Akosiaris has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/96518


Change subject: Remove redundant DROP rules.
......................................................................

Remove redundant DROP rules.

Now that DROP is the default policy in ferm, no need for extra DROP
rules

Change-Id: I7fccf98db4d5c1491a85c2f867460387da669a71
---
M modules/contint/manifests/firewall.pp
M modules/nrpe/manifests/init.pp
2 files changed, 5 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/18/96518/1

diff --git a/modules/contint/manifests/firewall.pp 
b/modules/contint/manifests/firewall.pp
index 9951943..d03d6a2 100644
--- a/modules/contint/manifests/firewall.pp
+++ b/modules/contint/manifests/firewall.pp
@@ -8,23 +8,23 @@
 
     # Jenkins on port 8080, reacheable via Apache proxying the requests
     ferm::rule { 'jenkins_localhost_only':
-        rule => 'proto tcp dport 8080 { saddr (127.0.0.1 ::1) ACCEPT; DROP; }'
+        rule => 'proto tcp dport 8080 { saddr (127.0.0.1 ::1) ACCEPT; }'
     }
     # Zuul status page on port 8001, reacheable via Apache proxying the 
requests
     ferm::rule { 'zuul_localhost_only':
-        rule => 'proto tcp dport 8001 { saddr (127.0.0.1 ::1) ACCEPT; DROP; }'
+        rule => 'proto tcp dport 8001 { saddr (127.0.0.1 ::1) ACCEPT; }'
     }
     # Gearman is used between Zuul and the Jenkin master, both on the same
     # server and communicating over localhost
     ferm::rule { 'gearman_localhost_only':
-        rule => 'proto tcp dport 4730 { saddr (127.0.0.1 ::1) ACCEPT; DROP; }'
+        rule => 'proto tcp dport 4730 { saddr (127.0.0.1 ::1) ACCEPT; }'
     }
 
     # The master runs a git-daemon process used by slave to fetch changes from
     # the Zuul git repository. It is only meant to be used from slaves, so
     # reject outside calls.
     ferm::rule { 'git-daemon_internal':
-        rule => 'proto tcp dport 9418 { saddr $INTERNAL ACCEPT; DROP; }'
+        rule => 'proto tcp dport 9418 { saddr $INTERNAL ACCEPT; }'
     }
 
     # ALLOWS:
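Review bot: With the trailing `DROP;` gone from jenkins_localhost_only, zuul_localhost_only, gearman_localhost_only and git-daemon_internal, packets from other sources are no longer terminated inside these blocks; they fall through to any later rule and are dropped only by the chain policy. That is equivalent only while no other rule on the host accepts 8080, 8001, 4730 or 9418 more broadly, which is worth confirming against the rules in the "# ALLOWS:" section that follows. The git-daemon comment still says "reject outside calls"; consider rewording it to say the restriction relies on ferm's default DROP policy.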
diff --git a/modules/nrpe/manifests/init.pp b/modules/nrpe/manifests/init.pp
index 5cedff3..03ff0d0 100644
--- a/modules/nrpe/manifests/init.pp
+++ b/modules/nrpe/manifests/init.pp
@@ -73,7 +73,7 @@
 
     # firewall nrpe-server, only accept nrpe/5666 from internal
     ferm::rule { 'nrpe_5666':
-        rule => 'proto tcp dport 5666 { saddr $INTERNAL ACCEPT; DROP; }'
+        rule => 'proto tcp dport 5666 { saddr $INTERNAL ACCEPT; }'
     }
 
     #Collect virtual nrpe checks
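Review bot: The comment above nrpe_5666 says "only accept nrpe/5666 from internal", but after this change that holds only where the default policy is DROP and no other rule accepts port 5666. The dependency is no longer visible in the rule itself, so consider stating it in the comment, for example "accept nrpe/5666 from $INTERNAL; everything else is left to the default DROP policy".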

-- 
To view, visit https://gerrit.wikimedia.org/r/96518

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7fccf98db4d5c1491a85c2f867460387da669a71
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Akosiaris <[email protected]>
