receptor: firewalling control service

Hi list,

my receptor service on the execution nodes shows the following log lines from time to time:

WARNING 2022/10/12 15:49:35 Received unreachable message from hybrid01.example.com

Looking through receptor’s source code it looks like this message is caused because a message to the controller is firewalled by receptor itself. That’s reasonable because my receptor.conf on the hybrid node has the following:

I copied this from Red Hat's Automation Controller configuration. But now I'm asking why. Why should it be necessary (or good practice) to protect the control service from the execution nodes? Does anyone have an explanation?

Thanks
Stefan

great question

Hybrid nodes need to be able to access execution node control services (to do "work submit" commands, for example), but not vice versa. The firewall is in place for security reasons (imagine someone who only has ssh access to an execution node, but not the hybrid node. We don't want them to be able to DDoS or run arbitrary commands against the hybrid node).

The execution node won’t be targeting the control service at all, so this unreachable message is due to something else.

I have noticed these warning messages before. They seem to be mostly benign, but they do add noise to the receptor logs. I'd like to address this, so I opened this issue to track it: https://github.com/ansible/awx/issues/13067
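To tell "benign noise" from a node that is actually hammering the firewalled control service, it helps to count these warnings per sending node and look for bursts rather than eyeballing the log. The script below is an added example, not code from this thread or from the receptor/AWX projects. It assumes every receptor log line follows the layout of the one quoted above (`LEVEL YYYY/MM/DD HH:MM:SS message`); the sample log lines are constructed for illustration, and only `hybrid01.example.com` comes from the original post, the other node name is made up.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of receptor log output, modelled on the single WARNING
# line quoted in the post. hybrid02.example.com is a made-up second node.
SAMPLE_LOG = """\
INFO 2022/10/12 15:40:01 Running control service control
WARNING 2022/10/12 15:49:35 Received unreachable message from hybrid01.example.com
INFO 2022/10/12 15:50:02 Connection established with hybrid01.example.com
WARNING 2022/10/12 16:03:10 Received unreachable message from hybrid01.example.com
WARNING 2022/10/12 16:07:44 Received unreachable message from hybrid02.example.com
ERROR 2022/10/12 16:20:00 Read error: EOF
WARNING 2022/10/12 17:12:09 Received unreachable message from hybrid01.example.com
"""

# Assumed line layout: "<LEVEL> <YYYY/MM/DD HH:MM:SS> <message>", matching the
# quoted warning. Only "Received unreachable message from <node>" lines are kept.
UNREACHABLE_RE = re.compile(
    r"^(?P<level>[A-Z]+) (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Received unreachable message from (?P<node>\S+)$"
)


def parse_unreachable(log_text):
    """Return a list of (timestamp, sending_node) for every unreachable warning."""
    events = []
    for line in log_text.splitlines():
        m = UNREACHABLE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            events.append((ts, m.group("node")))
    return events


def summarize(events):
    """Count unreachable warnings per node, overall and bucketed by hour."""
    per_node = Counter(node for _, node in events)
    per_hour = defaultdict(Counter)
    for ts, node in events:
        per_hour[ts.strftime("%Y-%m-%d %H:00")][node] += 1
    return {
        "per_node": dict(per_node),
        "per_hour": {hour: dict(c) for hour, c in sorted(per_hour.items())},
    }


def max_burst(events, window_seconds=60):
    """Largest number of warnings from any single node inside a sliding window.

    A handful spread over hours is the noise discussed in the thread; a large
    burst from one node is the pattern worth investigating.
    """
    by_node = defaultdict(list)
    for ts, node in events:
        by_node[node].append(ts)
    worst = {}
    for node, times in by_node.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        worst[node] = best
    return worst


if __name__ == "__main__":
    evs = parse_unreachable(SAMPLE_LOG)
    print(summarize(evs))
    print("max per node within 1h:", max_burst(evs, window_seconds=3600))
```

Feed it the real log with `parse_unreachable(open("/var/log/receptor/receptor.log").read())` (path is an assumption; use wherever your receptor service logs) and raise the window to match your job cadence; a node that shows up only once or twice an hour is the benign case described above.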