diff --git a/docs/acls.md b/docs/acls.md
index 5ff5e433..d69ed8fb 100644
--- a/docs/acls.md
+++ b/docs/acls.md
@@ -93,10 +93,11 @@ Here are the ACL's to implement the same permissions as above:
 ]
 },
 
- // admin have only access to administrative ports of the servers
+ // admin have only access to administrative ports of the servers, in tcp/22
 {
 "action": "accept",
 "src": ["group:admin"],
+ "proto": "tcp",
 "dst": [
 "tag:prod-databases:22",
 "tag:prod-app-servers:22",
@@ -106,6 +107,20 @@ Here are the ACL's to implement the same permissions as above:
 ]
 },
 
+ // we also allow admin to ping the servers
+ {
+ "action": "accept",
+ "src": ["group:admin"],
+ "proto": "icmp",
+ "dst": [
+ "tag:prod-databases:*",
+ "tag:prod-app-servers:*",
+ "tag:internal:*",
+ "tag:dev-databases:*",
+ "tag:dev-app-servers:*"
+ ]
+ },
+
 // developers have access to databases servers and application servers on all ports
 // they can only view the applications servers in prod and have no access to databases servers in production
 {
@@ -128,11 +143,12 @@ Here are the ACL's to implement the same permissions as above:
 "dst": ["10.20.0.0/16:443,5432", "router.internal:0"]
 },
 
- // servers should be able to talk to database. Database should not be able to initiate connections to
+ // servers should be able to talk to database in tcp/5432. Database should not be able to initiate connections to
 // applications servers
 {
 "action": "accept",
 "src": ["tag:dev-app-servers"],
+ "proto": "tcp",
 "dst": ["tag:dev-databases:5432"]
 },
 {