UNPKG

raindancers-network

Version:

Extensions to the ec2.Vpc Constructs

github.com/raindancers/raindancers-network.raindancers-cdk

raindancers/raindancers-network.raindancers-cdk

102 lines (87 loc) 3.24 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
import * as cdk from 'aws-cdk-lib'; import { Construct } from 'constructs'; // import * as sqs from 'aws-cdk-lib/aws-sqs'; import * as network from '../../kapua-network'; export class FwconstructtestStack extends cdk.Stack { constructor(scope: Construct, id: string, props?: cdk.StackProps) { super(scope, id, props); const fwrulesDatabase = new network.StatefulRuleDatabase(this, 'firewallrulesdb'); const policy = new network.FirewallPolicy(this, 'firewallpolicy', { policyName: 'testpolicy', statelessDefaultActions: [network.StatelessActions.DROP], statelessFragmentDefaultActions: [network.StatelessActions.DROP], }); const httpsAllowed = new network.StatelessRule({ actions: [network.StatelessActions.STATEFUL], priority: 100, destinationPorts: ['443'], destinations: [{ addressDefinition: '0.0.0.0/0' }], // this needs to be much better! protocols: [network.Protocol.TCP], sources: [{ addressDefinition: '10.16.0.0/14' }], }); const icmpAllowed = new network.StatelessRule({ actions: [network.StatelessActions.PASS], priority: 200, destinations: [{ addressDefinition: '0.0.0.0/0' }], // this needs to be much better! protocols: [network.Protocol.ICMP], sources: [{ addressDefinition: '10.16.0.0/14' }], }); policy.addStatelessRuleGroup({ groupName: 'PassToStateful', description: 'Standard Ports and Protocols which are allow to pass', rules: [ httpsAllowed.statelessRuleProperty, icmpAllowed.statelessRuleProperty, ], }); policy.addManagedStatefulRules({ awsManagedRules: [ network.ManagedAwsFirewallRules.ABUSED_LEGIT_BOTNET_COMMAND_AND_CONTROL_DOMAINS_ACTION_ORDER, network.ManagedAwsFirewallRules.BOTNET_COMMAND_AND_CONTROL_DOMAINS_ACTION_ORDER, ], }); const evilcomhttp = new network.FQDNStatefulRule(this, 'evilcomhttp', { action: network.StatefulAction.PASS, protocol: network.FWProtocol.HTTP, source: { addressSet: '10.10.10.0/24', }, destination: { addressSet: '0.0.0.0/0', }, srcPort: { portSet: 'any' }, // this is a bit silly destPort: { portSet: 'any' }, // this is a bit silly direction: network.Direction.OUTBOUND, fqdn: 'evil.com', rulesDatabase: fwrulesDatabase, }); const evilcomtls = new network.FQDNStatefulRule(this, 'evilcomhttps', { action: network.StatefulAction.PASS, protocol: network.FWProtocol.TLS, source: { addressSet: '10.10.10.0/24', }, destination: { addressSet: '0.0.0.0/0', }, srcPort: { portSet: 'any' }, destPort: { portSet: 'any' }, direction: network.Direction.OUTBOUND, fqdn: 'evil.com', rulesDatabase: fwrulesDatabase, }); new network.SuricataRuleGroup(this, 'mytestrules', { ruleGroupName: 'testrules', rulesDatabase: fwrulesDatabase, capacity: 1000, description: 'testing the suricata rules', suricataRules: [ evilcomhttp, evilcomtls, ], }); } } const app = new cdk.App(); new FwconstructtestStack(app, 'Teststack', {}); app.synth();