Page MenuHomePhabricator
Create Task
Maniphest T104968

Ferm rules for app servers
Closed, ResolvedPublic
Actions

Description

The basic approach is that including base::firewall to a host in site.pp enables a set of basic firewall rules which drop incoming connections by default. In addition the puppet classes of the services running on the host then need to whitelist their traffic.

Many services can be allowed using the ferm::service class:
https://doc.wikimedia.org/puppet/classes/ferm.html#M000641
More complex rules can be be implemented using the ferm::rule class.

First the traffic patterns/ports used by these classes need to be identified and ferm rules added to them:
mediawiki::canary_appserver
mediawiki::appserver
mediawiki::appserver::api
mediawiki::appserver::canary_api

Oce the ferm rules have been added, base::firewall can be included to the hosts which have ferm rules for all their services.

Details

SubjectRepoBranchLines +/-
Exclude DNS requests from connection trackingoperations/puppetproduction+12 -0
Enable ferm on initial appserversoperations/puppetproduction+4 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedMoritzMuehlenhoffT104968 Ferm rules for app servers

Event Timeline

MoritzMuehlenhoff created this task.Jul 7 2015, 10:10 AM
MoritzMuehlenhoff raised the priority of this task from to Needs Triage.
MoritzMuehlenhoff updated the task description. (Show Details)
MoritzMuehlenhoff added a project: acl*sre-team.
MoritzMuehlenhoff subscribed.
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptJul 7 2015, 10:10 AM
MoritzMuehlenhoff added a parent task: Restricted Task.Jul 7 2015, 10:13 AM
fgiunchedi triaged this task as Medium priority.Jul 20 2015, 2:28 PM
gerritbot subscribed.Aug 31 2015, 3:40 PM

Change 235025 had a related patch set uploaded (by Muehlenhoff):
Enable ferm on initial appservers

https://gerrit.wikimedia.org/r/235025

gerritbot added a project: Patch-For-Review.Aug 31 2015, 3:40 PM
gerritbot added a comment.Sep 3 2015, 7:42 AM

Change 235025 merged by Muehlenhoff:
Enable ferm on initial appservers

https://gerrit.wikimedia.org/r/235025

Muehlenhoff mentioned this in rOPUP74c84f23d019: Enable ferm on initial appservers.Sep 3 2015, 7:42 AM
jcrespo raised the priority of this task from Medium to High.Sep 11 2015, 5:51 PM
jcrespo subscribed.

I think this should get a bump.

jcrespo removed a project: Patch-For-Review.Sep 11 2015, 5:53 PM
jcrespo set Security to None.
gerritbot added a comment.Sep 15 2015, 1:59 PM

Change 238447 had a related patch set uploaded (by Muehlenhoff):
Exclude DNS requests from connection tracking

https://gerrit.wikimedia.org/r/238447

gerritbot added a project: Patch-For-Review.Sep 15 2015, 1:59 PM
gerritbot added a comment.Sep 18 2015, 8:28 AM

Change 238447 abandoned by Muehlenhoff:
Exclude DNS requests from connection tracking

https://gerrit.wikimedia.org/r/238447

MoritzMuehlenhoff closed this task as Resolved.Sep 21 2015, 10:47 AM
MoritzMuehlenhoff claimed this task.

All mediawiki application servers and API servers are now using ferm.

RobH mentioned this in T116256: Investigate idle/depooled eqiad appservers.Oct 27 2015, 9:27 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL