Dzahn has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/316497

Change subject: tcpircbot: improve firewall rule setup
......................................................................

tcpircbot: improve firewall rule setup

- Replace ferm::rule with ferm::service.
- Use @resolve instead of IP addresses.
- resolve v4 and v6 addresses from DNS instead of having to list both
- make everything more readable
- add eventlog2001 which wasn't there before for consistency eqiad/codfw

Also per comments on Ic7bf1903f8a04649ea7ec.

Change-Id: Ia611b075d18a91630fd1700ddfcc8bc9fee64486
---
M manifests/role/tcpircbot.pp
1 file changed, 16 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/97/316497/1

diff --git a/manifests/role/tcpircbot.pp b/manifests/role/tcpircbot.pp
index b7a7cc2..fb348ab 100644
--- a/manifests/role/tcpircbot.pp
+++ b/manifests/role/tcpircbot.pp
@@ -33,9 +33,21 @@
         ],
     }
 
-    ferm::rule { 'tcpircbot_allowed':
-        # eventlog1001 (v4), tin (v4), mira (v4), puppetmaster1001 (v4), tin 
(v6), mira (v6), puppetmaster1001 (v6, unnamed in DNS), terbium (v4), terbium 
(v6), wasat (v4), wasat (v6), puppetmaster2001 (v4), puppetmaster2001 (v6, 
unnamed in DNS)
-        # Please DO NOT change the IPs in the rule below without updating the 
comment above
-        rule => 'proto tcp dport 9200 { saddr (10.64.32.167/32 10.64.0.196/32 
10.192.16.132/32 10.64.16.73/32 2620:0:861:101:10:64:0:196/128 
2620:0:860:102:10:192:16:132/128 2620:0:861:102:10:64:16:73/128 10.64.32.13/32 
2620:0:861:103:10:64:32:13/64 10.192.48.45/32 2620:0:860:104:10:192:48:45/64 
10.192.0.27/32 2620:0:860:101:10:192:0:27/128) ACCEPT; }',
+    $allowed_hosts = [
+        'eventlog1001.eqiad.wmnet',     # logging eqiad
+        'eventlog2001.codfw.wmnet',     # logging codfw
+        'tin.eqiad.wmnet',              # deployment eqiad
+        'mira.codfw.wmnet',             # deployment codfw
+        'puppetmaster1001.eqiad.wmnet', # puppet eqiad
+        'puppetmaster2001.codfw.wmnet', # puppet codfw
+        'terbium.eqiad.wmnet',          # maintenance eqiad
+        'wasat.codfw.wmnet',            # maintenance codfw
+    ]
+
+    ferm::service { 'tcpircbot_allowed':
+        proto  => 'tcp',
+        port   => '9200',
+        srange => "(@resolve((${allowed_hosts})) @resolve((${allowed_hosts}), 
AAAA))',
     }
+
 }
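Review bot: the srange value in the new ferm::service block opens with a double quote and closes with a single quote (`srange => "(@resolve((${allowed_hosts})) @resolve((${allowed_hosts}), AAAA))',`), which will not parse; both delimiters need to be double quotes so the `${allowed_hosts}` interpolation is evaluated. Even then, interpolating an array straight into a string does not give the space-separated list that ferm's `@resolve((...))` expects (depending on the Puppet version the elements are run together or rendered as `[a, b, ...]`), so build the list explicitly with the stdlib join function, e.g. `$hosts = join($allowed_hosts, ' ')`, and interpolate that instead. Two behavioural differences from the removed rule should be confirmed before merging: the old comment records the puppetmaster1001 and puppetmaster2001 v6 addresses as unnamed in DNS, so the `@resolve(..., AAAA)` lookup for those names cannot return them unless AAAA records have since been added (check how ferm handles a name with no AAAA record before relying on it), and the old terbium and wasat v6 entries used a /64 mask whereas @resolve yields single host addresses, so the new rule is narrower than the old one, which is an improvement but should be a deliberate change.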

-- 
To view, visit https://gerrit.wikimedia.org/r/316497
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia611b075d18a91630fd1700ddfcc8bc9fee64486
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <dz...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
