Muehlenhoff has submitted this change and it was merged.

Change subject: ipsec_allow: Restrict to domain networks
......................................................................


ipsec_allow: Restrict to domain networks

The role is used by kafka*, mc* and rdb* systems. These systems in production
are all limited to access from production systems, while the use of
DOMAIN_NETWORKS also allows these roles to be used for a base::firewall-enabled
labs instance.

Change-Id: Iafe19683efb68c4751aeee0626738bdf1c358288
---
M modules/ferm/manifests/ipsec_allow.pp
1 file changed, 2 insertions(+), 2 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified
  BBlack: Looks good to me, but someone else must approve



diff --git a/modules/ferm/manifests/ipsec_allow.pp 
b/modules/ferm/manifests/ipsec_allow.pp
index 513cb02..2ead25b 100644
--- a/modules/ferm/manifests/ipsec_allow.pp
+++ b/modules/ferm/manifests/ipsec_allow.pp
@@ -5,14 +5,14 @@
 class ferm::ipsec_allow {
     #firewall allow ipsec esp
     ferm::rule { 'ferm-ipsec-esp':
-        rule   => 'proto esp { saddr $ALL_NETWORKS ACCEPT; }'
+        rule   => 'proto esp { saddr $DOMAIN_NETWORKS ACCEPT; }'
     }
 
     #firewall allow ipsec ike udp 500
     ferm::service { 'ferm-ipsec-ike':
         proto  => 'udp',
         port   => '500',
-        srange => '$ALL_NETWORKS',
+        srange => '$DOMAIN_NETWORKS',
     }
 
 }
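
Review bot: the two inline comments ('#firewall allow ipsec esp' and '#firewall allow ipsec ike udp 500') still read as an unrestricted allow, although both resources now accept traffic only from $DOMAIN_NETWORKS. Suggest updating them to name the source restriction, for example '#firewall allow ipsec esp from $DOMAIN_NETWORKS', so that someone reading only the manifest can see that the narrower scope is intentional and does not widen it back to $ALL_NETWORKS. A smaller style point in the same hunk: the changed 'rule =>' line in 'ferm-ipsec-esp' has no trailing comma, while the attributes of 'ferm-ipsec-ike' do; adding one would keep the two resources consistent.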

-- 
To view, visit https://gerrit.wikimedia.org/r/303837
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Iafe19683efb68c4751aeee0626738bdf1c358288
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Elukey <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Jgreen <[email protected]>
Gerrit-Reviewer: Muehlenhoff <[email protected]>
Gerrit-Reviewer: Ottomata <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
