You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
52 lines
1.4 KiB
Bash
52 lines
1.4 KiB
Bash
4 years ago
|
#!/usr/bin/env bash
|
||
|
# vim:ts=4:sts=4:sw=4:et
|
||
|
#
|
||
|
# Author: Hari Sekhon
|
||
|
# Date: 2021-02-05 14:48:56 +0000 (Fri, 05 Feb 2021)
|
||
|
#
|
||
|
# https://github.com/HariSekhon/bash-tools
|
||
|
#
|
||
|
# License: see accompanying Hari Sekhon LICENSE file
|
||
|
#
|
||
|
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
|
||
|
#
|
||
|
# https://www.linkedin.com/in/HariSekhon
|
||
|
#
|
||
|
|
||
|
set -euo pipefail
|
||
|
[ -n "${DEBUG:-}" ] && set -x
|
||
|
srcdir="$(dirname "${BASH_SOURCE[0]}")"
|
||
|
|
||
|
# shellcheck disable=SC1090
|
||
|
. "$srcdir/lib/utils.sh"
|
||
|
|
||
|
# shellcheck disable=SC2034,SC2154
|
||
|
usage_description="
|
||
|
Lists all risky GCP Firewall rules enabled in the current project that are open with source range 0.0.0.0/0 (whole internet can pass through)
|
||
|
|
||
|
Such rules should be rare, eg:
|
||
|
|
||
|
- your public website (and even then only if not using full Cloudflare Proxied protection)
|
||
|
|
||
|
- GKE ingress generated GCP firewall rules (too open by default)
|
||
|
- to lock them down see my adjacent Kubernetes-templates repo's service.yaml:
|
||
|
|
||
|
https://github.com/HariSekhon/Kubernetes-templates/blob/master/service.yaml
|
||
|
"
|
||
|
|
||
|
# used by usage() in lib/utils.sh
|
||
|
# shellcheck disable=SC2034
|
||
|
usage_args="<project_id>"
|
||
|
|
||
|
help_usage "$@"
|
||
|
|
||
|
max_args 1 "$@"
|
||
|
|
||
|
opts=()
|
||
|
if [ -n "${1:-}" ]; then
|
||
|
opts+=(--project "$1")
|
||
|
fi
|
||
|
|
||
|
gcloud compute firewall-rules list --format='table[no-heading](name,source_ranges)' --filter='disabled=false' "${opts[@]}" |
|
||
|
{ grep "'0.0.0.0/0'" || : ; }
|