
Ensure that there are no firewall rules in modules
Open, Low, Public

Description

Refactor remaining ferm rules to only apply ferm rules in roles, not in the modules itself.


  • acme_chief
  • aptly
  • base
  • phabricator
  • prometheus
  • rsync
  • scap
  • service
  • udp2log

Event Timeline

yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description.
yuvipanda added a project: acl*sre-team.
yuvipanda added a subscriber: yuvipanda.
Restricted Application added subscribers: Matanya, Aklapper. Sep 30 2015, 3:39 AM
yuvipanda set Security to Software security bug. Sep 30 2015, 3:39 AM
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Sep 30 2015, 3:39 AM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a project: acl*security.

https://gerrit.wikimedia.org/r/#/c/242434/ fixes my immediate issue but clearly needs a better implemented solution I think.

yuvipanda edited subscribers, added: MoritzMuehlenhoff; removed: Matanya. Sep 30 2015, 3:57 AM
Dzahn added a subscriber: Dzahn. Sep 30 2015, 2:57 PM

one of them was: T108987

apache/manifests/static_site.pp: ferm::service { "${servername_safe}_http":
archiva/manifests/proxy.pp: ferm::service { 'https':
archiva/manifests/proxy.pp: ferm::service { 'http':
contint/manifests/firewall.pp: ferm::service { 'gearman_from_zuul_mergers':
contint/manifests/firewall.pp: ferm::service { 'gearman_from_nodepool':
contint/manifests/firewall.pp: ferm::service { 'jenkins_zeromq_from_nodepool':
dataset/manifests/nfs.pp: ferm::service { 'nfs_rpc_mountd':
dataset/manifests/nfs.pp: ferm::service { 'nfs_rpc_statd':
dataset/manifests/nfs.pp: ferm::service { 'nfs_portmapper_udp':
dataset/manifests/nfs.pp: ferm::service { 'nfs_portmapper_tcp':
dynamicproxy/manifests/init.pp: ferm::service { 'proxymanager':
dynamicproxy/manifests/init.pp: ferm::service{ 'http':
dynamicproxy/manifests/init.pp: ferm::service{ 'https':
dynamicproxy/manifests/api.pp: ferm::service { 'dynamicproxy-api-http':
ferm/manifests/service.pp:# == Define ferm::service
ferm/manifests/service.pp:define ferm::service(
hhvm/manifests/admin.pp: ferm::service { 'hhvm_admin':
icinga/manifests/web.pp: ferm::service { 'icinga-https':
icinga/manifests/web.pp: ferm::service { 'icinga-http':
k8s/manifests/flannel.pp: ferm::service { 'flannel-vxlan':
ldap/manifests/server.pp: ferm::service { 'ldap-admin':
ldap/manifests/server.pp: ferm::service { 'ldap-replication':
mediawiki/manifests/jobrunner.pp: ferm::service { 'mediawiki-jobrunner':
memcached/manifests/init.pp: ferm::service {'memcached':
openstack/manifests/controller_firewall.pp: ferm::service { 'mysql_iron':
openstack/manifests/controller_firewall.pp: ferm::service { 'mysql_tendril':
redis/manifests/init.pp: ferm::service {'redis':
service/manifests/node.pp: ferm::service { $title:
statistics/manifests/rsyncd.pp: ferm::service { 'rsync':
toollabs/manifests/proxy.pp: ferm::service { 'redis-replication':
toollabs/manifests/proxy.pp: ferm::service { 'proxylistener-port':
tor/manifests/init.pp: ferm::service { 'tor_orport':
tor/manifests/init.pp: ferm::service { 'tor_dirport':
wdqs/manifests/gui.pp: ferm::service { 'wdqs_http':
wdqs/manifests/gui.pp: ferm::service { 'wdqs_https':

base/manifests/firewall.pp: ferm::rule { 'bastion-ssh':
base/manifests/firewall.pp: ferm::rule { 'monitoring-all':
contint/manifests/firewall.pp: ferm::rule { 'jenkins_localhost_only':
contint/manifests/firewall.pp: ferm::rule { 'zuul_localhost_only':
contint/manifests/firewall.pp: ferm::rule { 'git-daemon_internal':
contint/manifests/firewall.pp: ferm::rule { 'ytterbium_ssh':
contint/manifests/firewall.pp: ferm::rule { 'allow_http':
contint/manifests/firewall.pp: ferm::rule { 'allow_https':
contint/manifests/firewall/labs.pp: ferm::rule { 'gallium_ssh_to_slaves':
ferm/manifests/rule.pp:define ferm::rule(
ganglia/manifests/monitor/aggregator/instance.pp: ferm::rule { "aggregator-udp-${id}":
ganglia/manifests/monitor/aggregator/instance.pp: ferm::rule { "aggregator-tcp-${id}":
icinga/manifests/nsca/firewall.pp: ferm::rule { 'ncsa_allowed':
ldap/manifests/server.pp: ferm::rule { 'ldap_private_labs':
ldap/manifests/server.pp: ferm::rule { 'ldap_backend_private_labs':
nrpe/manifests/init.pp: ferm::rule { 'nrpe_5666':
openstack/manifests/controller_firewall.pp: ferm::rule { 'ssh_public':
openstack/manifests/controller_firewall.pp: ferm::rule { 'http_public':
openstack/manifests/controller_firewall.pp: ferm::rule { 'dns_public':
openstack/manifests/controller_firewall.pp: ferm::rule { 'redis_replication':
openstack/manifests/controller_firewall.pp: ferm::rule { 'openstack-services':
openstack/manifests/controller_firewall.pp: ferm::rule { 'openstack-services-horizon':
openstack/manifests/controller_firewall.pp: ferm::rule { 'keystone':
openstack/manifests/controller_firewall.pp: ferm::rule { 'mysql_nova':
openstack/manifests/controller_firewall.pp: ferm::rule { 'beam_nova':
openstack/manifests/controller_firewall.pp: ferm::rule { 'rabbit_for_designate':
openstack/manifests/controller_firewall.pp: ferm::rule { 'rabbit_for_nova_api':
openstack/manifests/controller_firewall.pp: ferm::rule { 'glance_api_nova':
openstack/manifests/controller_firewall.pp: ferm::rule { 'puppetmaster':
openstack/manifests/controller_firewall.pp: ferm::rule { 'salt':

csteipp triaged this task as High priority. Sep 30 2015, 11:44 PM
csteipp added a subscriber: csteipp.

Setting this high until we're sure there aren't any services that are accidentally exposed to the world. Then we can set to normal/low to actually move them out of modules.

@MoritzMuehlenhoff, do you see any of these that seem like the same situation Yuvi hit?

Memcached would be a disaster for any mediawikis.

I can access memcached from bastions, not sure if that's intended?

Ah I see no ferm rules in the role, so looks like that's intentional at least for now.

As said, the rules will be refactored into the roles over time, no services in prod are exposed by this (after all before ferm was enabled these hosts weren't firewalled at all).

I'll prepare a patch for the redis rule today or tomorrow.

The redis change has just been merged.

I have created https://gerrit.wikimedia.org/r/#/c/243651 and https://gerrit.wikimedia.org/r/#/c/243652 for memcached.

Yuvi, it would be great if you could double-check whether systems in labs need updated rules.

The memcached refactoring patches have been merged.

The other classes are not used in multiple places and will be cleaned up over time.

There's also a bit of technical debt around; e.g. the ldap server module doesn't use a role yet.

MoritzMuehlenhoff lowered the priority of this task from High to Low.
MoritzMuehlenhoff updated the task description.
Aklapper removed MoritzMuehlenhoff as the assignee of this task. Jun 19 2020, 4:29 PM

This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!

For tips on how to manage individual work in Phabricator (noisy notifications, lists of tasks, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the record, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)

Dzahn added a comment. Jun 19 2020, 4:54 PM

as of today:

acme_chief/manifests/server.pp:    ferm::service { 'acme-chief-api':
acme_chief/manifests/server.pp:    ferm::service { 'acme-chief-http-challenges':
acme_chief/manifests/server.pp:    ferm::service { 'acme-chief-ssh-rsync':
aptly/manifests/init.pp:    ferm::service { 'aptly':
base/manifests/firewall.pp:    ::ferm::service { 'ssh-from-cumin-masters':
codesearch/manifests/init.pp:    ferm::service { 'codesearch':
contint/manifests/firewall/labs.pp:    ferm::service { 'contint1001_ssh_to_slaves':
contint/manifests/firewall/labs.pp:    ferm::service { 'contint2001_ssh_to_slaves':
dumps/manifests/web/xmldumps.pp:    ferm::service { 'xmldumps_http':
dumps/manifests/web/xmldumps.pp:    ferm::service { 'xmldumps_https':
ferm/manifests/service.pp:# == Define ferm::service
ferm/manifests/service.pp:define ferm::service(
ferm/manifests/ipsec_allow.pp:    ferm::service { 'ferm-ipsec-ike':
icinga/manifests/web.pp:    ferm::service { 'icinga-https':
icinga/manifests/web.pp:    ferm::service { 'icinga-http':
phabricator/manifests/vcs.pp:        ferm::service {'ssh_public':
prometheus/manifests/blazegraph_exporter.pp:    ferm::service { "prometheus-blazegraph-exporter-${title}":
rsync/manifests/server/module.pp:      ferm::service { "rsyncd_access_${name}":
rsync/manifests/server/module.pp:          ferm::service { "rsyncd_access_${name}_tls":
rsync/manifests/server/module.pp:          ferm::service { "rsyncd_access_${name}_ipv6":
rsync/manifests/server/module.pp:              ferm::service { "rsyncd_access_${name}_ipv6_tls":
scap/manifests/ferm.pp:    ferm::service { 'deployment-ssh':
service/manifests/node.pp:    ferm::service { $title:
udp2log/manifests/instance.pp:    ferm::service { "udp2log_instance_${port}":
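The listings above come from a plain grep, which also picks up the ferm module's own `define ferm::service(` and comment lines as noise. The following is an added example (not code from this task or from the Wikimedia puppet repository) of a small check that scans a modules tree for `ferm::service` / `ferm::rule` declarations outside roles, skipping the ferm module itself and commented-out lines; it assumes roles live under a `role` module and runs here over constructed sample manifests.

```python
import re
from pathlib import PurePosixPath

# Matches the head of a ferm::service / ferm::rule resource declaration, e.g.
#   ferm::service { 'memcached':
#   ::ferm::service{ "rsyncd_access_${name}":
#   ferm::service { $title:
DECL_RE = re.compile(r"""(?:::)?ferm::(service|rule)\s*\{\s*(['"][^'"]*['"]|\$\w+)\s*:""")

# The ferm module only defines the types; its "define ferm::service(" lines are not rules.
# Roles are where firewall rules are supposed to live (assumption: roles under modules/role).
SKIP_MODULES = {"ferm", "role"}


def find_firewall_rules_in_modules(manifests):
    """manifests: dict of path relative to modules/ -> manifest text.
    Returns a sorted list of (path, line_no, kind, name) for every ferm rule
    declared inside a module rather than a role."""
    hits = []
    for path, text in manifests.items():
        module = PurePosixPath(path).parts[0]
        if module in SKIP_MODULES:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.strip().startswith("#"):   # commented-out rules are not live
                continue
            m = DECL_RE.search(line)
            if m:
                hits.append((path, lineno, m.group(1), m.group(2)))
    return sorted(hits)


def format_report(hits):
    """Render hits in the grep-like style used in this task."""
    return [f"{path}:{lineno}: ferm::{kind} {name}" for path, lineno, kind, name in hits]


# Constructed sample manifests mirroring the shapes seen in the listings above.
SAMPLE_MANIFESTS = {
    "memcached/manifests/init.pp": "class memcached {\n  ferm::service {'memcached':\n  }\n}\n",
    "role/manifests/memcached.pp": "class role::memcached {\n  ferm::service { 'memcached':\n  }\n}\n",
    "ferm/manifests/service.pp": "# == Define ferm::service\ndefine ferm::service(\n",
    "rsync/manifests/server/module.pp": '  ::ferm::service { "rsyncd_access_${name}":\n',
    "service/manifests/node.pp": "  ferm::service { $title:\n",
    "base/manifests/firewall.pp": "  # ferm::rule { 'old':\n  ferm::rule { 'bastion-ssh':\n",
}

if __name__ == "__main__":
    for line in format_report(find_firewall_rules_in_modules(SAMPLE_MANIFESTS)):
        print(line)
```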
Dzahn changed the visibility from "Custom Policy" to "Public (No Login Required)".
Dzahn changed the edit policy from "Custom Policy" to "All Users".
Dzahn updated the task description. Jun 25 2020, 8:25 PM

modules that still have a ferm::service as of today:

acme_chief
aptly
base
phabricator
prometheus
rsync
scap
service
udp2log

added check boxes