Add firewall rule to block access to metadata server

ComputeCanada · Dec 17, 2024 · 1c70863 · 1c70863
1 parent ae05b97
commit 1c70863
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/site/profile/manifests/firewall.pp b/site/profile/manifests/firewall.pp
@@ -4,4 +4,11 @@
     out_all        => true,
     noflush_tables => ['inet-f2b-table'],
   }
+
+  # Do not let user get access to cloud-init metadata server as it could
+  # include sensitive information.
+  nftables::rule { 'default_out-drop_metadata':
+    content => 'ip daddr 169.254.169.254 skuid != 0 drop comment "Drop metadata server"',
+    order   => '89',
+  }
 }