From 1c7086321851cfc1351b43a44ba72d86818882da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?=
Date: Tue, 17 Dec 2024 12:24:15 -0500
Subject: [PATCH] Add firewall rule to block access to metadata server

---
 site/profile/manifests/firewall.pp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/site/profile/manifests/firewall.pp b/site/profile/manifests/firewall.pp
index e381d67bc..b91b9275e 100644
--- a/site/profile/manifests/firewall.pp
+++ b/site/profile/manifests/firewall.pp
@@ -4,4 +4,11 @@
     out_all => true,
     noflush_tables => ['inet-f2b-table'],
   }
+
+  # Do not let user get access to cloud-init metadata server as it could
+  # include sensitive information.
+  nftables::rule { 'default_out-drop_metadata':
+    content => 'ip daddr 169.254.169.254 skuid != 0 drop comment "Drop metadata server"',
+    order => '89',
+  }
 }
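Review bot: The new `default_out-drop_metadata` rule silently drops the packets, so a non-root process that reaches for 169.254.169.254 hangs until its TCP timeout instead of failing immediately, and nothing is recorded that the attempt happened; since the stated goal is to keep users away from sensitive data, rejecting and logging is both friendlier to diagnose and gives the operator a detection signal: `content => 'ip daddr 169.254.169.254 skuid != 0 log prefix "metadata-blocked " reject with icmp type admin-prohibited comment "Drop metadata server"',`. The match is IPv4-only (`ip daddr`); if any target cloud also serves metadata over IPv6 (OpenStack's fe80::a9fe:a9fe, AWS's fd00:ec2::254), a companion `ip6 daddr` rule with the same `skuid` condition is needed, otherwise the block is bypassed. `skuid != 0` exempts every root-owned process, not just cloud-init — that is presumably intended so cloud-init keeps working, but it is worth stating in the comment, e.g. `# root is exempted so cloud-init (which runs as root) can still query the server`. The enclosing class `profile::firewall` begins before the hunk, so the chain this `order => '89'` sorts into is not visible here.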