This repository has been archived on 2025-03-20. You can view files and clone it, but cannot push or open issues or pull requests.
sonic-buildimage/files/image_config
Joe LeVeque 3ee9c5d1e3 [caclmgrd] Add some default ACCEPT rules and lastly drop all incoming packets (#4412)
Modified caclmgrd behavior to enhance control plane security as follows:

Upon starting or receiving notification of ACL table/rule changes in Config DB:
1. Add iptables/ip6tables commands to allow all incoming packets from established TCP sessions or new TCP sessions which are related to established TCP sessions
2. Add iptables/ip6tables commands to allow bidirectional ICMPv4 ping and traceroute
3. Add iptables/ip6tables commands to allow bidirectional ICMPv6 ping and traceroute
4. Add iptables/ip6tables commands to allow all incoming Neighbor Discovery Protocol (NDP) NS/NA/RS/RA messages
5. Add iptables/ip6tables commands to allow all incoming IPv4 DHCP packets
6. Add iptables/ip6tables commands to allow all incoming IPv6 DHCP packets
7. Add iptables/ip6tables commands to allow all incoming BGP traffic
8. Add iptables/ip6tables commands for all ACL rules for recognized services (currently SSH, SNMP, NTP)
9. For all services for which we did not find configured ACL rules, add iptables/ip6tables commands to allow all incoming packets for those services (allows the device to accept SSH connections before the device is configured)
10. Add iptables rules to drop all packets destined for loopback interface IP addresses
11. Add iptables rules to drop all packets destined for management interface IP addresses
12. Add iptables rules to drop all packets destined for point-to-point interface IP addresses
13. Add iptables rules to drop all packets destined for our VLAN interface gateway IP addresses
14. Add iptables/ip6tables commands to allow all incoming packets with TTL of 0 or 1 (this allows the device to respond to tools like tcptraceroute)
15. If we found control plane ACLs in the configuration and applied them, we lastly add iptables/ip6tables commands to drop all other incoming packets
2020-06-09 04:21:27 +00:00
apt [baseimage]: Download picocom version 3.1-2 from stretch-backports; No longer build from source (#1946) 2018-08-17 17:38:20 -07:00
asn [BGPD]: add bgp dynamic neighbor configuration (#708) 2017-06-21 18:52:50 -07:00
bash [baseimage]: Increase TMOUT for serial port connections to 15 minutes (#3032) 2019-06-19 19:07:36 +00:00
caclmgrd [caclmgrd] Add some default ACCEPT rules and lastly drop all incoming packets (#4412) 2020-06-09 04:21:27 +00:00
corefile_uploader corefile uploader: Updates per review comments offline (#3915) 2020-01-06 21:03:40 +00:00
cron.d [core_cleanup] Fix issue where core_cleanup job runs too frequently (#3659) 2019-10-24 17:04:16 +00:00
ebtables [ebtables] install ebtables in base image and install filter rules 2019-05-06 22:13:03 +00:00
environment [image]: Update login message (#706) 2017-06-14 15:18:02 -07:00
hostcfgd [hostcfgd] avoid in place editing config file contents (#3904) 2019-12-14 03:27:39 +00:00
hostname [hostname-config] improve hostname-config process (#3676) 2019-10-29 15:42:23 +00:00
interfaces [201811] [interfaces-config.sh] Flush the loopback interface addresses (#4234) 2020-03-09 16:14:59 -07:00
logrotate [logrotate] Enhance robustness (#2942) 2019-05-29 00:53:13 +00:00
monit [Monit] Delay start of monitoring for 5 minutes (#4281) 2020-03-19 22:49:04 +00:00
ntp [ntp] enable/disable NTP long jump according to reboot type (#4582) 2020-05-12 12:23:47 -07:00
platform [aboot]: preserve snmp.yml and acl.json for eos to sonic fast reboot (#3716) 2019-11-07 21:40:20 +00:00
process-reboot-cause [process-reboot-cause] If software reboot cause is unknown add note if first boot into new image (#4538) 2020-05-08 20:37:22 +00:00
rsyslog [rsyslog] Suppress duplicate messages from base image and all Docker containers (#2497) 2020-04-02 21:42:01 +00:00
snmp Remove extra trailing newlines at EOF (#804) 2017-07-12 20:54:37 -07:00
sudoers [sudoers] Add /usr/bin/teamshow to READ_ONLY_CMDS (#2846) 2019-05-01 15:51:13 +00:00
systemd [services] Restart SwSS service upon unexpected critical process exit (#2845) (#2852) 2019-07-29 18:10:26 -07:00
updategraph [pfcwd]: Do not start pfc watchdog on Management Tor (#3719) 2019-11-07 21:41:32 +00:00
warmboot-finalizer [control plane assistant] stop control plane assistant after warm reboot (#3337) 2019-08-15 20:28:42 +00:00
watchdog-control Correct the watch-control service to call the right script (#3906) 2019-12-14 09:42:36 -08:00