I have created an AWS Network Firewall lab, but I found that my rules are not effective.
I want to allow the EC2 instance to access only ubuntu.com and github.com, via HTTPS and SSH only, and drop all other outbound connections.
Here are the rules. I can access any website, so it looks like rule #3 is not effective; also, I haven't tested SSH yet.
$EXTERNAL_NET: 0.0.0.0/0
$HOME_NET: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".ubuntu.com"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:1; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".github.com"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:2; flow:to_server, established; sid:2; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"this is a stateful drop rule"; sid:1234;)
Result: all web pages are accessible, so rule #3 (drop http) is not working.
If I change rule #3 from drop http to drop ip, no website is accessible, including the whitelisted domains ubuntu.com and github.com:
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".ubuntu.com"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:1; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".github.com"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:2; flow:to_server, established; sid:2; rev:1;)
drop ip $HOME_NET any -> $EXTERNAL_NET any (msg:"this is a stateful drop rule"; sid:1234;)
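Added illustration (not code from the question or from AWS/Suricata): a small Python model of how a Suricata-style stateful engine, as used by AWS Network Firewall, matches rules by application-layer protocol. It assumes the default "action order" evaluation (every pass rule is tried before any drop rule) and that a flow no rule matches is passed. The `http` and `tls` protocol keywords only match flows the engine has identified as that protocol, while `ip`/`tcp` match every flow; `dotprefix` prepends a dot to the Host/SNI buffer, and `startswith` plus `endswith` together make the content an exact match. The third rule set (`WITH_SNI`) is my addition: it allowlists the same names on TLS with the `tls.sni` keyword and then drops the rest of HTTP and TLS; the `tcp/22` rule is a placeholder, since SSH carries no hostname and would have to be matched on destination address in a real rule.

```python
"""Toy model of Suricata-style protocol-keyword matching and action-order
evaluation.  Constructed for illustration; it is not AWS Network Firewall
or Suricata code and models only the keywords used in the question."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Flow:
    app_proto: str            # protocol the engine detected: "http", "tls", "ssh"
    name: str = ""            # HTTP Host header or TLS SNI; SSH carries no name
    dst_port: int = 443


@dataclass
class Rule:
    action: str               # "pass" or "drop"
    proto: str                # rule protocol keyword: "http", "tls", "tcp", "ip"
    content: str = ""         # content matched after dotprefix, e.g. ".ubuntu.com"
    startswith: bool = False
    endswith: bool = False
    dst_port: Optional[int] = None   # None models "any"

    def matches(self, flow: Flow) -> bool:
        # "ip" and "tcp" match every flow; "http"/"tls" only match flows the
        # engine has identified as that application protocol.
        if self.proto not in ("ip", "tcp") and self.proto != flow.app_proto:
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        if not self.content:
            return True
        buf = "." + flow.name          # dotprefix: prepend a dot to the host/SNI buffer
        if self.content not in buf:
            return False
        if self.startswith and not buf.startswith(self.content):
            return False
        if self.endswith and not buf.endswith(self.content):
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow, default: str = "pass") -> str:
    """Action order: every pass rule is tried before any drop rule, and a flow
    that no rule matches gets the default verdict (assumed to be 'pass')."""
    for action in ("pass", "drop"):
        for rule in rules:
            if rule.action == action and rule.matches(flow):
                return action
    return default


def allow(proto: str, domain: str) -> Rule:
    """Model of: pass <proto> ... (<proto>.host/sni; dotprefix; content:"<domain>"; startswith; endswith;)"""
    return Rule("pass", proto, domain, startswith=True, endswith=True)


# Rule set 1: the question's first attempt (sid 1, 2 and 1234).
ORIGINAL = [allow("http", ".ubuntu.com"), allow("http", ".github.com"), Rule("drop", "http")]

# Rule set 2: the question's second attempt, drop ip instead of drop http.
DROP_IP = ORIGINAL[:2] + [Rule("drop", "ip")]

# Rule set 3 (added here): allowlist the same names on TLS via tls.sni, pass
# port 22 (placeholder: SSH has no hostname, so a real rule would be keyed on
# the destination address), then drop whatever HTTP and TLS is left.
WITH_SNI = [
    allow("http", ".ubuntu.com"), allow("http", ".github.com"),
    allow("tls", ".ubuntu.com"), allow("tls", ".github.com"),
    Rule("pass", "tcp", dst_port=22),
    Rule("drop", "http"), Rule("drop", "tls"),
]

if __name__ == "__main__":
    # Constructed sample flows: one plain-HTTP request and two HTTPS handshakes.
    flows = [Flow("http", "example.org", 80), Flow("tls", "ubuntu.com"), Flow("tls", "example.org")]
    for label, rules in (("drop http", ORIGINAL), ("drop ip", DROP_IP), ("with tls.sni", WITH_SNI)):
        for flow in flows:
            print(f"{label:13} {flow.app_proto:5} {flow.name:12} -> {evaluate(rules, flow)}")
```

Running the model reproduces both observations from the question: with `drop http`, an HTTPS flow to any site is never touched by an `http` rule and falls through to the default pass, while with `drop ip` the HTTPS flow to ubuntu.com is dropped because the only pass rules are `http` ones. Note also that `startswith` together with `endswith` matches only the apex name, so `www.ubuntu.com` is still dropped by the third rule set; dropping `startswith` would admit subdomains.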