From 34472f24157ef46daea14f32234af58c9ff56f9a Mon Sep 17 00:00:00 2001
From: Bassem Dghaidi <568794+Link-@users.noreply.github.com>
Date: Thu, 29 Jan 2026 09:31:15 -0800
Subject: [PATCH] Add explicit iptables rules to block blob storage IPs

The previous firewall setup relied on a catch-all REJECT rule for blob storage, but it wasn't blocking traffic. Now we explicitly resolve and block the IPs for productionresultssa0-3.blob.core.windows.net using iptables -I OUTPUT 1 to insert rules at the top of the chain.
---
 .github/workflows/workflow.yml | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index e062e8f..60ed171 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -169,10 +169,13 @@ jobs:
 iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
 done
- # Block productionresultssa*.blob.core.windows.net (cache blob storage)
- # We block ALL blob.core.windows.net traffic since we can't easily enumerate all storage accounts
- # The proxy will handle these requests
- echo "Note: *.blob.core.windows.net traffic will be blocked and must go through proxy"
+ # Block blob.core.windows.net (Azure blob storage used for cache)
+ for host in productionresultssa0.blob.core.windows.net productionresultssa1.blob.core.windows.net productionresultssa2.blob.core.windows.net productionresultssa3.blob.core.windows.net; do
+ for ip in $(getent ahosts "$host" 2>/dev/null | awk '{print $1}' | sort -u); do
+ echo "Blocking direct access to blob storage ($host): $ip"
+ iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
+ done
+ done
 # Block all other outbound HTTP/HTTPS traffic
 iptables -A OUTPUT -p tcp --dport 80 -j REJECT
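Review bot: The new resolve-and-block loop is fail-open: `2>/dev/null` on the `getent ahosts` call hides a failed lookup, and an empty result simply makes the inner `for ip` loop a no-op, so a DNS problem on the runner leaves blob storage reachable with nothing in the job log. `getent ahosts` also lists IPv6 addresses when the runner has them, which the IPv4 `iptables` command cannot install as a rule and which no `ip6tables` rule in this step covers. I would resolve once, keep only IPv4 entries, and fail the step when the list is empty: `ips=$(getent ahosts "$host" | awk '$1 ~ /^[0-9.]+$/ {print $1}' | sort -u)` / `[ -n "$ips" ] || { echo "::error::could not resolve $host"; exit 1; }` / `for ip in $ips; do`. A snapshot of A records is only valid for their TTL, so the removed note that this traffic must go through the proxy is worth keeping in the new comment. The identical block in the hunk starting `@@ -326,10 +329,13 @@` needs the same change, and the enclosing `run:` step begins outside both hunks.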
@@ -326,10 +329,13 @@ jobs:
 iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
 done
- # Block productionresultssa*.blob.core.windows.net (cache blob storage)
- # We block ALL blob.core.windows.net traffic since we can't easily enumerate all storage accounts
- # The proxy will handle these requests
- echo "Note: *.blob.core.windows.net traffic will be blocked and must go through proxy"
+ # Block blob.core.windows.net (Azure blob storage used for cache)
+ for host in productionresultssa0.blob.core.windows.net productionresultssa1.blob.core.windows.net productionresultssa2.blob.core.windows.net productionresultssa3.blob.core.windows.net; do
+ for ip in $(getent ahosts "$host" 2>/dev/null | awk '{print $1}' | sort -u); do
+ echo "Blocking direct access to blob storage ($host): $ip"
+ iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
+ done
+ done
 # Block all other outbound HTTP/HTTPS traffic
 iptables -A OUTPUT -p tcp --dport 80 -j REJECT