Matanya has uploaded a new change for review. https://gerrit.wikimedia.org/r/117670
Change subject: statistics: converted iptables to ferm rule
......................................................................
statistics: converted iptables to ferm rule
Change-Id: Iba67c80d517afb4861dd4b5e12873789e82088b4
---
M manifests/misc/statistics.pp
M manifests/site.pp
2 files changed, 6 insertions(+), 36 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/70/117670/1
diff --git a/manifests/misc/statistics.pp b/manifests/misc/statistics.pp
index ae09004..10f52b4 100644
--- a/manifests/misc/statistics.pp
+++ b/manifests/misc/statistics.pp
@@ -1,41 +1,11 @@ # this file is for stat[0-9] statistics servers (per ezachte - RT 2162) -class misc::statistics::iptables-purges { - require "iptables::tables" - - # The deny_all rule must always be purged, otherwise ACCEPTs can be placed below it - iptables_purge_service{ "deny_all_redis": service => "redis" } - - # When removing or modifying a rule, place the old rule here, otherwise it won't - # be purged, and will stay in the iptables forever -} - -class misc::statistics::iptables-accepts { - require "misc::statistics::iptables-purges" - - # Rememeber to place modified or removed rules into purges! - iptables_add_service{ "redis_internal": source => "208.80.152.0/22", service => "redis", jump => "ACCEPT" } -} - -class misc::statistics::iptables-drops { - require "misc::statistics::iptables-accepts" - - # Deny by default - iptables_add_service{ "deny_all_redis": service => "redis", jump => "DROP" } -} - -class misc::statistics::iptables { - if $realm == "production" { - # We use the following requirement chain: - # iptables -> iptables::drops -> iptables::accepts -> iptables::accept-established -> iptables::purges - # - # This ensures proper ordering of the rules - require "misc::statistics::iptables-drops" - - # This exec should always occur last in the requirement chain. - iptables_add_exec{ $hostname: service => "statistics" } +class misc::statistics::firewall { + if $::realm == 'production' { + ferm::rule { 'redis_internal': + rule => 'proto tcp dport 6379 { saddr $INTERNAL ACCEPT; }', + } } - # Labs has security groups, and as such, doesn't need firewall rules } diff --git a/manifests/site.pp b/manifests/site.pp index 98eff6f..8446554 100644 --- a/manifests/site.pp +++ b/manifests/site.pp 
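Review bot: The new `ferm::rule { 'redis_internal':` accepts port 6379 from `$INTERNAL`, but nothing in this hunk establishes that `$INTERNAL` covers the same 208.80.152.0/22 range the removed `iptables_add_service` accepted, or that redis traffic from any other source is still dropped — the old class carried an explicit `deny_all_redis` DROP, while the new one relies on the ferm variable definition and the base chain policy, both defined outside this change. The removed class also pulled in `require "iptables::tables"`, whereas `misc::statistics::firewall` declares no dependency on whatever class installs and configures ferm, so if that is not applied to the node by other means the rule would have nothing to install into; I cannot confirm either from the visible lines. A short comment would make the intent reviewable for the next reader: `# Redis (tcp/6379) is reachable only from $INTERNAL; all other sources are dropped by the base ferm policy (replaces the 208.80.152.0/22 iptables accept + deny_all_redis drop).` The removed note that Labs relies on security groups is still encoded by the `$::realm == 'production'` guard and could be kept as a one-line comment there.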
@@ -2432,7 +2432,7 @@ include misc::statistics::cron_blog_pageviews include misc::statistics::limn::mobile_data_sync - include misc::statistics::iptables + include misc::statistics::firewall } node 'stat1001.wikimedia.org' { -- To view, visit https://gerrit.wikimedia.org/r/117670 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iba67c80d517afb4861dd4b5e12873789e82088b4 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Matanya <mata...@foss.co.il> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits