SnmpdNetwork will be used.
+