Skip to content

[REVIEW] firewall-review: add cloud implicit-rule and IPv6 evidence #220

Description

@mlodygbelmondo

Skill Being Reviewed

Skill name: firewall-review
Skill path: skills/network/firewall-review/

False Positive Analysis

Benign AWS security group that can be over-reported if a traditional explicit deny-all rule is required:

resource "aws_security_group" "api" {
  name   = "api-prod"
  vpc_id = aws_vpc.prod.id

  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["203.0.113.0/24"]
  }

  egress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["198.51.100.10/32"]
  }
}

Why this can be misleading:

The skill says every rule base must terminate with an explicit deny-all rule and lists absence of explicit default deny as Critical. That is a good model for ordered packet filters such as iptables, pf, Cisco ACLs, and many firewall policies, but AWS security groups are stateful allow lists and do not support explicit deny rules. A restrictive AWS security group can be safe even though it has no terminal deny line. The review should evaluate the platform's implicit behavior instead of applying a traditional first-match rule-base model to every firewall type.

The inverse can also happen in Azure and Google Cloud: a configuration can contain a deny-all default or implied ingress deny while earlier default/implicit rules still allow broad outbound internet or same-VNet traffic. A report that only records "default deny present" can overstate effective restriction.

Coverage Gaps

Missed variant 1: Azure NSG default rules are not evaluated as effective policy

NSG default rules:
  AllowVnetInBound
  AllowAzureLoadBalancerInBound
  DenyAllInBound
  AllowVnetOutBound
  AllowInternetOutBound
  DenyAllOutBound

Naive result:
  outbound default deny exists -> Pass

Effective result:
  internet outbound is allowed by a higher-priority default rule unless explicitly denied

Why it should be caught:

Azure NSGs contain default security rules with priorities. The existence of DenyAllOutBound does not prove outbound default deny if AllowInternetOutBound and AllowVnetOutBound remain effective. The report needs an effective-rule evaluation that includes platform default rules, priority, direction, and association scope.

Missed variant 2: GCP implied egress allow and IPv6 implied rules are not first-class evidence

GCP VPC:
  explicit firewall rules: none
  IPv4 implied ingress: deny 0.0.0.0/0
  IPv4 implied egress: allow 0.0.0.0/0
  IPv6 enabled: yes
  IPv6 implied ingress/egress rules: not reviewed

Why it should be caught:

Google Cloud VPC networks have implied allow egress and deny ingress rules, and IPv6-enabled networks have corresponding IPv6 implied rules. A source review that checks only explicit firewall resources can miss the effective allow-egress posture or fail to review ::/0 paths.

Missed variant 3: IPv4-only findings can miss dual-stack exposure

resource "aws_security_group" "web" {
  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["10.0.0.0/8"]
  }

  ingress {
    protocol         = "tcp"
    from_port        = 443
    to_port          = 443
    ipv6_cidr_blocks = ["::/0"]
  }
}

Why it should be caught:

The skill lists ignoring IPv6 as a pitfall, but the output format does not require an IPv4/IPv6 coverage matrix or a dual-stack effective exposure result. A rule can look restricted in IPv4 while permitting global IPv6 access.

Missed variant 4: cloud association scope can make a clean rule set non-enforcing

Reviewed:
  restrictive Azure NSG rules

Missing:
  NSG association to subnet or NIC
  NIC-level NSG that overrides/combines with subnet policy
  effective security rules export
  target resources actually attached to the NSG

Why it should be caught:

Cloud firewall policy is not only rule text. Security groups, NSGs, NACLs, hierarchical policies, and VPC firewall rules apply at different resource scopes. A restrictive rule set that is not associated with the intended resource should not be marked as passing, and a permissive inherited/default policy should not be missed.

Edge Cases

  • AWS security groups are stateful allow lists; network ACLs are stateless ordered rules. The report should not apply the same shadowing/default-deny model to both.
  • Azure evaluates NSG rules by priority and includes default rules; subnet and NIC associations both matter.
  • GCP VPC firewall rules have implied ingress/egress rules and can also be affected by hierarchical firewall policies.
  • IPv6 can be enabled later or through managed platform defaults; reports should record whether IPv6 is disabled, unsupported, or reviewed.
  • Hit counters and flow logs may be unavailable from IaC alone; unused-rule findings should include counter baseline time or flow-log evidence.

Remediation Quality

  • Fix resolves the vulnerability
  • Fix doesn't introduce new security issues
  • Fix doesn't break functionality
  • Issues found: Add platform-specific effective-policy evidence for AWS security groups/NACLs, Azure NSGs, and GCP VPC firewalls. Require implicit/default rules, priority/order, association scope, IPv4/IPv6 coverage, stateful/stateless semantics, and source-only confidence before marking default-deny, egress, shadowing, or exposure findings as pass/fail.

Comparison to Other Tools

Tool / Framework Catches this? Notes
AWS security group review Partial Shows allow-list egress/ingress and stateful behavior, but no explicit deny rules exist.
Azure effective security rules Yes Captures default rules, priority, subnet/NIC association, and effective allow/deny state.
GCP firewall policy review Partial Shows implied and hierarchical firewall behavior when the reviewer includes network-level and policy-level evidence.
Traditional firewall rule analyzers Partial Good for ordered rule bases and shadowing, but can mis-score cloud-native stateful/implicit models.
Flow logs / hit counters Partial Helps validate unused and effective traffic, but needs baseline timestamp and scope.

Overall Assessment

Strengths:

  • Strong traditional firewall audit workflow for default deny, any/any rules, shadowing, logging, egress filtering, and stale rules.
  • Good NIST SP 800-41 and CIS Controls v8 framing.
  • Useful pitfalls for cloud security groups, IPv6, hit counters, and AWS NACL versus security group differences.

Needs improvement:

  • The output format should require platform-specific effective-policy evidence, not only rule text.
  • Default-deny checks should distinguish explicit terminal deny, implicit deny, implied allow, and unsupported deny semantics.
  • Cloud rule evaluation should include default/implicit rules, inherited or hierarchical policies, priority/order, and resource association scope.
  • IPv4 and IPv6 exposure should be reported separately.
  • Source-only reviews should use Not Evaluable or lower confidence for unused-rule, hit-count, and effective-policy conclusions.

Priority recommendations:

  1. Add a Platform Effective Policy section with platform, firewall type, stateful/stateless, ordered?, explicit deny supported?, implicit/default rules, resource association, IPv4 reviewed, IPv6 reviewed, source of effective rules, and confidence.
  2. Split default-deny output into Explicit terminal deny, Implicit deny, Implied allow, and Unsupported by platform rather than a single Pass/Fail field.
  3. Add cloud-specific checks for AWS security group versus NACL semantics, Azure NSG default rules/effective security rules, and GCP implied and hierarchical firewall rules.
  4. Add an IPv4/IPv6 exposure matrix for inbound and outbound findings, including 0.0.0.0/0 and ::/0.
  5. Add Not Evaluable from IaC Only outcomes for unused-rule findings, resource association gaps, hit-counter claims, and cloud effective-policy state when runtime exports are missing.

References

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method: To be provided privately after acceptance.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions