ArielGlenn has submitted this change and it was merged.
Change subject: contint: prevents access to Zuul daemon
......................................................................
contint: prevents access to Zuul daemon
Adds zuul_webservice = 8001 to iptables_ports and tcp to
iptables_protocols.
Change-Id: I2bd1c897910b4660b5957955d36d575ccd7073dc
---
M manifests/iptables.pp
M modules/contint/manifests/firewall.pp
2 files changed, 6 insertions(+), 0 deletions(-)
Approvals:
ArielGlenn: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/iptables.pp b/manifests/iptables.pp
index eea897a..20136cc 100644
--- a/manifests/iptables.pp
+++ b/manifests/iptables.pp
@@ -45,6 +45,7 @@
salt_publish => "4505",
salt_ret => "4506",
inetd => "10080",
+ zuul_webservice => "8001",
}
$iptables_protocols = {
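Review bot: The new key is named `zuul_webservice`, but the resources that consume it in modules/contint/manifests/firewall.pp are titled `deny_all_zuul-daemon`; both names refer to the same listener, and the mismatch makes the purge/drop/exec triplet harder to find by grep. One should follow the other, e.g. `deny_all_zuul_webservice`, matching how `http-alt` is reused verbatim in `deny_all_http-alt`. The `$iptables_protocols` hunk below is consistent with this one and needs no separate change. A short comment on the key, `# Zuul web service, consumed by contint::firewall`, would point a reader at the only user of the port.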
@@ -94,6 +95,7 @@
salt_ret => "tcp",
redis => "tcp",
inetd => "tcp",
+ zuul_webservice => "tcp",
}
class iptables::tables {
diff --git a/modules/contint/manifests/firewall.pp
b/modules/contint/manifests/firewall.pp
index 1b8b058..8a39f43 100644
--- a/modules/contint/manifests/firewall.pp
+++ b/modules/contint/manifests/firewall.pp
@@ -8,6 +8,7 @@
require 'iptables::tables'
iptables_purge_service{ 'deny_all_http-alt': service => 'http-alt' }
+ iptables_purge_service{ 'deny_all_zuul-daemon': service =>
'zuul_webservice' }
}
class iptables-accepts {
@@ -25,6 +26,8 @@
require 'contint::firewall::iptables-accepts'
iptables_add_service{ 'deny_all_http-alt': service => 'http-alt', jump =>
'DROP' }
+ # Deny direct access to the Zuul daemon
+ iptables_add_service{ 'deny_all_zuul-daemon': service =>
'zuul_webservice', jump => 'DROP' }
}
class iptables {
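Review bot: The new DROP rule for `zuul_webservice` has no source or interface restriction, and this change adds no matching accept in `iptables-accepts`, so connections to 8001 from the host itself are dropped too unless an earlier accept covering loopback already exists in that class. If the Zuul web service is consumed by a local proxy, an accept scoped to the loopback source must precede this rule; whether the existing `http-alt` pattern already relies on such a rule cannot be confirmed from the hunk, since the body of `iptables-accepts` and the opening of the enclosing `iptables-drops` class are outside it. Worth checking before the `# Deny direct access to the Zuul daemon` comment is taken to mean only remote access is blocked.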
@@ -32,6 +35,7 @@
require 'contint::firewall::iptables-drops'
iptables_add_exec{ $::hostname: service => 'http-alt' }
+ iptables_add_exec{ $::hostname: service => 'zuul_webservice' }
}
require contint::firewall::iptables
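Review bot: The added `iptables_add_exec{ $::hostname: service => 'zuul_webservice' }` reuses the title `$::hostname` already taken by the `http-alt` declaration on the line above it; Puppet refuses to compile a catalog that declares the same type and title twice, so any host including this class should fail with a duplicate declaration error. Give the second resource a distinct title, e.g. `iptables_add_exec{ "${::hostname}_zuul_webservice": service => 'zuul_webservice' }`, provided the define does not depend on the title being the bare hostname (its body is not part of this change). The enclosing `iptables` class opens outside the hunk.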
--
To view, visit https://gerrit.wikimedia.org/r/82614
Gerrit-MessageType: merged
Gerrit-Change-Id: I2bd1c897910b4660b5957955d36d575ccd7073dc
Gerrit-PatchSet: 7
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <[email protected]>
Gerrit-Reviewer: ArielGlenn <[email protected]>
Gerrit-Reviewer: Hashar <[email protected]>
Gerrit-Reviewer: jenkins-bot