All existing ferm services without an explicit srange should be reviewed, whether they can be restricted further. Also, it's worth considering to make unrestricted access explicit with e.g. "srange => '$PUBLIC'" on the puppet level (the ferm config on the hosts would not be changed).
This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!
For tips how to manage individual work in Phabricator (noisy notifications, lists of task, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the records, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)