Hashar has uploaded a new change for review. https://gerrit.wikimedia.org/r/95162
Change subject: contint: migrate firewall rules to ferm ...................................................................... contint: migrate firewall rules to ferm Change-Id: Ie9be31bec57e70fc84bd59a5524e8f848bb61630 --- M modules/contint/manifests/firewall.pp 1 file changed, 31 insertions(+), 41 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/62/95162/1
diff --git a/modules/contint/manifests/firewall.pp b/modules/contint/manifests/firewall.pp
index 6d8071f..a6d1062 100644
--- a/modules/contint/manifests/firewall.pp
+++ b/modules/contint/manifests/firewall.pp
@@ -1,50 +1,40 @@
+# vim: set ts=4 sw=4 et:
 class contint::firewall {
- # prevent users from accessing port 8080 directly (but still allow from
- # localhost and own net)
+ include base::firewall
- class iptables-purges {
+ # Restrict some services to be only reacheable from localhost..
- require 'iptables::tables'
+ # Jenkins on port 8080, reacheable via Apache proxying the requests
+ ferm::rule { 'jenkins_localhost_only':
+ rule => 'proto tcp dport 8080 { saddr 127.0.0.1 ACCEPT; DROP; }'
+ }
+ # Zuul status page on port 8001, reacheable via Apache proxying the requests
+ ferm::rule { 'zuul_localhost_only':
+ rule => 'proto tcp dport 8001 { saddr 127.0.0.1 ACCEPT; DROP; }'
+ }
+ # Gearman is used between Zuul and the Jenkin master, both on the same
+ # server and communicating over 127.0.0.1
+ ferm::rule { 'gearman_localhost_only':
+ rule => 'proto tcp dport 8001 { saddr 127.0.0.1 ACCEPT; DROP; }'
+ }
- iptables_purge_service{ 'deny_all_http-alt': service => 'http-alt' }
- iptables_purge_service{ 'deny_all_zuul-daemon': service => 'zuul_webservice' }
- iptables_purge_service{ 'deny_all-gearman': service => 'gearman' }
- iptables_purge_service{ 'deny_all_git-daemon': service => 'git_daemon' }
- }
+ # The master runs a git-daemon process used by slave to fetch changes form
+ # the Zuul git repository. It is only meant to be used form slaves, so
+ # reject outside calls.
+ ferm::rule { 'git-daemon_internal':
+ rule => 'proto tcp dport 9418 { saddr $INTERNAL ACCEPT; DROP; }'
+ }
- class iptables-accepts {
+ # ALLOWS:
- require 'contint::firewall::iptables-purges'
+ # web access
+ ferm::rule { 'allow_http':
+ rule => 'proto tcp dport 80 ACCEPT;'
+ }
+ # ssh from outside world
+ ferm::rule { 'allow_ssh':
+ rule => 'proto tcp dport ssh ACCEPT;'
+ }
- iptables_add_service{ 'lo_all': interface => 'lo', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'localhost_all': source => '127.0.0.1', service => 'all', jump => 'ACCEPT' }
-
- # We really need to drop Zuul gearman there or anyone in wikimedia network
- # would be able to reach Zuul gearman daemon.
- iptables_add_service{ 'deny_all-gearman': service => 'gearman', jump => 'DROP' }
-
- iptables_add_service{ 'private_all': source => '10.0.0.0/8', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'public_all': source => '208.80.152.0/22', service => 'all', jump => 'ACCEPT' }
- }
-
- class iptables-drops {
-
- require 'contint::firewall::iptables-accepts'
-
- iptables_add_service{ 'deny_all_http-alt': service => 'http-alt', jump => 'DROP' }
- # Deny direct access to the Zuul daemon
- iptables_add_service{ 'deny_all_zuul-daemon': service => 'zuul_webservice', jump => 'DROP' }
- # Deny git daemon listening on port 9418
- iptables_add_service{ 'deny_all_git-daemon': service => 'git_daemon', jump => 'DROP' }
- }
-
- class iptables {
-
- require 'contint::firewall::iptables-drops'
-
- iptables_add_exec{ $::hostname: service => 'contint' }
- }
-
- require contint::firewall::iptables
 }
-- To view, visit https://gerrit.wikimedia.org/r/95162 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie9be31bec57e70fc84bd59a5524e8f848bb61630 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Hashar <has...@free.fr> _______________________________________________ MediaWiki-commits 
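Review bot: The `gearman_localhost_only` rule restricts `dport 8001`, which is the Zuul status port already covered by `zuul_localhost_only`, so the Gearman daemon port is left unrestricted by this change even though the removed `deny_all-gearman` rule existed precisely to keep it off the network; the line should read `rule => 'proto tcp dport <GEARMAN_PORT> { saddr 127.0.0.1 ACCEPT; DROP; }'` with the port Zuul's gearman server actually listens on (gearmand's default is 4730 — confirm against the zuul configuration). Whether the default policy of `base::firewall` drops everything not listed, and whether it defines the `$INTERNAL` variable the `git-daemon_internal` rule relies on, is not visible in this hunk and should be verified before merging, since the old explicit 10.0.0.0/8 and 208.80.152.0/22 accepts are dropped here. The new comments also carry typos worth fixing: `reacheable` → `reachable`, `form` → `from` (twice), `Jenkin` → `Jenkins`.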