Bob Proulx wrote:
> Which means I want to say that all of the version control systems from
> vcs are migrated now.  (Since tla arch is hosted on download.)
> Therefore I think I will set up an iptables block for other services
> in order to force finding any unknown issues.

Which I have done just now.  I aggressively created a copy of the
iptables firewall.  I removed all access ports for the version control
systems and for web access.  I blocked ssh access from the world
(needed for the version control access) but allowed it from the
standard list of local systems such as fencepost and mgt0 and the FSF
admins VPN network.  I did this as a temporary change from the command
line.  A reboot would restore operation to the previous rules.

In theory nothing from the outside world is using the vcs server for
any version control or web access or any other access.  This should
enforce that theory and cause anything using it to be blocked.

Note that vcs is still very much a required system.  It is hosting the
data storage by NFS onto the new system vcs0.  NFS access to the data
is still very much required for every operation.  Plus us admins need
shell access for repository maintenance actions using local root
access.  NFS root_squash is in effect, as desired, and vcs0 has no
root access to the NFS-mounted file system.

As usual please report any problems.

