
Ensure that there are no firewall rules in modules
Open, Low, Public

Description

Refactor remaining ferm rules to only apply ferm rules in profiles, not in the modules itself.

Remainders:

acme_chief/manifests/server.pp: ferm::service { 'acme-chief-api':
acme_chief/manifests/server.pp: ferm::service { 'acme-chief-http-challenges':
acme_chief/manifests/server.pp: ferm::service { 'acme-chief-ssh-rsync':
airflow/manifests/instance.pp: ferm::service { "airflow-webserver@${title}":
aptly/manifests/init.pp: ferm::service { 'aptly':
base/manifests/firewall.pp: ferm::service { 'ssh-from-cumin-masters':
ganeti/manifests/prometheus.pp: ferm::service {'ganeti-prometheus-exporter':
openstack/manifests/haproxy/site.pp: ferm::service { "${title}_haproxy_backend":
openstack/manifests/haproxy/site.pp: ferm::service { "${title}_public_${index}":
openstack/manifests/haproxy/site.pp: ferm::service { "${title}_internal_${index}":
pontoon/manifests/lb.pp: ferm::service { 'pontoon-lb-dns':
role/manifests/analytics_test_cluster/coordinator.pp: ferm::service{ 'jupyterhub_hub':
role/manifests/puppetmaster/standalone.pp: ferm::service { 'puppetmaster-standalone':
role/manifests/bastionhost.pp: ferm::service { 'ssh':
role/manifests/logging/mediawiki/udp2log.pp: ferm::service { 'xenon_redis':
service/manifests/node.pp: ferm::service { $title:
udp2log/manifests/instance.pp: ferm::service { "udp2log_instance_${port}":

These are fine:
rsync/manifests/server/module.pp: ferm::service { "rsyncd_access_${name}":
rsync/manifests/server/module.pp: ferm::service { "rsyncd_access_${name}_tls":
rsync/manifests/server/module.pp: ferm::service { "rsyncd_access_${name}_ipv6":
rsync/manifests/server/module.pp: ferm::service { "rsyncd_access_${name}_ipv6_tls":
scap/manifests/ferm.pp: ferm::service { 'deployment-ssh':
role/manifests/mariadb/ferm.pp: ferm::service{ 'mariadb_internal':
role/manifests/mariadb/ferm.pp: ferm::service{ 'orchestrator':
ferm/manifests/ipsec_allow.pp: ferm::service { 'ferm-ipsec-ike':
ferm/manifests/service.pp:# == Define ferm::service
ferm/manifests/service.pp:define ferm::service(

Event Timeline

yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description. (Show Details)
yuvipanda added a project: acl*sre-team.
yuvipanda subscribed.
yuvipanda set Security to Software security bug. Sep 30 2015, 3:39 AM
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Sep 30 2015, 3:39 AM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a project: acl*security.

https://gerrit.wikimedia.org/r/#/c/242434/ fixes my immediate issue but clearly needs a better implemented solution I think.

one of them was: T108987

apache/manifests/static_site.pp: ferm::service { "${servername_safe}_http":
archiva/manifests/proxy.pp: ferm::service { 'https':
archiva/manifests/proxy.pp: ferm::service { 'http':
contint/manifests/firewall.pp: ferm::service { 'gearman_from_zuul_mergers':
contint/manifests/firewall.pp: ferm::service { 'gearman_from_nodepool':
contint/manifests/firewall.pp: ferm::service { 'jenkins_zeromq_from_nodepool':
dataset/manifests/nfs.pp: ferm::service { 'nfs_rpc_mountd':
dataset/manifests/nfs.pp: ferm::service { 'nfs_rpc_statd':
dataset/manifests/nfs.pp: ferm::service { 'nfs_portmapper_udp':
dataset/manifests/nfs.pp: ferm::service { 'nfs_portmapper_tcp':
dynamicproxy/manifests/init.pp: ferm::service { 'proxymanager':
dynamicproxy/manifests/init.pp: ferm::service{ 'http':
dynamicproxy/manifests/init.pp: ferm::service{ 'https':
dynamicproxy/manifests/api.pp: ferm::service { 'dynamicproxy-api-http':
ferm/manifests/service.pp:# == Define ferm::service
ferm/manifests/service.pp:define ferm::service(
hhvm/manifests/admin.pp: ferm::service { 'hhvm_admin':
icinga/manifests/web.pp: ferm::service { 'icinga-https':
icinga/manifests/web.pp: ferm::service { 'icinga-http':
k8s/manifests/flannel.pp: ferm::service { 'flannel-vxlan':
ldap/manifests/server.pp: ferm::service { 'ldap-admin':
ldap/manifests/server.pp: ferm::service { 'ldap-replication':
mediawiki/manifests/jobrunner.pp: ferm::service { 'mediawiki-jobrunner':
memcached/manifests/init.pp: ferm::service {'memcached':
openstack/manifests/controller_firewall.pp: ferm::service { 'mysql_iron':
openstack/manifests/controller_firewall.pp: ferm::service { 'mysql_tendril':
redis/manifests/init.pp: ferm::service {'redis':
service/manifests/node.pp: ferm::service { $title:
statistics/manifests/rsyncd.pp: ferm::service { 'rsync':
toollabs/manifests/proxy.pp: ferm::service { 'redis-replication':
toollabs/manifests/proxy.pp: ferm::service { 'proxylistener-port':
tor/manifests/init.pp: ferm::service { 'tor_orport':
tor/manifests/init.pp: ferm::service { 'tor_dirport':
wdqs/manifests/gui.pp: ferm::service { 'wdqs_http':
wdqs/manifests/gui.pp: ferm::service { 'wdqs_https':

base/manifests/firewall.pp: ferm::rule { 'bastion-ssh':
base/manifests/firewall.pp: ferm::rule { 'monitoring-all':
contint/manifests/firewall.pp: ferm::rule { 'jenkins_localhost_only':
contint/manifests/firewall.pp: ferm::rule { 'zuul_localhost_only':
contint/manifests/firewall.pp: ferm::rule { 'git-daemon_internal':
contint/manifests/firewall.pp: ferm::rule { 'ytterbium_ssh':
contint/manifests/firewall.pp: ferm::rule { 'allow_http':
contint/manifests/firewall.pp: ferm::rule { 'allow_https':
contint/manifests/firewall/labs.pp: ferm::rule { 'gallium_ssh_to_slaves':
ferm/manifests/rule.pp:define ferm::rule(
ganglia/manifests/monitor/aggregator/instance.pp: ferm::rule { "aggregator-udp-${id}":
ganglia/manifests/monitor/aggregator/instance.pp: ferm::rule { "aggregator-tcp-${id}":
icinga/manifests/nsca/firewall.pp: ferm::rule { 'ncsa_allowed':
ldap/manifests/server.pp: ferm::rule { 'ldap_private_labs':
ldap/manifests/server.pp: ferm::rule { 'ldap_backend_private_labs':
nrpe/manifests/init.pp: ferm::rule { 'nrpe_5666':
openstack/manifests/controller_firewall.pp: ferm::rule { 'ssh_public':
openstack/manifests/controller_firewall.pp: ferm::rule { 'http_public':
openstack/manifests/controller_firewall.pp: ferm::rule { 'dns_public':
openstack/manifests/controller_firewall.pp: ferm::rule { 'redis_replication':
openstack/manifests/controller_firewall.pp: ferm::rule { 'openstack-services':
openstack/manifests/controller_firewall.pp: ferm::rule { 'openstack-services-horizon':
openstack/manifests/controller_firewall.pp: ferm::rule { 'keystone':
openstack/manifests/controller_firewall.pp: ferm::rule { 'mysql_nova':
openstack/manifests/controller_firewall.pp: ferm::rule { 'beam_nova':
openstack/manifests/controller_firewall.pp: ferm::rule { 'rabbit_for_designate':
openstack/manifests/controller_firewall.pp: ferm::rule { 'rabbit_for_nova_api':
openstack/manifests/controller_firewall.pp: ferm::rule { 'glance_api_nova':
openstack/manifests/controller_firewall.pp: ferm::rule { 'puppetmaster':
openstack/manifests/controller_firewall.pp: ferm::rule { 'salt':

csteipp subscribed.

Setting this high until we're sure there aren't any services that are accidentally exposed to the world. Then we can set to normal/low to actually move them out of modules.

@MoritzMuehlenhoff, do you see any of these that seem like the same situation Yuvi hit?

Memcached would be a disaster for any mediawikis.

I can access memcached from bastions, not sure if that's intended?

Ah I see no ferm rules in the role, so looks like that's intentional at least for now.

As said, the rules will be refactored into the roles over time, no services in prod are exposed by this (after all before ferm was enabled these hosts weren't firewalled at all).

I'll prepare a patch for the redis rule today or tomorrow.

The redis change has just been merged.

I have created https://gerrit.wikimedia.org/r/#/c/243651 and https://gerrit.wikimedia.org/r/#/c/243652 for memcached.

Yuvi, it would be great if you could double-check whether systems in labs need updated rules.

The memcached refactoring patches have been merged.

The other classes are not used in multiple places and will be cleaned up over time.

There's also a bit of technical debt around; e.g. the ldap server module doesn't use a role yet.

MoritzMuehlenhoff lowered the priority of this task from High to Low.
MoritzMuehlenhoff updated the task description. (Show Details)

This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!

For tips how to manage individual work in Phabricator (noisy notifications, lists of task, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the records, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)

as of today:

acme_chief/manifests/server.pp:    ferm::service { 'acme-chief-api':
acme_chief/manifests/server.pp:    ferm::service { 'acme-chief-http-challenges':
acme_chief/manifests/server.pp:    ferm::service { 'acme-chief-ssh-rsync':
aptly/manifests/init.pp:    ferm::service { 'aptly':
base/manifests/firewall.pp:    ::ferm::service { 'ssh-from-cumin-masters':
codesearch/manifests/init.pp:    ferm::service { 'codesearch':
contint/manifests/firewall/labs.pp:    ferm::service { 'contint1001_ssh_to_slaves':
contint/manifests/firewall/labs.pp:    ferm::service { 'contint2001_ssh_to_slaves':
dumps/manifests/web/xmldumps.pp:    ferm::service { 'xmldumps_http':
dumps/manifests/web/xmldumps.pp:    ferm::service { 'xmldumps_https':
ferm/manifests/service.pp:# == Define ferm::service
ferm/manifests/service.pp:define ferm::service(
ferm/manifests/ipsec_allow.pp:    ferm::service { 'ferm-ipsec-ike':
icinga/manifests/web.pp:    ferm::service { 'icinga-https':
icinga/manifests/web.pp:    ferm::service { 'icinga-http':
phabricator/manifests/vcs.pp:        ferm::service {'ssh_public':
prometheus/manifests/blazegraph_exporter.pp:    ferm::service { "prometheus-blazegraph-exporter-${title}":
rsync/manifests/server/module.pp:      ferm::service { "rsyncd_access_${name}":
rsync/manifests/server/module.pp:          ferm::service { "rsyncd_access_${name}_tls":
rsync/manifests/server/module.pp:          ferm::service { "rsyncd_access_${name}_ipv6":
rsync/manifests/server/module.pp:              ferm::service { "rsyncd_access_${name}_ipv6_tls":
scap/manifests/ferm.pp:    ferm::service { 'deployment-ssh':
service/manifests/node.pp:    ferm::service { $title:
udp2log/manifests/instance.pp:    ferm::service { "udp2log_instance_${port}":
Dzahn changed the visibility from "Custom Policy" to "Public (No Login Required)".
Dzahn changed the edit policy from "Custom Policy" to "All Users".

modules that still have a ferm::service as of today:

acme_chief
aptly
base
phabricator
prometheus
rsync
scap
service
udp2log

added check boxes

I would feel responsible for the "phabricator" one here but I am not doing that because we have T296022 anyways. And if that happens we will remove the entire code section that this is in while otherwise we'd have to do quite some refactoring.

Change 751510 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] phabricator: move vcs firewall rules to profile

https://gerrit.wikimedia.org/r/751510

Change 751510 merged by Dzahn:

[operations/puppet@production] phabricator: move vcs firewall rules to profile

https://gerrit.wikimedia.org/r/751510

Change 753555 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] phabricator: fix ferm rules for VCS, git-ssh

https://gerrit.wikimedia.org/r/753555

Change 753555 merged by Dzahn:

[operations/puppet@production] phabricator: fix ferm rules for VCS, git-ssh

https://gerrit.wikimedia.org/r/753555

phabricator done anyway

status nowadays:

~/puppet/modules$ grep -r ferm::service * | grep -v profile

acme_chief/manifests/server.pp:    ferm::service { 'acme-chief-api':
acme_chief/manifests/server.pp:    ferm::service { 'acme-chief-http-challenges':
acme_chief/manifests/server.pp:    ferm::service { 'acme-chief-ssh-rsync':
airflow/manifests/instance.pp:    ferm::service { "airflow-webserver@${title}":
aptly/manifests/init.pp:    ferm::service { 'aptly':
base/manifests/firewall.pp:    ferm::service { 'ssh-from-cumin-masters':
ferm/manifests/ipsec_allow.pp:    ferm::service { 'ferm-ipsec-ike':
ferm/manifests/service.pp:# == Define ferm::service
ferm/manifests/service.pp:define ferm::service(
ganeti/manifests/prometheus.pp:    ferm::service {'ganeti-prometheus-exporter':
openstack/manifests/haproxy/site.pp:        ferm::service { "${title}_haproxy_backend":
openstack/manifests/haproxy/site.pp:            ferm::service { "${title}_public_${index}":
openstack/manifests/haproxy/site.pp:            ferm::service { "${title}_internal_${index}":
pontoon/manifests/lb.pp:    ferm::service { 'pontoon-lb-dns':
role/manifests/analytics_test_cluster/coordinator.pp:    ferm::service{ 'jupyterhub_hub':
role/manifests/puppetmaster/standalone.pp:    ferm::service { 'puppetmaster-standalone':
role/manifests/bastionhost.pp:    ferm::service { 'ssh':
role/manifests/mariadb/ferm.pp:    ferm::service{ 'mariadb_internal':
role/manifests/mariadb/ferm.pp:    ferm::service{ 'orchestrator':
role/manifests/logging/mediawiki/udp2log.pp:    ferm::service { 'xenon_redis':
rsync/manifests/server/module.pp:      ferm::service { "rsyncd_access_${name}":
rsync/manifests/server/module.pp:          ferm::service { "rsyncd_access_${name}_tls":
rsync/manifests/server/module.pp:          ferm::service { "rsyncd_access_${name}_ipv6":
rsync/manifests/server/module.pp:              ferm::service { "rsyncd_access_${name}_ipv6_tls":
scap/manifests/ferm.pp:    ferm::service { 'deployment-ssh':
service/manifests/node.pp:    ferm::service { $title:
udp2log/manifests/instance.pp:    ferm::service { "udp2log_instance_${port}":

Let's still fix those
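The `grep -r ferm::service | grep -v profile` check above also matches the `define ferm::service(` line and its doc comment in the ferm module itself, which are not rules to move. The script below is an added example (not tooling from the task or from operations/puppet) that walks a modules tree, reports `ferm::service`/`ferm::rule` declarations outside `profile`, skips the `ferm` module's own defines, and also lists the offending module names as in the "modules that still have a ferm::service" comment. The sample tree it builds is constructed inline for illustration; `allowed` is an assumed parameter name.

```python
import os
import re
import tempfile

# A resource declaration such as `ferm::service { 'name':` or `::ferm::rule {`,
# but not `define ferm::service(` nor a `# == Define ferm::service` comment.
DECL_RE = re.compile(r"^\s*(?:::)?ferm::(service|rule)\s*\{")


def find_module_firewall_rules(modules_dir, allowed=("profile",)):
    """Return sorted (module, relative_path, lineno, line) tuples for every
    ferm declaration in a module outside `allowed`; the ferm module itself
    is skipped because it only defines the resource types."""
    hits = []
    for root, _dirs, files in os.walk(modules_dir):
        for fname in files:
            if not fname.endswith(".pp"):
                continue
            path = os.path.join(root, fname)
            rel = os.path.relpath(path, modules_dir)
            module = rel.split(os.sep)[0]
            if module in allowed or module == "ferm":
                continue
            with open(path, encoding="utf-8") as fh:
                for lineno, line in enumerate(fh, 1):
                    if DECL_RE.match(line):
                        hits.append((module, rel, lineno, line.strip()))
    return sorted(hits)


def modules_with_rules(hits):
    """Module names that still carry firewall rules, one entry per module."""
    return sorted({h[0] for h in hits})


def build_sample_tree():
    """Constructed sample: two offending modules (one using the `::ferm::`
    prefix), a compliant profile, and the ferm module's own define."""
    base = tempfile.mkdtemp()
    files = {
        "aptly/manifests/init.pp": "class aptly {\n    ferm::service { 'aptly':\n        proto => 'tcp',\n        port  => 80,\n    }\n}\n",
        "base/manifests/firewall.pp": "class base::firewall {\n    ::ferm::service { 'ssh-from-cumin-masters':\n        proto => 'tcp',\n        port  => 22,\n    }\n}\n",
        "profile/manifests/aptly.pp": "class profile::aptly {\n    ferm::service { 'aptly':\n        proto => 'tcp',\n        port  => 80,\n    }\n}\n",
        "ferm/manifests/service.pp": "# == Define ferm::service\ndefine ferm::service(\n    $proto,\n    $port,\n) {\n}\n",
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for module, rel, lineno, line in find_module_firewall_rules(build_sample_tree()):
        print(f"{rel}:{lineno}: {line}")
```

Run it against a real checkout by passing `modules/` to `find_module_firewall_rules` instead of the sample tree.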

Change 862378 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] scap: move firewall rules out of the module

https://gerrit.wikimedia.org/r/862378

Change 862378 abandoned by Dzahn:

[operations/puppet@production] scap: move firewall rules out of the module

Reason:

per inline comments, this use case is ok, it's already a separate class just for ferm rules

https://gerrit.wikimedia.org/r/862378

Change 887363 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] Revert "contint: remove obsolete firewall rules from labs"

https://gerrit.wikimedia.org/r/887363

Change 887363 merged by Dzahn:

[operations/puppet@production] Revert "contint: remove obsolete firewall rules from labs"

https://gerrit.wikimedia.org/r/887363