Hashar has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/95162


Change subject: contint: migrate firewall rules to ferm
......................................................................

contint: migrate firewall rules to ferm

Change-Id: Ie9be31bec57e70fc84bd59a5524e8f848bb61630
---
M modules/contint/manifests/firewall.pp
1 file changed, 31 insertions(+), 41 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/62/95162/1

diff --git a/modules/contint/manifests/firewall.pp 
b/modules/contint/manifests/firewall.pp
index 6d8071f..a6d1062 100644
--- a/modules/contint/manifests/firewall.pp
+++ b/modules/contint/manifests/firewall.pp
@@ -1,50 +1,40 @@
+# vim: set ts=4 sw=4 et:
 class contint::firewall {
 
-  # prevent users from accessing port 8080 directly (but still allow from
-  # localhost and own net)
+    include base::firewall
 
-  class iptables-purges {
+    # Restrict some services to be only reacheable from localhost..
 
-    require 'iptables::tables'
+    # Jenkins on port 8080, reacheable via Apache proxying the requests
+    ferm::rule { 'jenkins_localhost_only':
+        rule => 'proto tcp dport 8080 { saddr 127.0.0.1 ACCEPT; DROP; }'
+    }
+    # Zuul status page on port 8001, reacheable via Apache proxying the 
requests
+    ferm::rule { 'zuul_localhost_only':
+        rule => 'proto tcp dport 8001 { saddr 127.0.0.1 ACCEPT; DROP; }'
+    }
+    # Gearman is used between Zuul and the Jenkin master, both on the same
+    # server and communicating over 127.0.0.1
+    ferm::rule { 'gearman_localhost_only':
+        rule => 'proto tcp dport 8001 { saddr 127.0.0.1 ACCEPT; DROP; }'
+    }
 
-    iptables_purge_service{  'deny_all_http-alt': service => 'http-alt' }
-    iptables_purge_service{  'deny_all_zuul-daemon': service => 
'zuul_webservice' }
-    iptables_purge_service{  'deny_all-gearman': service => 'gearman' }
-    iptables_purge_service{  'deny_all_git-daemon': service  => 'git_daemon' }
-  }
+    # The master runs a git-daemon process used by slave to fetch changes form
+    # the Zuul git repository. It is only meant to be used form slaves, so
+    # reject outside calls.
+    ferm::rule { 'git-daemon_internal':
+        rule => 'proto tcp dport 9418 { saddr $INTERNAL ACCEPT; DROP; }'
+    }
 
-  class iptables-accepts {
+    # ALLOWS:
 
-    require 'contint::firewall::iptables-purges'
+    # web access
+    ferm::rule { 'allow_http':
+        rule => 'proto tcp dport 80 ACCEPT;'
+    }
+    # ssh from outside world
+    ferm::rule { 'allow_ssh':
+        rule => 'proto tcp dport ssh ACCEPT;'
+    }
 
-    iptables_add_service{ 'lo_all': interface => 'lo', service => 'all', jump 
=> 'ACCEPT' }
-    iptables_add_service{ 'localhost_all': source => '127.0.0.1', service => 
'all', jump => 'ACCEPT' }
-
-    # We really need to drop Zuul gearman there or anyone in wikimedia network
-    # would be able to reach Zuul gearman daemon.
-    iptables_add_service{ 'deny_all-gearman': service => 'gearman', jump => 
'DROP' }
-
-    iptables_add_service{ 'private_all': source => '10.0.0.0/8', service => 
'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'public_all': source => '208.80.152.0/22', service 
=> 'all', jump => 'ACCEPT' }
-  }
-
-  class iptables-drops {
-
-    require 'contint::firewall::iptables-accepts'
-
-    iptables_add_service{ 'deny_all_http-alt': service => 'http-alt', jump => 
'DROP' }
-    # Deny direct access to the Zuul daemon
-    iptables_add_service{ 'deny_all_zuul-daemon': service => 
'zuul_webservice', jump => 'DROP' }
-    # Deny git daemon listening on port 9418
-    iptables_add_service{ 'deny_all_git-daemon': service => 'git_daemon', jump 
=> 'DROP' }
-  }
-
-  class iptables {
-
-    require 'contint::firewall::iptables-drops'
-
-    iptables_add_exec{ $::hostname: service => 'contint' }
-  }
-
-  require contint::firewall::iptables
 }
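Review bot: The `gearman_localhost_only` rule restricts `dport 8001`, the same port the `zuul_localhost_only` rule directly above already covers, so the Gearman listener itself is left unrestricted — the opposite of what the removed `deny_all-gearman` DROP rule enforced and what its deleted comment warned about (anyone on the wikimedia network reaching the Zuul gearman daemon). This looks like a copy-paste of the Zuul rule; the port should be whatever Gearman is bound to on this host (4730 is Gearman's default unless the server is configured otherwise), e.g. `rule => 'proto tcp dport 4730 { saddr 127.0.0.1 ACCEPT; DROP; }'`. Separately, the `git-daemon_internal` rule widens access from the old unconditional DROP to all of `$INTERNAL`, while its comment says only slaves should use it; if that widening is intended the comment should say so, and `$INTERNAL` is presumably defined by `base::firewall`'s ferm configuration — worth confirming, since an undefined variable would make ferm reject the whole ruleset.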


Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie9be31bec57e70fc84bd59a5524e8f848bb61630
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <has...@free.fr>
