Page MenuHomePhabricator
Create Task
Maniphest T104976

Ferm rules for ocg hosts
Closed, ResolvedPublic
Actions

Description

The basic approach is that including base::firewall to a host in site.pp enables a set of basic firewall rules which drop incoming connections by default. In addition the puppet classes of the services running on the host then need to whitelist their traffic.

Many services can be allowed using the ferm::service class:
https://doc.wikimedia.org/puppet/classes/ferm.html#M000641
More complex rules can be be implemented using the ferm::rule class.

First the traffic patterns/ports used by these classes need to be identified and ferm rules added to them:
role ocg

Once the ferm rules have been added, base::firewall can be included to the hosts which have ferm rules for all their services.

Details

SubjectRepoBranchLines +/-
Exempt ocg service from connection trackingoperations/puppetproduction+1 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedMoritzMuehlenhoffT104976 Ferm rules for ocg hosts

Event Timeline

MoritzMuehlenhoff created this task.Jul 7 2015, 10:44 AM
MoritzMuehlenhoff raised the priority of this task from to Needs Triage.
MoritzMuehlenhoff updated the task description. (Show Details)
MoritzMuehlenhoff added a project: acl*sre-team.
MoritzMuehlenhoff subscribed.
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptJul 7 2015, 10:44 AM
MoritzMuehlenhoff added a parent task: Restricted Task.Jul 7 2015, 11:09 AM
Krenair added a project: OfflineContentGenerator.Jul 7 2015, 2:29 PM
Krenair subscribed.
fgiunchedi triaged this task as Medium priority.Jul 20 2015, 2:28 PM
MoritzMuehlenhoff closed this task as Resolved.Jul 23 2015, 12:05 PM
MoritzMuehlenhoff claimed this task.

The ocg* hosts are already covered (it was initially overlooked, since base::firewall is included in the role definition)

fgiunchedi reopened this task as Open.Aug 25 2015, 10:00 AM
fgiunchedi subscribed.

reopening as we should be NOTRACKing connections made to port 8000 on the ocg service ip, at the moment there's been a lot of jobs enqueued to ocg and the connection track showed 80% full

tcp        0      0 10.2.2.31:8000          10.64.16.172:37360      TIME_WAIT   -               
tcp        0      0 10.2.2.31:8000          10.64.48.83:48120       TIME_WAIT   -               
tcp        0      0 10.2.2.31:8000          10.64.0.69:35383        TIME_WAIT   -               
tcp        0      0 10.2.2.31:8000          10.64.0.76:40360        TIME_WAIT   -
gerritbot subscribed.Aug 25 2015, 10:18 AM

Change 233684 had a related patch set uploaded (by Muehlenhoff):
Exempt ocg service from connection tracking

https://gerrit.wikimedia.org/r/233684

gerritbot added a project: Patch-For-Review.Aug 25 2015, 10:18 AM
gerritbot added a comment.Aug 25 2015, 10:33 AM

Change 233684 merged by Muehlenhoff:
Exempt ocg service from connection tracking

https://gerrit.wikimedia.org/r/233684

Muehlenhoff mentioned this in rOPUP046d146757ff: Exempt ocg service from connection tracking.Aug 25 2015, 10:33 AM
MoritzMuehlenhoff closed this task as Resolved.Aug 25 2015, 11:01 AM

Closing again.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL