Ferm rules for image scalers
Closed, ResolvedPublic

Description

The basic approach is that including base::firewall on a host in site.pp enables a set of basic firewall rules which drop incoming connections by default. In addition, the Puppet classes of the services running on the host then need to whitelist their traffic.

Many services can be allowed using the ferm::service class:
https://doc.wikimedia.org/puppet/classes/ferm.html#M000641
More complex rules can be implemented using the ferm::rule class.

First the traffic patterns/ports used by these classes need to be identified and ferm rules added to them:
mediawiki::imagescaler

Once the ferm rules have been added, base::firewall can be included on the hosts which have ferm rules for all their services.

Related Objects

Status: Resolved
Assigned: MoritzMuehlenhoff

Event Timeline

MoritzMuehlenhoff raised the priority of this task from to Needs Triage.
MoritzMuehlenhoff updated the task description.
MoritzMuehlenhoff subscribed.
fgiunchedi triaged this task as Medium priority. Jul 20 2015, 2:28 PM
MoritzMuehlenhoff claimed this task.
MoritzMuehlenhoff set Security to None.

All image scalers are now using ferm