
Fix/613 default network policy#630

Open
ionfwsrijan wants to merge 2 commits into utksh1:main from ionfwsrijan:fix/613-default-network-policy

Conversation

@ionfwsrijan
Contributor

Description

settings.network_allowlist defaults to [] (empty list). When the allowlist is empty, _init_default_policies() automatically adds 0.0.0.0/0 and ::/0 as "Default allow all" rules. This means every network connection from any scanner to any public internet host is permitted unless the operator explicitly sets SECUSCAN_NETWORK_ALLOWLIST. The deny-by-default security model is illusory.

Fix: remove the default allow-all rules. An empty allowlist now means deny-all egress. Operators must explicitly configure SECUSCAN_NETWORK_ALLOWLIST to permit outbound traffic.

Related Issues

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

How Has This Been Tested?

Verified that _init_default_policies no longer adds 0.0.0.0/0 or ::/0 when network_allowlist is empty. The denylist (RFC 1918, cloud metadata) continues to be applied as before.

Checklist

  • My code follows the code style of this project.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have made corresponding changes to the documentation.
  • My changes generate no new warnings.
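To make the before/after behaviour described above concrete, here is a small illustrative model of the policy initialisation and egress check. It is an added example, not SecuScan's own code: the class, function and parameter names are assumptions, and the denylist values are constructed from the RFC 1918 and cloud metadata ranges the description mentions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed denylist modelled on what the PR describes: RFC 1918 ranges
# plus the cloud metadata address. Applied regardless of the allowlist.
DEFAULT_DENYLIST = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.169.254/32",
]


@dataclass
class NetworkPolicy:
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)


def init_default_policies(allowlist, legacy_allow_all=False):
    """Build the egress policy from the operator allowlist (hypothetical API).

    legacy_allow_all=True reproduces the pre-fix behaviour: an empty
    allowlist is silently replaced by 0.0.0.0/0 and ::/0. The default
    (False) is the fixed behaviour: an empty allowlist stays empty.
    """
    allow = [ipaddress.ip_network(c) for c in allowlist]
    if not allow and legacy_allow_all:
        allow = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    deny = [ipaddress.ip_network(c) for c in DEFAULT_DENYLIST]
    return NetworkPolicy(allow=allow, deny=deny)


def egress_allowed(policy, host_ip):
    """Deny wins over allow; with an empty allowlist nothing is permitted."""
    ip = ipaddress.ip_address(host_ip)
    # ipaddress returns False for a v4 address tested against a v6 network.
    if any(ip in net for net in policy.deny):
        return False
    return any(ip in net for net in policy.allow)


def has_allow_all(policy):
    """Audit check: a default route in the allowlist means deny-by-default is illusory."""
    return any(net.prefixlen == 0 for net in policy.allow)


if __name__ == "__main__":
    # 203.0.113.10 is a constructed public (TEST-NET-3) address.
    legacy = init_default_policies([], legacy_allow_all=True)
    fixed = init_default_policies([])
    print("legacy empty allowlist reaches public host:", egress_allowed(legacy, "203.0.113.10"))
    print("fixed empty allowlist reaches public host:", egress_allowed(fixed, "203.0.113.10"))
    print("legacy policy flagged by audit:", has_allow_all(legacy))
```

Running it shows the legacy policy passing the public host and tripping the audit check, while the fixed policy denies it until an operator supplies an explicit CIDR.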

Previously, an empty SECUSCAN_NETWORK_ALLOWLIST caused
_init_default_policies() to automatically add 0.0.0.0/0 and ::/0 as
allow-all rules, making the network policy enforcement illusory.

Now, an empty allowlist means deny-all egress. Only explicitly listed
CIDRs in the allowlist are permitted. The denylist continues to block
RFC 1918 private addresses and cloud metadata IPs.

Fixes utksh1#613
ionfwsrijan force-pushed the fix/613-default-network-policy branch from dfb1167 to 0314185 on June 6, 2026 08:12
ionfwsrijan force-pushed the fix/613-default-network-policy branch from 0314185 to 8f73371 on June 6, 2026 08:31
@ionfwsrijan
Contributor Author

@utksh1 You may review and merge
