From 01fda5d7283cfdf9e3ed71766d223e75fe11e018 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 14 Jan 2025 18:10:53 +0000
Subject: [PATCH] use tls rules to make an allow list

---
 .../account/network_firewall_rules.rules | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/terraform/account/network_firewall_rules.rules b/terraform/account/network_firewall_rules.rules
index eaa4ebe37d..11f5144c80 100644
--- a/terraform/account/network_firewall_rules.rules
+++ b/terraform/account/network_firewall_rules.rules
@@ -1,11 +1,11 @@
-alert tcp any any -> any any (msg:"Routing is symmetric. You can safely remove this test rule."; flow:established; sid:1;)
-pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".amazon.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:2; rev:1;)
-pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"api.notifications.service.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:3; rev:1;)
-pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"api.os.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:4; rev:1;)
-pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"current.cvd.clamav.net"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:5; rev:1;)
-pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"database.clamav.net"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:6; rev:1;)
-pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"development.lpa-uid.api.opg.service.justice.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:7; rev:1;)
-pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"integration.lpa-uid.api.opg.service.justice.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:8; rev:1;)
-pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"oidc.integration.account.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:9; rev:1;)
-pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"publicapi.payments.service.gov.uk"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:10; rev:1;)
-drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"Drop HTTP traffic"; priority:1; sid:102123; rev:1;)
+alert tcp any any -> any any (msg:"Routing is symmetric. You can safely remove this test rule."; flow:established; sid:10;)
+pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; dotprefix; content:".amazon.com"; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:20; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"api.notifications.service.gov.uk"; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:30; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"api.os.uk"; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:40; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"current.cvd.clamav.net"; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:50; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"database.clamav.net"; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:60; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"development.lpa-uid.api.opg.service.justice.gov.uk"; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:70; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"integration.lpa-uid.api.opg.service.justice.gov.uk"; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:80; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"oidc.integration.account.gov.uk"; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:90; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"publicapi.payments.service.gov.uk"; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:100; rev:1;)
+drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; priority:1; ssl_state:client_hello; flow:to_server, established; sid:110; rev:1;)
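Review bot: The new side removes the catch-all `drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"Drop HTTP traffic"; ...)` (old sid 102123) without a replacement, so this file no longer drops plaintext HTTP egress at all and only TLS flows are allow-listed; whether HTTP is now blocked depends on the policy's stateful default action, which is not visible in this hunk. If HTTP egress should stay blocked, keep a final `drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"Drop HTTP traffic"; priority:1; flow:to_server, established; sid:120; rev:1;)` (sid constructed to continue the new numbering). The `tls.sni` value the pass rules match is asserted by the client in the ClientHello, so this allow list controls which server names are claimed rather than which destinations are reached; if that distinction matters here, pair it with destination-based controls or the firewall's TLS inspection. The final drop is scoped by `ssl_state:client_hello`, so flows the engine does not classify as TLS with a visible ClientHello fall through to the policy default action rather than to sid 110. The `alert tcp any any -> any any` test rule (now sid 10) is still present and, as its own message says, can be removed once symmetric routing has been confirmed.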