Description
Details
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | aborrero | T264993 Audit cloud-in4 ACL
Resolved | | EBernhardson | T268145 cloud: clarify if relforge is still used from within CloudVPS
Event Timeline
hey @ayounsi the easiest for me would be if you can raise specific concerns / questions, one at a time, and I will go to my backend and check if it needs an update / is deprecated, etc. Would that work for you?
I don't know what those flows are for so I can't raise anything specific.
But I noticed that some of the IPs listed in the ACL have been decommissioned (e.g. 10.64.37.8 or 10.64.4.10, taken at random from the list), so all the policies need to be audited to make sure the ACL only permits what's needed, for 2 reasons:
1/ having outdated policies means technical debt
2/ the IPs could be re-assigned to hosts we do NOT want CloudVPS VMs to access, which would be a security risk
The minimum is to make sure all of those IPs are assigned to the hosts they're supposed to, and remove them if decom/re-assigned.
Then ideally review if the remaining flows are still relevant.
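The audit described above, as an added example that is not part of the task or of the homer repository: it parses the `/* host */ address;` entries of a filter term and checks each address against an inventory, flagging addresses that are decommissioned (absent from the inventory), re-assigned to a host the comment does not name, or missing their `;` terminator. The filter snippet, hostnames, addresses and the inventory dict are constructed for the example; a real run would consult DNS or Netbox instead of the inline dict.

```python
import re
# Constructed excerpt in the style of the cr/firewall.conf terms under review
# (hypothetical hosts and addresses, not the production file).
FILTER_SNIPPET = """
term labstore {
    from {
        destination-address {
            /* labstore1003 */
            10.64.4.10/32;
            /* labstore1004, labstore1005 */
            10.64.37.18/32;
            10.64.37.20/32
        }
    }
    then accept;
}
"""
# Constructed inventory standing in for DNS/Netbox (IP -> host it is currently
# assigned to); 10.64.4.10 is deliberately absent, i.e. decommissioned.
INVENTORY = {"10.64.37.18": "labstore1004", "10.64.37.20": "clouddb1021"}

TERM_RE = re.compile(r"^term\s+(\S+)\s*\{$")
COMMENT_RE = re.compile(r"^/\*\s*(.*?)\s*\*/$")
ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/\d{1,2}(;?)$")

def parse_addresses(text):
    """Return (term, expected_hosts, ip, has_semicolon) for every address line;
    the most recent /* comment */ names the host(s) the addresses belong to."""
    entries, term, expected = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := TERM_RE.match(line):
            term, expected = m.group(1), ""
        elif m := COMMENT_RE.match(line):
            expected = m.group(1)
        elif m := ADDR_RE.match(line):
            entries.append((term, expected, m.group(1), m.group(2) == ";"))
    return entries

def audit(entries, inventory):
    """Flag addresses that are unassigned (decommissioned), now belong to a host
    the comment does not name, or lack the ';' terminator Junos requires."""
    findings = []
    for term, expected, ip, terminated in entries:
        names = {n.strip() for n in expected.split(",")}
        actual = inventory.get(ip)
        if not terminated:
            findings.append((term, ip, "missing ';' (commit would fail)"))
        if actual is None:
            findings.append((term, ip, "unassigned or decommissioned: remove"))
        elif actual not in names:
            findings.append((term, ip, f"now {actual}, comment says {expected}"))
    return findings
```

Every finding names the term and address, so the output maps directly onto the lines that need to be dropped or re-labelled in the filter.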
Attached patch with my first pass.
Also, copy/pasted here for easier review:
diff --git a/templates/cr/firewall.conf b/templates/cr/firewall.conf index 96e7d5d..f52ba7d 100644 --- a/templates/cr/firewall.conf +++ b/templates/cr/firewall.conf @@ -1233,25 +1233,6 @@ family inet { } then accept; } - term labs_mysql { - from { - source-address { - /* labs-hosts1-b-eqiad */ - 10.64.20.0/24; - } - destination-address { - /* db1009 */ - 10.64.0.13/32; - /* db1073 */ - 10.64.16.79/32; - /* db2037 */ - 10.192.32.8/32; - } - protocol tcp; - destination-port 3306; - } - then accept; - } /* T261489 */ term debmonitor { from { @@ -1392,12 +1373,12 @@ family inet { } then accept; } - term labmon { + term cloudmetrics { from { destination-address { /* cloudmetrics1002 */ 10.64.4.15/32; - /* labmon1001 */ + /* cloudmetrics1001 */ 10.64.37.13/32; } protocol [ tcp udp ]; @@ -1419,16 +1400,20 @@ family inet { } {% endif %} {% if metadata['site'] == "eqiad" or metadata['site'] == "codfw" %} - /* Applied to cloud instance traffic going out of the cloud-instance-transport vlan. Last audit in T199435 and T211921. */ + /* Applied to cloud instance traffic going out of the cloud-instance-transport vlan. Last audit in T264993 */ filter cloud-in4 { interface-specific; term allow-icmp { from { source-address { - /* cloud-instance-transport1-b-codfw */ - 208.80.153.184/29; + /* cloud-instance-transport1-b-codfw (in use) */ + 208.80.153.184/29 + /* cloud-instance-transport1-b-codfw (next) */ + 185.15.57.16/29; + /* cloud-gw-transport-codfw */ + 185.15.57.8/30; /* cloud-instance-transport1-b-eqiad */ - 208.80.155.88/29; + 185.15.56.240/29; } protocol icmp; } @@ -1446,14 +1431,6 @@ family inet { term labstore { from { destination-address { - /* labstore1003 */ - 10.64.4.10/32; - /* labstore1001, labstore1002 */ - 10.64.37.6/31; - /* labstore.svc */ - 10.64.37.10/32; - /* nfs-scratch.svc, nfs-tools-home */ - 10.64.37.16/31; /* nfs-tools-project.svc */ 10.64.37.18/32; } 
@@ -1463,54 +1440,21 @@ family inet { then accept; } /* - ** labsdb100[4567] are being decommed - T193264 - */ - term labsdb { - from { - destination-address { - /* labsdb1004, labsdb1005 */ - 10.64.37.8/31; - /* labsdb1006 */ - 10.64.37.11/32; - /* labsdb1007 */ - 10.64.37.12/32; - /* dbproxy1010, dbproxy1011 */ - 10.64.37.14/31; - 10.64.37.28/32; - 10.64.37.27/32; - } - protocol tcp; - destination-port [ 22 873 3306 5432 ]; - } - then accept; - } - /* - ** T216353 + ** wiki-replicas mysql connection */ - term clouddb_return { + term wiki-replicas { from { destination-address { - /* labsdb1004, labsdb1005 */ - 10.64.37.8/31; - /* labsdb1006 */ - 10.64.37.11/32; - /* labsdb1007 */ - 10.64.37.12/32; - /* dbproxy1010, dbproxy1011 */ - 10.64.37.14/31; - /* nfs-tools-project.svc, labstore1004 */ - 10.64.37.18/31; - /* labstore1005 */ - 10.64.37.20/32; + /* dbproxy1018, dbproxy1019 */ 10.64.37.28/32; 10.64.37.27/32; } protocol tcp; - source-port 3306; + destination-port 3306; } then accept; } - term labmon--http { + term cloudmetrics-http { from { destination-address { /* cloudmetrics1002 */ @@ -1523,12 +1467,12 @@ family inet { } then accept; } - term labmon--statsd { + term cloudmetrics-statsd { from { destination-address { /* cloudmetrics1002 */ 10.64.4.15/32; - /* labmon1001 */ + /* cloudmetrics1001 */ 10.64.37.13/32; } protocol udp; @@ -1536,12 +1480,12 @@ family inet { } then accept; } - term labmon--graphite { + term clouodmetrics-graphite { from { destination-address { /* cloudmetrics1002 */ 10.64.4.15/32; - /* labmon1001 */ + /* cloudmetrics1001 */ 10.64.37.13/32; } protocol [ tcp udp ]; @@ -1562,17 +1506,6 @@ family inet { } then accept; } - term labnet-nova-api { - from { - destination-address { - /* labnet1001 */ - 10.64.20.13/32; - } - protocol tcp; - destination-port 8774; - } - then accept; - } /* ** Deny any communication with private subnets */
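Review bot: in the cloud-in4 allow-icmp hunk (@@ -1419), the added line `208.80.153.184/29` has no terminating `;` before the next `/* ... (next) */` comment, so the filter will fail to parse and the commit will be rejected on the router; it should read `208.80.153.184/29;` exactly like the `185.15.57.16/29;` line that follows it.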
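Review bot: in the @@ -1463 hunk, renaming `clouddb_return` to `wiki-replicas` also flips the match from `source-port 3306` to `destination-port 3306`, which is a behaviour change rather than a cleanup: the old term (whose `T216353` rationale comment is dropped here) accepted packets leaving the VMs with source port 3306, the new one accepts VM-initiated connections to the dbproxy hosts on 3306. The commit message should say so, and it is worth confirming with the DB and cloud owners that nothing still depends on the old match before it disappears.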
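Review bot: the @@ -1536 hunk renames `labmon--graphite` to `clouodmetrics-graphite`, which is misspelled relative to the sibling `cloudmetrics-http` and `cloudmetrics-statsd` terms in the same patch; rename it to `cloudmetrics-graphite` so the term names stay consistent and greppable in future audits.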
I deleted a bunch of stuff that doesn't exist. Also, renamed a few things, and cleaned up others. Please @Bstorm and @Andrew double check.
Also, in that same file @ayounsi there is a labs-in4, can you clarify where that is being used?
Thanks!
labs-in4 is applied to traffic exiting the cloud-hosts1-eqiad vlan (entering the router interface). Reviewing it might be useful as well indeed.
Change 641946 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: refresh cloudmetrics references
Change 641947 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: refresh transport network references
Change 641948 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: refresh labstore references
Change 641949 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: refresh DB references
Change 641950 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: drop labnet ACL
Change 641954 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: add missing private range CIDR
Change 641960 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/homer/public@master] cr/firewall.conf: drop useless network ACL
Change 641954 merged by jenkins-bot:
[operations/homer/public@master] cr/firewall.conf: add missing private range CIDR
Change 641946 merged by jenkins-bot:
[operations/homer/public@master] cr/firewall.conf: refresh cloudmetrics references
Change 641947 merged by jenkins-bot:
[operations/homer/public@master] cr/firewall.conf: refresh transport network references
Change 641948 merged by jenkins-bot:
[operations/homer/public@master] cr/firewall.conf: refresh labstore references
Mentioned in SAL (#wikimedia-operations) [2020-11-19T13:45:51Z] <XioNoX> push current state of audited cloud-in4 filter - T264993
Change 641960 merged by jenkins-bot:
[operations/homer/public@master] cr/firewall.conf: drop useless network ACL
Change 641950 merged by Ayounsi:
[operations/homer/public@master] cr/firewall.conf: drop labnet ACL
Change 641949 merged by jenkins-bot:
[operations/homer/public@master] cr/firewall.conf: refresh DB references