submitted 1 year ago by nap6@lemmy.world to c/devops@programming.dev

Hoping you folks might be able to point me to the right things to Google.

Our project has developed a very "business-led" (to put it politely) requirement to monitor and allow/block outgoing connections to other parts of the business. We live in a dedicated AWS account and have reasonable autonomy over our networking setup (NACLs, route tables, etc.), but less freedom with what AWS services we can use, and with deploying things from Marketplace.

The basic requirements are as follows:

  • Default blocking for certain CIDRs.
  • Exceptions for certain IP/Host and port combos within those CIDRs.
  • Authentication and authorisation to use said exceptions (i.e. user tracking).
  • Detailed logging on connections: source, dest, request and response sizes, ports, protocols, whatever we can get our hands on.
  • All of the above for all (?) kinds of TCP connections (HTTPS, Postgres, Oracle DB, MongoDB, as examples).

The security aspect of this is fairly minimal as it's mainly for usage tracking and making sure our users sign their life away before they access their services from our platform. As such, I was hoping to have something that could be rolled out fairly simply; a couple of EC2 instances, yum install foo, and some routing rules, but it looks like the feature set we want requires something more robust, like OPNsense or similar.

Am I missing an obvious solution here, a forward proxy of some sort, any "light" firewalls that don't require a whole separate AMI?

Thanks in advance!
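The requirements list above maps onto a small policy model, shown here as an added example that is not from the post or from any particular product (OPNsense, a forward proxy or otherwise): a default-deny list of CIDRs, per-host/port exemptions inside those CIDRs that only named users may use, and one structured log record per connection with the fields the post asks for. Whatever enforces it (proxy, host firewall, appliance) would call `evaluate` with the observed flow; the CIDRs, hosts, ports, users and connections below are constructed sample data, and the hostname is assumed to be whatever the enforcement point resolved or saw (e.g. SNI), which is an assumption of this example.

```python
import ipaddress
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Exemption:
    """Allow rule inside an otherwise-blocked CIDR: one host (IP or name),
    one port, and the set of users authorised to use it."""
    host: str
    port: int
    allowed_users: frozenset


class EgressPolicy:
    """Default-deny for the listed CIDRs, with per-host/port exemptions
    that are only usable by authorised users."""

    def __init__(self, blocked_cidrs, exemptions):
        self.blocked_cidrs = [ipaddress.ip_network(c) for c in blocked_cidrs]
        self.exemptions = list(exemptions)

    def in_blocked_range(self, dest_ip):
        addr = ipaddress.ip_address(dest_ip)
        return any(addr in net for net in self.blocked_cidrs)

    def evaluate(self, user, dest_ip, dest_port, dest_host=None):
        """Return (decision, reason). Destinations outside the blocked CIDRs
        pass untouched; inside them, only an exemption matching the IP or
        hostname AND the port AND naming the user allows the flow."""
        if not self.in_blocked_range(dest_ip):
            return "allow", "destination outside monitored CIDRs"
        for ex in self.exemptions:
            if ex.port != dest_port or ex.host not in (dest_ip, dest_host):
                continue
            if user in ex.allowed_users:
                return "allow", f"exemption {ex.host}:{ex.port} authorised for {user}"
            return "deny", f"exemption {ex.host}:{ex.port} exists but {user} is not authorised"
        return "deny", "default block for monitored CIDR"


def connection_record(policy, *, user, src_ip, src_port, dest_ip, dest_port,
                      protocol, bytes_out, bytes_in, dest_host=None):
    """Evaluate one observed connection and build the structured log record:
    who, from where, to where, port/protocol, sizes, and the policy decision."""
    decision, reason = policy.evaluate(user, dest_ip, dest_port, dest_host)
    return {
        "user": user,
        "src": f"{src_ip}:{src_port}",
        "dst": f"{dest_ip}:{dest_port}",
        "dst_host": dest_host,
        "protocol": protocol,
        "bytes_out": bytes_out,
        "bytes_in": bytes_in,
        "decision": decision,
        "reason": reason,
    }


def log_line(record):
    """One JSON object per line; ships cleanly to CloudWatch Logs or a SIEM."""
    return json.dumps(record, sort_keys=True)


# Constructed sample policy (assumed values): 10.20.0.0/16 is blocked by default,
# with two exemptions. Hosts, ports and users are made up for this example.
SAMPLE_POLICY = EgressPolicy(
    blocked_cidrs=["10.20.0.0/16"],
    exemptions=[
        Exemption("10.20.5.10", 5432, frozenset({"alice"})),
        Exemption("oracle.corp.example", 1521, frozenset({"alice", "bob"})),
    ],
)

# Constructed sample connections, as a proxy or flow collector might report them.
SAMPLE_CONNECTIONS = [
    dict(user="alice", src_ip="172.31.0.5", src_port=51000, dest_ip="10.20.5.10",
         dest_port=5432, protocol="postgres", bytes_out=1200, bytes_in=48000),
    dict(user="bob", src_ip="172.31.0.6", src_port=51001, dest_ip="10.20.5.10",
         dest_port=5432, protocol="postgres", bytes_out=300, bytes_in=0),
    dict(user="bob", src_ip="172.31.0.6", src_port=51002, dest_ip="10.20.9.9",
         dest_port=1521, protocol="oracle", bytes_out=900, bytes_in=7000,
         dest_host="oracle.corp.example"),
    dict(user="carol", src_ip="172.31.0.7", src_port=51003, dest_ip="10.20.7.7",
         dest_port=443, protocol="https", bytes_out=500, bytes_in=0),
    dict(user="carol", src_ip="172.31.0.7", src_port=51004, dest_ip="203.0.113.8",
         dest_port=443, protocol="https", bytes_out=800, bytes_in=22000),
]


def evaluate_all(policy=SAMPLE_POLICY, connections=SAMPLE_CONNECTIONS):
    """Return the log records for every sample connection."""
    return [connection_record(policy, **c) for c in connections]


if __name__ == "__main__":
    for rec in evaluate_all():
        print(log_line(rec))
```

The point of the model is that "exception exists" and "user may use it" are separate checks, so the log distinguishes an unauthorised user hitting a known exemption from a plain default block; that distinction is what makes the usage-tracking and sign-off requirement auditable rather than just a deny counter.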

nap6@lemmy.world 2 points 1 year ago

I don't think anyone is forcing anything on anyone? It just sounds like people like you and others in this thread want a more curated instance WRT federation, which I don't think lemmy.world was designed to be (though I'm absolutely keen to be corrected if I've missed something in their policies).

That's the freedom of this platform, right? Being able to move around to communities that better suit the individual 🤷‍♂️ Not trying to flame an argument, my friend, just sounds like there's a more obvious answer.

nap6@lemmy.world 1 point 1 year ago

I feel like this is entirely against Lemmy.world's ethos of "a general-purpose Lemmy instance of various topics, for the entire world to use" (emphasis mine). I for one joined this instance exactly because they didn't have a ban-happy federation policy like some of the other big ones. I understand people's concerns, but if you want a "fuck corporations" walled garden instance, I feel like there are better homes for you somewhere else...
