Some security policies require that ICMP is disabled. ICMP enables tools such as
Here we demonstrate how to achieve this by recruiting Juju’s hook-tools.
Background knowledge: Introducing juju run
Juju has the ability to execute commands on your behalf via juju run. They can be run in the context of a machine, an application or a unit.
For example, to retrieve the hostname for each of your model's machines, we can run hostname on each of them:
juju run --all -- hostname
On a model with 4 machines, Juju generates the following YAML-formatted output:
- MachineId: "0"
  Stdout: |
    juju-0c2f53-0
- MachineId: "1"
  Stdout: |
    juju-0c2f53-1
- MachineId: "2"
  Stdout: |
    juju-0c2f53-2
- MachineId: "3"
  Stdout: |
    juju-0c2f53-3
List units of the model
For our purposes we want to run in the context of a unit rather than a machine. With some bash we can retrieve a list of units from Juju:
juju status --format=short | cut -d' ' -f2 | cut -d':' -f1 -s
For my model, here is the output (one unit per line):
pg-a/0
pg-b/0
pg-b/1
wordpress/0
Make use of the close-port hook tool
The close-port hook tool is used to declare that ports on a unit's machine should be closed. Juju's firewaller worker watches for these declarations and changes firewall rules or security groups according to the particular cloud provider implementation.
Let's start by executing the close-port command for a single unit:
juju run --unit=pg-a/0 -- close-port icmp
This executes silently when it’s successful.
We can combine the output from the unit-listing command above to close the icmp protocol across all of our units:
juju status --format=short \
  | cut -d' ' -f2 \
  | cut -d':' -f1 -s \
  | xargs -I@ juju run --unit @ close-port icmp
Next, use juju machines to get the public IP addresses of the machines in your model:
Your output might look similar to this:
Machine  State    DNS             Inst id        Series  AZ  Message
0        started  10.129.244.130  juju-0c2f53-0  trusty      Running
1        started  10.129.244.235  juju-0c2f53-1  bionic      Running
2        started  10.129.244.32   juju-0c2f53-2  bionic      Running
3        started  10.129.244.44   juju-0c2f53-3  bionic      Running
Now try pinging one of those machines:
ping -w 20 10.129.244.130
The command should eventually time out after 20 seconds with output like this:
PING 10.129.224.130 (10.129.224.130) 56(84) bytes of data.

--- 10.129.224.130 ping statistics ---
20 packets transmitted, 0 received, 100% packet loss, time 543ms
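The three steps above (list the units, run close-port icmp on each, then confirm with ping) as one reusable script. This is an added example, not code from the original post; the juju status lines in SAMPLE_STATUS are constructed so the parsing can be exercised offline, and the JUJU variable is an assumption of this script (set it to "echo juju" to print the commands instead of running them).

```sh
#!/bin/sh
# Added example (not from the original post): parse `juju status --format=short`
# into unit names, close ICMP on each unit via the close-port hook tool, and
# check afterwards that a machine no longer answers echo requests.

# Constructed sample of `juju status --format=short` output; real lines have
# the shape "- app/N: <ip> (<machine>) <ports>".
SAMPLE_STATUS='- pg-a/0: 10.129.244.130 (0) 5432/tcp
- pg-b/0: 10.129.244.235 (1) 5432/tcp
- pg-b/1: 10.129.244.32 (2) 5432/tcp
- wordpress/0: 10.129.244.44 (3) 80/tcp'

# Reads status lines on stdin, prints one "app/N" per line.
# The -s on the second cut drops any line without a ':' so that stray
# non-unit lines never become bogus unit names.
units_from_short_status() {
  cut -d' ' -f2 | cut -d':' -f1 -s
}

# Reads unit names on stdin and declares icmp closed on each one.
# JUJU (assumed variable) defaults to the real juju binary.
close_icmp_on_units() {
  juju_cmd="${JUJU:-juju}"
  while IFS= read -r unit; do
    [ -n "$unit" ] || continue
    $juju_cmd run --unit "$unit" -- close-port icmp
  done
}

# Succeeds only when $1 answers none of the echo requests within $2 seconds
# (default 20). A reply means the firewaller has not applied the rule yet.
icmp_closed() {
  ! ping -c 3 -w "${2:-20}" "$1" >/dev/null 2>&1
}

# Typical use against a live model:
#   juju status --format=short | units_from_short_status | close_icmp_on_units
#   icmp_closed 10.129.244.130 && echo "ICMP blocked"
```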