Akosiaris has submitted this change and it was merged. Change subject: contint: migrate firewall rules to ferm ......................................................................
contint: migrate firewall rules to ferm While at it, restrict ssh to gallium.wikimedia.org to internal hosts. We will have to use one of the bastions as a proxy instead of sshing directly. Change-Id: Ie9be31bec57e70fc84bd59a5524e8f848bb61630 --- M modules/contint/manifests/firewall.pp 1 file changed, 31 insertions(+), 41 deletions(-) Approvals: Akosiaris: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/contint/manifests/firewall.pp b/modules/contint/manifests/firewall.pp index 6d8071f..9951943 100644 --- a/modules/contint/manifests/firewall.pp +++ b/modules/contint/manifests/firewall.pp 
@@ -1,50 +1,40 @@ +# vim: set ts=4 sw=4 et: class contint::firewall { - # prevent users from accessing port 8080 directly (but still allow from - # localhost and own net) + include base::firewall - class iptables-purges { + # Restrict some services to be only reacheable from localhost over both + # IPv4 and IPv6 (to be safe) - require 'iptables::tables' + # Jenkins on port 8080, reacheable via Apache proxying the requests + ferm::rule { 'jenkins_localhost_only': + rule => 'proto tcp dport 8080 { saddr (127.0.0.1 ::1) ACCEPT; DROP; }' + } + # Zuul status page on port 8001, reacheable via Apache proxying the requests + ferm::rule { 'zuul_localhost_only': + rule => 'proto tcp dport 8001 { saddr (127.0.0.1 ::1) ACCEPT; DROP; }' + } + # Gearman is used between Zuul and the Jenkin master, both on the same + # server and communicating over localhost + ferm::rule { 'gearman_localhost_only': + rule => 'proto tcp dport 4730 { saddr (127.0.0.1 ::1) ACCEPT; DROP; }' + } - iptables_purge_service{ 'deny_all_http-alt': service => 'http-alt' } - iptables_purge_service{ 'deny_all_zuul-daemon': service => 'zuul_webservice' } - iptables_purge_service{ 'deny_all-gearman': service => 'gearman' } - iptables_purge_service{ 'deny_all_git-daemon': service => 'git_daemon' } - } + # The master runs a git-daemon process used by slave to fetch changes from + # the Zuul git repository. It is only meant to be used from slaves, so + # reject outside calls. 
+ ferm::rule { 'git-daemon_internal': + rule => 'proto tcp dport 9418 { saddr $INTERNAL ACCEPT; DROP; }' + } - class iptables-accepts { + # ALLOWS: - require 'contint::firewall::iptables-purges' + # web access + ferm::rule { 'allow_http': + rule => 'proto tcp dport http ACCEPT;' + } + ferm::rule { 'allow_https': + rule => 'proto tcp dport https ACCEPT;' + } - iptables_add_service{ 'lo_all': interface => 'lo', service => 'all', jump => 'ACCEPT' } - iptables_add_service{ 'localhost_all': source => '127.0.0.1', service => 'all', jump => 'ACCEPT' } - - # We really need to drop Zuul gearman there or anyone in wikimedia network - # would be able to reach Zuul gearman daemon. - iptables_add_service{ 'deny_all-gearman': service => 'gearman', jump => 'DROP' } - - iptables_add_service{ 'private_all': source => '10.0.0.0/8', service => 'all', jump => 'ACCEPT' } - iptables_add_service{ 'public_all': source => '208.80.152.0/22', service => 'all', jump => 'ACCEPT' } - } - - class iptables-drops { - - require 'contint::firewall::iptables-accepts' - - iptables_add_service{ 'deny_all_http-alt': service => 'http-alt', jump => 'DROP' } - # Deny direct access to the Zuul daemon - iptables_add_service{ 'deny_all_zuul-daemon': service => 'zuul_webservice', jump => 'DROP' } - # Deny git daemon listening on port 9418 - iptables_add_service{ 'deny_all_git-daemon': service => 'git_daemon', jump => 'DROP' } - } - - class iptables { - - require 'contint::firewall::iptables-drops' - - iptables_add_exec{ $::hostname: service => 'contint' } - } - - require contint::firewall::iptables } -- To view, visit https://gerrit.wikimedia.org/r/95162 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ie9be31bec57e70fc84bd59a5524e8f848bb61630 Gerrit-PatchSet: 5 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Hashar <has...@free.fr> Gerrit-Reviewer: Akosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: ArielGlenn 
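Review bot: The three `*_localhost_only` rules and the comment above them promise coverage "over both IPv4 and IPv6", but the rule strings only list `saddr (127.0.0.1 ::1)` and never select a ferm domain, so whether the 8080/8001/4730 restriction actually lands in the ip6 table depends on the default domain that `ferm::rule` (defined outside this hunk) applies; if it is IPv4-only, Jenkins, Zuul and Gearman stay reachable over IPv6 from outside, which is exactly what the old `deny_all-gearman` DROP was guarding against. The same hunk also relies on `$INTERNAL` in `git-daemon_internal` and on `include base::firewall` to supply the ssh restriction described in the commit message, neither of which is defined or visible here; a one-line comment such as `# $INTERNAL and the ssh allow rule come from base::firewall / ferm defaults` next to the include would make that dependency explicit for the next reader. As a point of style, the three identical localhost-only bodies could be one rule, e.g. `rule => 'proto tcp dport (8080 8001 4730) { saddr (127.0.0.1 ::1) ACCEPT; DROP; }'`, which keeps the per-port intent in the comment while removing the copy-paste risk of one entry drifting from the others. The enclosing `class contint::firewall` opens before this hunk's first changed line and its closing brace is the last context line.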
<ar...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Hashar <has...@free.fr> Gerrit-Reviewer: Jeremyb <jer...@tuxmachine.com> Gerrit-Reviewer: jenkins-bot _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits