Faidon Liambotis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/176901

Change subject: firewall: move allow NTP rule to base & restrict
......................................................................

firewall: move allow NTP rule to base & restrict

The otherwise generic "ferm" module had an "allow ntp" rule, as
introduced by commit 4e9f095. That's pretty ugly, so move it to
role::ntp instead, where it belongs.

While at it, there is no reason to have NTP open on the firewall on
every host. Stateful tracking of the outgoing connection should be
enough for clients, so move the stanza only under the server portion of
the role configuration.

Change-Id: I37d7443d3a5acb7cb0c591e77555fefd6f1a510e
---
M manifests/role/ntp.pp
M modules/ferm/manifests/init.pp
2 files changed, 5 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/01/176901/1

diff --git a/manifests/role/ntp.pp b/manifests/role/ntp.pp
index 0d93cee..0144a08 100644
--- a/manifests/role/ntp.pp
+++ b/manifests/role/ntp.pp
@@ -101,6 +101,11 @@
             query_acl => $neon_acl,
         }
 
+        ferm::service { 'ntp':
+            proto => 'udp',
+            port  => 'ntp',
+        }
+
         monitoring::service { 'ntp peers':
             description   => 'NTP peers',
             check_command => 'check_ntp_peer!0.1!0.5';
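Review bot: the new ferm::service rule has no source restriction, so on the NTP servers port 123/udp stays open to any source even though this class already carries a `query_acl => $neon_acl` for the ntpd side; if ferm::service accepts a source-range parameter, consider limiting it to the same peers and clients that acl covers, or note in the commit message that the servers are intentionally world-reachable. Also note the switch from the numeric `dport 123` of the removed rule to the symbolic `port => 'ntp'`, which ferm resolves through /etc/services; that is fine on the standard base image, but worth a one-line comment so a future reader does not assume it is a typo.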
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index d8b4259..75b4450 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -53,10 +53,4 @@
     # the rules are virtual resources for cases where they are defined in a
     # class but the host doesn't have the ferm class included
     File <| tag == 'ferm' |>
-
-    #allow udp dpt 123
-
-    ferm::rule { 'allow_ntp':
-        rule => 'proto udp dport 123 ACCEPT;'
-    }
 }
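Review bot: dropping `allow_ntp` from the base ferm class is correct only if the base ferm ruleset elsewhere accepts ESTABLISHED,RELATED conntrack state for UDP, since that is what the commit message relies on for client replies; that rule is not in this hunk, so please confirm it exists before merging. Also grep the tree for any host that acted as an NTP peer or server without including role::ntp, as such hosts silently lose inbound 123/udp with this change.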

-- 
To view, visit https://gerrit.wikimedia.org/r/176901
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I37d7443d3a5acb7cb0c591e77555fefd6f1a510e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits