[FIX] doc/deploy: add recommendations for firewall rules

In some situations it is important to protect the Odoo service from direct access from the internet, or to protect internal network resources from the Odoo server itself. This is heavily dependent on deployment requirements, and for standard installations on a public cloud system, this may not be necessary. Yet it seems useful to mention it in the deployment recommendations, as it may not be obvious to our users. Our thanks to Ameya Darshan for raising this concern! closes odoo/odoo#50422 X-original-commit: da0d9ef4 Signed-off-by: Paul Morelle <madprog@users.noreply.github.com>

[FIX] doc/deploy: add recommendations for firewall rules
4310ba32 · Olivier Dony · a35d8025 · 4310ba32
Commit 4310ba32 authored 4 years ago by Olivier Dony
--- a/doc/setup/deploy.rst
+++ b/doc/setup/deploy.rst
@@ -490,6 +490,28 @@ security-related topics:
  machines than the production ones. And apply the same security precautions as for
  production.

+- If your public-facing Odoo server has access to sensitive internal network resources
+  or services (e.g. via a private VLAN), implement appropriate firewall rules to
+  protect those internal resources. This will ensure that the Odoo server cannot
+  be used accidentally (or as a result of malicious user actions) to access or disrupt
+  those internal resources.
+  Typically this can be done by applying an outbound default DENY rule on the firewall,
+  then only explicitly authorizing access to internal resources that the Odoo server
+  needs to access.
+  `Systemd IP traffic access control <http://0pointer.net/blog/ip-accounting-and-access-lists-with-systemd.html>`_
+  may also be useful to implement per-process network access control.
+
+- If your public-facing Odoo server is behind a Web Application Firewall, a load-balancer,
+  a transparent DDoS protection service (like CloudFlare) or a similar network-level
+  device, you may wish to avoid direct access to the Odoo system. It is generally
+  difficult to keep the endpoint IP addresses of your Odoo servers secret. For example
+  they can appear in web server logs when querying public systems, or in the headers
+  of emails posted from Odoo.
+  In such a situation you may want to configure your firewall so that the endpoints
+  are not accessible publicly except from the specific IP addresses of your WAF,
+  load-balancer or proxy service. Service providers like CloudFlare usually maintain
+  a public list of their IP address ranges for this purpose.
+
 - If you are hosting multiple customers, isolate customer data and files from each other
  using containers or appropriate "jail" techniques.