
Audit cloud-in4 ACL
Open, Low, Public

Description

Some policies in the cloud-in4 firewall filter (applied to traffic going from WMCS to prod) might now be outdated.

For example one says:

labsdb100[4567] are being decommed - T193264

And the mentioned task is now resolved.

If any exception can be removed it would help get clarity.

Event Timeline

ayounsi triaged this task as Low priority.Oct 8 2020, 8:52 AM
ayounsi created this task.

I can work on this!

hey @ayounsi the easiest for me would be if you can raise specific concerns / questions, one at a time, and I will go to my backend and check if it needs an update / is deprecated etc. Would that work for you?

aborrero moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.

I don't know what those flows are for so I can't raise anything specific.

But I noticed that some of the IPs listed in the ACL have been decommissioned (eg, 10.64.37.8 or 10.64.4.10 taken randomly in the list), so all the policies need to be audited to make sure the ACL only permits what's needed, for 2 reasons:
1/ having outdated policies means technical debt
2/ the IPs could be re-assigned to hosts we do NOT want CloudVPS VMs to access, which would be a security risk

The minimum is to make sure all of those IPs are assigned to the hosts they're supposed to, and remove them if decom/re-assigned.

Then ideally review if the remaining flows are still relevant.
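The IP-to-host verification step described in the comment above, as an added example that is not part of this task or of the homer repository: it parses `/* hostname */`-annotated address statements from a constructed Junos filter fragment and checks each one against a hypothetical inventory table standing in for DNS forward lookups, flagging hosts that no longer exist, hosts whose current address falls outside the listed prefix, and address statements missing their terminating `;`.

```python
import ipaddress
import re

# Constructed sample in the style of the cloud-in4 filter terms (not the live config).
SAMPLE_TERM = """\
                from {
                    destination-address {
                        /* labstore1003 */
                        10.64.4.10/32;
                        /* labstore1001, labstore1002 */
                        10.64.37.6/31;
                        /* nfs-tools-project.svc */
                        10.64.37.18/32
                    }
                }
"""

# Hypothetical stand-in for DNS / the host inventory; labstore1003 is deliberately absent.
INVENTORY = {
    "labstore1001": "10.64.37.6",
    "labstore1002": "10.64.37.7",
    "nfs-tools-project.svc": "10.64.37.18",
}

COMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")
ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})(;?)$")


def audit_addresses(config, inventory):
    """Return (prefix, host, problem) tuples for broken, stale or mismatched entries."""
    findings, pending = [], ()
    for raw in config.splitlines():
        line = raw.strip()
        comment = COMMENT_RE.fullmatch(line)
        if comment:  # remember the hostnames annotating the next address statement
            pending = tuple(h.strip() for h in comment.group(1).split(","))
            continue
        addr = ADDR_RE.match(line)
        if addr:
            prefix, semicolon = addr.groups()
            if not semicolon:
                findings.append((prefix, ",".join(pending), "missing ';' (Junos syntax error)"))
            net = ipaddress.ip_network(prefix, strict=False)
            for host in pending:
                ip = inventory.get(host)
                if ip is None:
                    findings.append((prefix, host, "host not in inventory: decommissioned?"))
                elif ipaddress.ip_address(ip) not in net:
                    findings.append((prefix, host, f"host now at {ip}, outside this prefix"))
        pending = ()  # any other line ends the annotation
    return findings
```

Feeding it the real template and a dict built from forward lookups gives the list of entries to remove or relabel before the remaining flows are reviewed.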

Attached patch with my first pass.

Also, copy/pasted here for easier review:

diff --git a/templates/cr/firewall.conf b/templates/cr/firewall.conf
index 96e7d5d..f52ba7d 100644
--- a/templates/cr/firewall.conf
+++ b/templates/cr/firewall.conf
@@ -1233,25 +1233,6 @@ family inet {
             }
             then accept;
         }
-        term labs_mysql {
-            from {
-                source-address {
-                    /* labs-hosts1-b-eqiad */
-                    10.64.20.0/24;
-                }
-                destination-address {
-                    /* db1009 */
-                    10.64.0.13/32;
-                    /* db1073 */
-                    10.64.16.79/32;
-                    /* db2037 */
-                    10.192.32.8/32;
-                }
-                protocol tcp;
-                destination-port 3306;
-            }
-            then accept;
-        }
         /* T261489 */
         term debmonitor {
             from {
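Review bot: this hunk sits at line 1233, before `filter cloud-in4 {` (which only begins in the hunk around line 1400), so `term labs_mysql` belongs to a different filter than the one this task audits; the commit message for this removal should name that filter and record that db1009 (10.64.0.13), db1073 (10.64.16.79) and db2037 (10.192.32.8) no longer need tcp/3306 from labs-hosts1-b-eqiad (10.64.20.0/24), since dropping the term silently hands that traffic to whatever the filter's final term does.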
@@ -1392,12 +1373,12 @@ family inet {
             }
             then accept;
         }
-        term labmon {
+        term cloudmetrics {
             from {
                 destination-address {
                     /* cloudmetrics1002 */
                     10.64.4.15/32;
-                    /* labmon1001 */
+                    /* cloudmetrics1001 */
                     10.64.37.13/32;
                 }
                 protocol [ tcp udp ];
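Review bot: the comment changes from `labmon1001` to `cloudmetrics1001` while the address 10.64.37.13/32 is unchanged, so this hunk only re-labels; the task's stated minimum is to verify that each listed IP is still assigned to the host it names, so the commit message should state that 10.64.37.13 was confirmed to be cloudmetrics1001 (and 10.64.4.15 cloudmetrics1002), not merely renamed.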
@@ -1419,16 +1400,20 @@ family inet {
     }
     {% endif %}
     {% if metadata['site'] == "eqiad" or metadata['site'] == "codfw"  %}
-    /* Applied to cloud instance traffic going out of the cloud-instance-transport vlan. Last audit in T199435 and T211921. */
+    /* Applied to cloud instance traffic going out of the cloud-instance-transport vlan. Last audit in T264993 */
     filter cloud-in4 {
         interface-specific;
         term allow-icmp {
             from {
                 source-address {
-                    /* cloud-instance-transport1-b-codfw */
-                    208.80.153.184/29;
+                    /* cloud-instance-transport1-b-codfw (in use) */
+                    208.80.153.184/29
+                    /* cloud-instance-transport1-b-codfw (next) */
+                    185.15.57.16/29;
+                    /* cloud-gw-transport-codfw */
+                    185.15.57.8/30;
                     /* cloud-instance-transport1-b-eqiad */
-                    208.80.155.88/29;
+                    185.15.56.240/29;
                 }
                 protocol icmp;
             }
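Review bot: the added line `208.80.153.184/29` has lost its terminating semicolon (the removed line had one), which Junos will reject at commit time; separately, codfw keeps both the "(in use)" 208.80.153.184/29 and the "(next)" 185.15.57.16/29 range while eqiad's 208.80.155.88/29 is dropped outright in favour of 185.15.56.240/29, so confirm that the eqiad transport vlan has fully moved, otherwise ICMP from the old eqiad range stops matching this term.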
@@ -1446,14 +1431,6 @@ family inet {
         term labstore {
             from {
                 destination-address {
-                    /* labstore1003 */
-                    10.64.4.10/32;
-                    /* labstore1001, labstore1002 */
-                    10.64.37.6/31;
-                    /* labstore.svc */
-                    10.64.37.10/32;
-                    /* nfs-scratch.svc, nfs-tools-home */
-                    10.64.37.16/31;
                     /* nfs-tools-project.svc */
                     10.64.37.18/32;
                 }
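Review bot: only 10.64.4.10 (labstore1003) was named in this task as decommissioned; the other removed entries (10.64.37.6/31, 10.64.37.10/32, 10.64.37.16/31) are not mentioned anywhere here, so the commit message should list how each was verified as gone or reassigned, which is the audit trail the task asks for.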
@@ -1463,54 +1440,21 @@ family inet {
             then accept;
         }
         /*
-         ** labsdb100[4567] are being decommed - T193264
-         */
-        term labsdb {
-            from {
-                destination-address {
-                    /* labsdb1004, labsdb1005 */
-                    10.64.37.8/31;
-                    /* labsdb1006 */
-                    10.64.37.11/32;
-                    /* labsdb1007 */
-                    10.64.37.12/32;
-                    /* dbproxy1010, dbproxy1011 */
-                    10.64.37.14/31;
-                    10.64.37.28/32;
-                    10.64.37.27/32;
-                }
-                protocol tcp;
-                destination-port [ 22 873 3306 5432 ];
-            }
-            then accept;
-        }
-        /*
-         ** T216353
+         ** wiki-replicas mysql connection
          */
-        term clouddb_return {
+        term wiki-replicas {
             from {
                 destination-address {
-                    /* labsdb1004, labsdb1005 */
-                    10.64.37.8/31;
-                    /* labsdb1006 */
-                    10.64.37.11/32;
-                    /* labsdb1007 */
-                    10.64.37.12/32;
-                    /* dbproxy1010, dbproxy1011 */
-                    10.64.37.14/31;
-                    /* nfs-tools-project.svc, labstore1004 */
-                    10.64.37.18/31;
-                    /* labstore1005 */
-                    10.64.37.20/32;
+                    /* dbproxy1018, dbproxy1019 */
                     10.64.37.28/32;
                     10.64.37.27/32;
                 }
                 protocol tcp;
-                source-port 3306;
+                destination-port 3306;
             }
             then accept;
         }
-        term labmon--http {
+        term cloudmetrics-http {
             from {
                 destination-address {
                     /* cloudmetrics1002 */
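Review bot: changing `source-port 3306;` to `destination-port 3306;` inverts what the term matches: `clouddb_return` accepted packets coming from port 3306, whereas the new `wiki-replicas` term accepts connections going to port 3306, and the T216353 reference that documented the old term is deleted with it; at the same time the removed `labsdb` term allowed `[ 22 873 3306 5432 ]` to the dbproxies and 10.64.37.14/31 (dbproxy1010, dbproxy1011) disappears, so after this hunk only tcp/3306 to 10.64.37.27 and 10.64.37.28 survives. If that narrowing is intended, say so explicitly in the commit message ("refresh DB references" does not convey it) and keep the task reference in the comment.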
@@ -1523,12 +1467,12 @@ family inet {
             }
             then accept;
         }
-        term labmon--statsd {
+        term cloudmetrics-statsd {
             from {
                 destination-address {
                     /* cloudmetrics1002 */
                     10.64.4.15/32;
-                    /* labmon1001 */
+                    /* cloudmetrics1001 */
                     10.64.37.13/32;
                 }
                 protocol udp;
@@ -1536,12 +1480,12 @@ family inet {
             }
             then accept;
         }
-        term labmon--graphite {
+        term clouodmetrics-graphite {
             from {
                 destination-address {
                     /* cloudmetrics1002 */
                     10.64.4.15/32;
-                    /* labmon1001 */
+                    /* cloudmetrics1001 */
                     10.64.37.13/32;
                 }
                 protocol [ tcp udp ];
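Review bot: `clouodmetrics-graphite` is misspelled (extra `o`); the sibling terms in the preceding hunks are `cloudmetrics-http` and `cloudmetrics-statsd`, so this should be `cloudmetrics-graphite`.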
@@ -1562,17 +1506,6 @@ family inet {
             }
             then accept;
         }
-        term labnet-nova-api {
-            from {
-                destination-address {
-                    /* labnet1001 */
-                    10.64.20.13/32;
-                }
-                protocol tcp;
-                destination-port 8774;
-            }
-            then accept;
-        }
         /*
          ** Deny any communication with private subnets
          */
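Review bot: removing `labnet-nova-api` drops the only accept shown for 10.64.20.13 (labnet1001) tcp/8774, and the term that follows denies any communication with private subnets, so nova-api traffic from instances to that address will be denied after this hunk; confirm that labnet1001 is gone and that the current nova-api endpoint is either outside the private ranges or covered by another term before merging.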

I deleted a bunch of stuff that doesn't exist. Also, renamed a few things, and cleaned up others. Please @Bstorm and @Andrew double check.

Also, in that same file @ayounsi there is a labs-in4, can you clarify where that is being used?

Thanks!

labs-in4 is applied to traffic exiting the cloud-hosts1-eqiad vlan (entering the router interface). Reviewing it might be useful as well indeed.

Change 641946 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: refresh cloudmetrics references

https://gerrit.wikimedia.org/r/641946

Change 641947 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: refresh transport network references

https://gerrit.wikimedia.org/r/641947

Change 641948 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: refresh labstore references

https://gerrit.wikimedia.org/r/641948

Change 641949 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: refresh DB references

https://gerrit.wikimedia.org/r/641949

Change 641950 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: drop labnet ACL

https://gerrit.wikimedia.org/r/641950

Change 641954 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: add missing private range CIDR

https://gerrit.wikimedia.org/r/641954

Change 641960 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: drop useless network ACL

https://gerrit.wikimedia.org/r/641960

Change 641954 merged by jenkins-bot:
[operations/homer/public@master] cr/firewall.conf: add missing private range CIDR

https://gerrit.wikimedia.org/r/641954

Change 641946 merged by jenkins-bot:
[operations/homer/public@master] cr/firewall.conf: refresh cloudmetrics references

https://gerrit.wikimedia.org/r/641946

Change 641947 merged by jenkins-bot:
[operations/homer/public@master] cr/firewall.conf: refresh transport network references

https://gerrit.wikimedia.org/r/641947

Change 641948 merged by jenkins-bot:
[operations/homer/public@master] cr/firewall.conf: refresh labstore references

https://gerrit.wikimedia.org/r/641948

Mentioned in SAL (#wikimedia-operations) [2020-11-19T13:45:51Z] <XioNoX> push current state of audited cloud-in4 filter - T264993

Change 641960 merged by jenkins-bot:
[operations/homer/public@master] cr/firewall.conf: drop useless network ACL

https://gerrit.wikimedia.org/r/641960

Change 641950 merged by Ayounsi:
[operations/homer/public@master] cr/firewall.conf: drop labnet ACL

https://gerrit.wikimedia.org/r/641950

Change 641949 merged by jenkins-bot:
[operations/homer/public@master] cr/firewall.conf: refresh DB references

https://gerrit.wikimedia.org/r/641949