Skip to content

The firewall has an outbound rule with open access

Default Severity: critical

Explanation

Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

Possible Impact

The port is exposed for ingress from the internet

Suggested Resolution

Set a more restrictive cidr range

Insecure Example

The following example will fail the digitalocean-compute-no-public-egress check.

 resource "digitalocean_firewall" "bad_example" {
    name = "only-22-80-and-443"

    droplet_ids = [digitalocean_droplet.web.id]

    outbound_rule {
      protocol         = "tcp"
      port_range       = "22"
      destination_addresses = ["0.0.0.0/0", "::/0"]
    }
 }

Secure Example

The following example will pass the digitalocean-compute-no-public-egress check.

 resource "digitalocean_firewall" "good_example" {
    name = "only-22-80-and-443"

    droplet_ids = [digitalocean_droplet.web.id]

    outbound_rule {
      protocol         = "tcp"
      port_range       = "22"
      destination_addresses = ["192.168.1.0/24", "fc00::/7"]
    }
 }