
Ferm rules for app servers
Closed, ResolvedPublic

Description

The basic approach is that including base::firewall on a host in site.pp enables a set of basic firewall rules which drop incoming connections by default. In addition, the puppet classes of the services running on the host then need to whitelist their own traffic.

Many services can be allowed using the ferm::service class:
https://doc.wikimedia.org/puppet/classes/ferm.html#M000641
More complex rules can be implemented using the ferm::rule class.

First the traffic patterns/ports used by these classes need to be identified and ferm rules added to them:
mediawiki::canary_appserver
mediawiki::appserver
mediawiki::appserver::api
mediawiki::appserver::canary_api

Once the ferm rules have been added, base::firewall can be included on the hosts which have ferm rules for all their services.
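As an added illustration of the approach described above (this is not a manifest from the task or from the operations/puppet repository), a hypothetical role class that includes base::firewall for default-deny and then whitelists the application server's own traffic. The class name, the port, the `$INTERNAL` source range and the `rule` parameter of ferm::rule are assumptions; `proto`, `port` and `srange` follow the ferm::service documentation linked above.

```puppet
# Hypothetical role for a MediaWiki application server (example only,
# not from the task or the operations/puppet repository).
class role::mediawiki::appserver_example {
    # Installs the base ruleset: incoming connections are dropped by default,
    # so anything the host should serve must be explicitly whitelisted below.
    include base::firewall

    # Simple case: allow HTTP to Apache/HHVM from the internal network.
    # 'mediawiki-http' becomes the name of the generated ferm config snippet.
    # $INTERNAL is assumed to be a ferm variable defined in the base ruleset.
    ferm::service { 'mediawiki-http':
        proto  => 'tcp',
        port   => '80',
        srange => '$INTERNAL',
    }

    # More complex case: ferm::rule takes raw ferm syntax in its 'rule'
    # parameter (assumed parameter name), here to permit ICMP for
    # monitoring and path-MTU discovery.
    ferm::rule { 'mediawiki-icmp':
        rule => 'proto icmp ACCEPT;',
    }
}
```

Before including base::firewall on a host whose services are not yet fully covered, the generated ruleset can be checked without applying it with `ferm --noexec --lines /etc/ferm/ferm.conf`, which prints the iptables commands ferm would run; a service whose port is missing from that output will be dropped once the firewall is enabled.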

Event Timeline

MoritzMuehlenhoff raised the priority of this task from to Needs Triage.
MoritzMuehlenhoff updated the task description.
MoritzMuehlenhoff subscribed.
fgiunchedi triaged this task as Medium priority. Jul 20 2015, 2:28 PM

Change 235025 had a related patch set uploaded (by Muehlenhoff):
Enable ferm on initial appservers

https://gerrit.wikimedia.org/r/235025

Change 235025 merged by Muehlenhoff:
Enable ferm on initial appservers

https://gerrit.wikimedia.org/r/235025

jcrespo raised the priority of this task from Medium to High. Sep 11 2015, 5:51 PM
jcrespo subscribed.

I think this should get a bump.

Change 238447 had a related patch set uploaded (by Muehlenhoff):
Exclude DNS requests from connection tracking

https://gerrit.wikimedia.org/r/238447

Change 238447 abandoned by Muehlenhoff:
Exclude DNS requests from connection tracking

https://gerrit.wikimedia.org/r/238447

MoritzMuehlenhoff claimed this task.

All mediawiki application servers and API servers are now using ferm.