While working on Capirca I noticed that the analytics-in firewall filters contained outdated hosts.
Here is the current diff using Capirca. Let me know if something needs to change or if it can be (carefully) merged as is.
[edit firewall family inet filter analytics-in4 term puppet from destination-address]
+ /* puppetmaster1003 */
+ 10.64.16.36/32;
10.64.16.73/32 { ... }
[edit firewall family inet filter analytics-in4 term puppet from destination-address]
10.192.0.27/32 { ... }
+ /* puppetmaster2003 */
+ 10.192.16.151/32;
+ /* puppetmaster2002 */
+ 10.192.48.66/32;
[edit firewall family inet filter analytics-in4 term apt from destination-address]
! 208.80.153.42/32 { ... }
[edit firewall family inet filter analytics-in4 term webproxy from destination-address]
+ /* install3001 */
+ 91.198.174.63/32;
+ /* install5001 */
+ 103.102.166.13/32;
+ /* install4001 */
+ 198.35.26.12/32;
208.80.153.51/32 { ... }
[edit firewall family inet filter analytics-in4 term ldap from destination-address]
- /* ldap-ro */
+ /* ldap-ro.eqiad */
208.80.154.252/32 { ... }
[edit firewall family inet filter analytics-in4 term tftp from destination-address]
+ /* install3001 */
+ 91.198.174.63/32;
+ /* install5001 */
+ 103.102.166.13/32;
+ /* install4001 */
+ 198.35.26.12/32;
208.80.153.51/32 { ... }
[edit firewall family inet filter analytics-in4 term analytics-publicIP from destination-address]
- /* dataset1001 */
+ /* cloudservices1004 */
208.80.154.11/32 { ... }
[edit firewall family inet filter analytics-in4 term graphite from destination-address]
- /* graphite1001 */
- 10.64.32.155/32;
- /* graphite2001 */
- 10.192.16.33/32;
[edit firewall family inet filter analytics-in4 term statsd from destination-address]
- /* graphite1001 */
- 10.64.32.155/32;
- /* graphite2001 */
- 10.192.16.33/32;
[edit firewall family inet filter analytics-in4 term mysql-dbstore from]
- destination-port [ 3311-3318 3320 3350 ];
+ destination-port [ 3311-3320 3350 ];
[edit firewall family inet filter analytics-in4 term mysql-sqoop from]
- destination-port 3311-3318;
+ destination-port 3311-3320;
[edit firewall family inet filter analytics-in4 term mysql-replica from]
- destination-port [ 3351 3352 ];
+ destination-port 3351-3352;
[edit firewall family inet filter analytics-in4 term ssh from destination-address]
- /* dubnium */
- 208.80.154.13/32;
- /* aluminium, cobalt */
- 208.80.154.80/31;
[edit firewall family inet filter analytics-in4 term rsync-http-https from destination-address]
- /* dubnium */
- 208.80.154.13/32;
- /* aluminium, cobalt */
- 208.80.154.80/31;
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
! 10.64.0.175/32 { ... }
! 10.64.0.176/32 { ... }
! 10.64.0.181/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.0.200/32 { ... }
! 10.64.16.30/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.16.37/32 { ... }
! 10.64.16.99/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.32.90/32 { ... }
! 10.64.32.106/32 { ... }
! 10.64.32.159/32 { ... }
! 10.64.32.160/32 { ... }
! 10.64.48.117/32 { ... }
! 10.64.48.140/32 { ... }
! 10.64.48.177/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
+ /* logstash1020 */
+ 10.64.0.11/32;
+ /* logstash1007 */
+ 10.64.0.37/32;
+ /* logstash1033 */
+ 10.64.0.87/32;
+ /* logstash1008 */
+ 10.64.0.90/32;
10.64.0.175/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.0.181/32 { ... }
+ /* logstash1023 */
+ 10.64.0.183/32;
+ /* logstash1024 */
+ 10.64.0.184/32;
+ /* logstash1026 */
+ 10.64.0.197/32;
10.64.0.200/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.16.37/32 { ... }
+ /* logstash1021 */
+ 10.64.16.41/32;
10.64.16.99/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.16.99/32 { ... }
+ /* logstash1032 */
+ 10.64.16.143/32;
+ /* logstash1027 */
+ 10.64.16.169/32;
+ /* logstash1009 */
+ 10.64.32.27/32;
10.64.32.90/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.32.90/32 { ... }
+ /* logstash1025 */
+ 10.64.32.96/32;
+ /* logstash1028 */
+ 10.64.32.104/32;
10.64.32.106/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.32.106/32 { ... }
+ /* logstash1034 */
+ 10.64.32.112/32;
+ /* logstash1022 */
+ 10.64.32.127/32;
10.64.32.159/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.32.160/32 { ... }
+ /* logstash1030 */
+ 10.64.48.22/32;
+ /* logstash1031 */
+ 10.64.48.25/32;
+ /* kafka-main1004, kafka-main1005 */
+ 10.64.48.30/31;
+ /* logstash1035 */
+ 10.64.48.60/32;
10.64.48.117/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.48.117/32 { ... }
+ /* logstash1029, kafka-jumbo1008 */
+ 10.64.48.120/31;
10.64.48.140/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.48.177/32 { ... }
+ /* logstash2033, kafka-main2001 */
+ 10.192.0.16/31;
+ /* logstash2004 */
+ 10.192.0.111/32;
+ /* logstash2001 */
+ 10.192.0.112/32;
+ /* logstash2020 */
+ 10.192.0.139/32;
+ /* logstash2023 */
+ 10.192.0.153/32;
+ /* logstash2026 */
+ 10.192.0.159/32;
10.192.16.8/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.192.16.8/32 { ... }
+ /* logstash2034 */
+ 10.192.16.30/32;
+ /* logstash2005, logstash2006 */
+ 10.192.16.92/31;
+ /* logstash2024 */
+ 10.192.16.145/32;
+ /* logstash2025 */
+ 10.192.16.146/32;
+ /* logstash2027 */
+ 10.192.16.150/32;
+ /* logstash2021 */
+ 10.192.16.169/32;
+ /* logstash2035 */
+ 10.192.32.28/32;
10.192.32.136/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.192.32.136/32 { ... }
+ /* logstash2022 */
+ 10.192.32.150/32;
+ /* logstash2002 */
+ 10.192.32.180/32;
+ /* logstash2028 */
+ 10.192.32.189/32;
+ /* kafka-main2004 */
+ 10.192.48.38/32;
+ /* kafka-main2005 */
+ 10.192.48.46/32;
+ /* logstash2003 */
+ 10.192.48.131/32;
+ /* logstash2030 */
+ 10.192.48.136/32;
+ /* logstash2029 */
+ 10.192.48.140/32;
+ /* logstash2031 */
+ 10.192.48.158/32;
- /* kafka-main2001 */
- 10.192.0.17/32;
- /* kafka-jumbo1008 */
- 10.64.48.121/32;
[edit firewall family inet filter analytics-in4 term gerrit from destination-address]
- /* gerrit2001 */
+ /* gerrit-replica.wikimedia.org */
208.80.153.107/32 { ... }
[edit firewall family inet filter analytics-in4 term gerrit from destination-address]
208.80.153.107/32 { ... }
+ /* gerrit1001, gerrit.wikimedia.org */
+ 208.80.154.136/31;
- /* gerrit.wikimedia.org */
- 208.80.154.137/32;
- /* gerrit1001 */
- 208.80.154.136/32;
[edit firewall family inet filter analytics-in4 term gerrit from]
- destination-port [ 29418 443 ];
+ destination-port [ 443 29418 ];
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
+ /* backup1003 */
+ 10.64.16.107/32;
+ /* backup1002 */
+ 10.64.32.107/32;
10.64.48.36/32 { ... }
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
10.64.48.36/32 { ... }
+ /* backup2002 */
+ 10.192.0.190/32;
+ /* backup2003 */
+ 10.192.32.35/32;
10.192.48.116/32 { ... }
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
- /* helium */
- 10.64.0.179/32;
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
+ /* aqs1010 */
+ 10.64.0.40/32;
+ /* aqs1010 */
+ 10.64.0.88/32;
10.64.0.107/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
10.64.0.107/32 { ... }
+ /* aqs1010 */
+ 10.64.0.120/32;
- /* aqs1004-a, aqs1004-b */
+ /* aqs1004 */
10.64.0.126/31 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
- /* aqs1007-a */
+ /* aqs1007 */
10.64.0.213/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
- /* aqs1007-b */
+ /* aqs1007 */
10.64.0.237/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
- /* aqs1008-a */
+ /* aqs1008 */
10.64.16.74/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
- /* aqs1008-b */
+ /* aqs1008 */
10.64.16.78/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
10.64.16.78/32 { ... }
+ /* aqs1011 */
+ 10.64.16.201/32;
+ /* aqs1011 */
+ 10.64.16.204/32;
+ /* aqs1011 */
+ 10.64.16.206/32;
+ /* aqs1012 */
+ 10.64.32.16/32;
+ /* aqs1012 */
+ 10.64.32.128/32;
+ /* aqs1013 */
+ 10.64.32.136/32;
10.64.32.138/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
10.64.32.138/32 { ... }
+ /* aqs1012 */
+ 10.64.32.145/32;
+ /* aqs1013 */
+ 10.64.32.146/31;
- /* aqs1005-a */
+ /* aqs1005 */
10.64.32.189/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
- /* aqs1005-b */
+ /* aqs1005 */
10.64.32.190/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
10.64.32.190/32 { ... }
+ /* aqs1014, aqs1015 */
+ 10.64.48.62/31;
+ /* aqs1014 */
+ 10.64.48.65/32;
+ /* aqs1014 */
+ 10.64.48.67/32;
+ /* aqs1015 */
+ 10.64.48.68/31;
10.64.48.119/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
- /* aqs1009-a, aqs1009-b */
+ /* aqs1009 */
10.64.48.122/31 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
- /* aqs1006-a, aqs1006-b */
+ /* aqs1006 */
10.64.48.148/31 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
! 10.2.2.32/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
10.64.0.17/32 { ... }
+ /* wdqs1006 */
+ 10.64.0.109/32;
+ /* wdqs1011 */
+ 10.64.0.203/32;
+ /* wdqs1007 */
+ 10.64.16.10/32;
+ /* wdqs1009 */
+ 10.64.16.15/32;
+ /* wdqs1012 */
+ 10.64.16.170/32;
+ /* wdqs1010 */
+ 10.64.32.63/32;
+ /* wdqs1013 */
+ 10.64.32.105/32;
+ /* wdqs1008 */
+ 10.64.48.24/32;
10.64.48.46/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
10.64.48.46/32 { ... }
+ /* wdqs2004 */
+ 10.192.0.20/32;
10.192.0.29/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
10.192.0.29/32 { ... }
+ /* wdqs2005 */
+ 10.192.16.4/32;
+ /* wdqs2007 */
+ 10.192.16.156/32;
10.192.32.148/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
10.192.32.148/32 { ... }
+ /* wdqs2008 */
+ 10.192.32.194/32;
10.192.48.65/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
10.192.48.65/32 { ... }
+ /* wdqs2006 */
+ 10.192.48.92/32;
[edit firewall family inet filter analytics-in4 term druid from destination-address]
10.64.0.35/32 { ... }
! 10.64.16.171/32 { ... }
[edit firewall family inet filter analytics-in4 term druid from destination-address]
10.64.0.35/32 { ... }
+ /* druid1001 */
+ 10.64.5.101/32;
10.64.16.171/32 { ... }
[edit firewall family inet filter analytics-in4 term druid from destination-address]
10.64.16.172/32 { ... }
+ /* druid1002 */
+ 10.64.36.102/32;
10.64.48.171/32 { ... }
[edit firewall family inet filter analytics-in4 term druid from destination-address]
10.64.48.227/32 { ... }
+ /* druid1003 */
+ 10.64.53.103/32;
[edit firewall family inet filter analytics-in4 term syslog from destination-address]
- /* wezen */
+ /* centrallog2001 */
10.192.48.64/32 { ... }
[edit firewall family inet filter analytics-in4 term syslog from destination-address]
- /* lithium */
- 10.64.32.154/32;
[edit firewall family inet filter analytics-in4 term syslog-tls from destination-address]
- /* wezen */
+ /* centrallog2001 */
10.192.48.64/32 { ... }
[edit firewall family inet filter analytics-in4 term syslog-tls from destination-address]
- /* lithium */
- 10.64.32.154/32;
[edit firewall family inet filter analytics-in4 term scap from destination-address]
- /* deploy1001 */
- 10.64.32.16/32;
- /* deploy2001 */
- 10.192.32.24/32;
[edit firewall family inet filter analytics-in4 term swift from destination-address]
10.2.1.27/32 { ... }
! 10.2.1.54/32 { ... }
[edit firewall family inet filter analytics-in4 term swift from destination-address]
- /* swift.svc.codfw */
+ /* ms-fe.svc.codfw.wmnet */
10.2.1.27/32 { ... }
[edit firewall family inet filter analytics-in4 term swift from destination-address]
- /* swift.svc.eqiad */
+ /* ms-fe.svc.eqiad.wmnet */
10.2.2.27/32 { ... }
[edit firewall family inet filter analytics-in4 term schema from destination-address]
- /* schema.svc.codfw */
+ /* schema.svc.codfw.wmnet */
10.2.1.43/32 { ... }
[edit firewall family inet filter analytics-in4 term schema from destination-address]
- /* schema.svc.eqiad */
+ /* schema.svc.eqiad.wmnet */
10.2.2.43/32 { ... }
[edit firewall family inet filter analytics-in4 term kerberos from destination-address]
- /* kerberos1001 */
- 10.64.0.182/32;
[edit firewall family inet filter analytics-in4 term eventgate-analytics from destination-address]
! 10.2.1.42/32 { ... }
[edit firewall family inet filter analytics-in4 term eventgate-main from destination-address]
! 10.2.1.45/32 { ... }
[edit firewall family inet filter analytics-in4 term eventgate-logging-ext from destination-address]
! 10.2.1.50/32 { ... }
[edit firewall family inet filter analytics-in4 term eventgate-analytics-ext from destination-address]
! 10.2.1.52/32 { ... }
[edit firewall family inet filter analytics-in4 term idp from destination-address]
- /* idp2001.wikimedia.org */
+ /* idp2001 */
208.80.153.23/32 { ... }
[edit firewall family inet filter analytics-in4 term idp from destination-address]
- /* idp1001.wikimedia.org */
+ /* idp1001 */
208.80.154.26/32 { ... }
[edit firewall family inet filter analytics-in4 term mediawiki-api from destination-address]
! 10.2.1.22/32 { ... }
[edit firewall family inet filter analytics-in4 term mediawiki-api from]
- destination-port [ 443 80 ];
+ destination-port [ 80 443 ];
The same, removing the obvious OK lines (eg. description change, ordering, etc):
[edit firewall family inet filter analytics-in4 term puppet from destination-address]
+ /* puppetmaster1003 */
+ 10.64.16.36/32;
10.64.16.73/32 { ... }
[edit firewall family inet filter analytics-in4 term puppet from destination-address]
10.192.0.27/32 { ... }
+ /* puppetmaster2003 */
+ 10.192.16.151/32;
+ /* puppetmaster2002 */
+ 10.192.48.66/32;
[edit firewall family inet filter analytics-in4 term apt from destination-address]
! 208.80.153.42/32 { ... }
[edit firewall family inet filter analytics-in4 term webproxy from destination-address]
+ /* install3001 */
+ 91.198.174.63/32;
+ /* install5001 */
+ 103.102.166.13/32;
+ /* install4001 */
+ 198.35.26.12/32;
208.80.153.51/32 { ... }
[edit firewall family inet filter analytics-in4 term tftp from destination-address]
+ /* install3001 */
+ 91.198.174.63/32;
+ /* install5001 */
+ 103.102.166.13/32;
+ /* install4001 */
+ 198.35.26.12/32;
208.80.153.51/32 { ... }
[edit firewall family inet filter analytics-in4 term graphite from destination-address]
- /* graphite1001 */
- 10.64.32.155/32;
- /* graphite2001 */
- 10.192.16.33/32;
[edit firewall family inet filter analytics-in4 term statsd from destination-address]
- /* graphite1001 */
- 10.64.32.155/32;
- /* graphite2001 */
- 10.192.16.33/32;
[edit firewall family inet filter analytics-in4 term mysql-dbstore from]
- destination-port [ 3311-3318 3320 3350 ];
+ destination-port [ 3311-3320 3350 ];
[edit firewall family inet filter analytics-in4 term mysql-sqoop from]
- destination-port 3311-3318;
+ destination-port 3311-3320;
[edit firewall family inet filter analytics-in4 term ssh from destination-address]
- /* dubnium */
- 208.80.154.13/32;
- /* aluminium, cobalt */
- 208.80.154.80/31;
[edit firewall family inet filter analytics-in4 term rsync-http-https from destination-address]
- /* dubnium */
- 208.80.154.13/32;
- /* aluminium, cobalt */
- 208.80.154.80/31;
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
+ /* logstash1020 */
+ 10.64.0.11/32;
+ /* logstash1007 */
+ 10.64.0.37/32;
+ /* logstash1033 */
+ 10.64.0.87/32;
+ /* logstash1008 */
+ 10.64.0.90/32;
10.64.0.175/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.0.181/32 { ... }
+ /* logstash1023 */
+ 10.64.0.183/32;
+ /* logstash1024 */
+ 10.64.0.184/32;
+ /* logstash1026 */
+ 10.64.0.197/32;
10.64.0.200/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.16.37/32 { ... }
+ /* logstash1021 */
+ 10.64.16.41/32;
10.64.16.99/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.16.99/32 { ... }
+ /* logstash1032 */
+ 10.64.16.143/32;
+ /* logstash1027 */
+ 10.64.16.169/32;
+ /* logstash1009 */
+ 10.64.32.27/32;
10.64.32.90/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.32.90/32 { ... }
+ /* logstash1025 */
+ 10.64.32.96/32;
+ /* logstash1028 */
+ 10.64.32.104/32;
10.64.32.106/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.32.106/32 { ... }
+ /* logstash1034 */
+ 10.64.32.112/32;
+ /* logstash1022 */
+ 10.64.32.127/32;
10.64.32.159/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.32.160/32 { ... }
+ /* logstash1030 */
+ 10.64.48.22/32;
+ /* logstash1031 */
+ 10.64.48.25/32;
+ /* kafka-main1004, kafka-main1005 */
+ 10.64.48.30/31;
+ /* logstash1035 */
+ 10.64.48.60/32;
10.64.48.117/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.48.117/32 { ... }
+ /* logstash1029, kafka-jumbo1008 */
+ 10.64.48.120/31;
10.64.48.140/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.64.48.177/32 { ... }
+ /* logstash2033, kafka-main2001 */
+ 10.192.0.16/31;
+ /* logstash2004 */
+ 10.192.0.111/32;
+ /* logstash2001 */
+ 10.192.0.112/32;
+ /* logstash2020 */
+ 10.192.0.139/32;
+ /* logstash2023 */
+ 10.192.0.153/32;
+ /* logstash2026 */
+ 10.192.0.159/32;
10.192.16.8/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.192.16.8/32 { ... }
+ /* logstash2034 */
+ 10.192.16.30/32;
+ /* logstash2005, logstash2006 */
+ 10.192.16.92/31;
+ /* logstash2024 */
+ 10.192.16.145/32;
+ /* logstash2025 */
+ 10.192.16.146/32;
+ /* logstash2027 */
+ 10.192.16.150/32;
+ /* logstash2021 */
+ 10.192.16.169/32;
+ /* logstash2035 */
+ 10.192.32.28/32;
10.192.32.136/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
10.192.32.136/32 { ... }
+ /* logstash2022 */
+ 10.192.32.150/32;
+ /* logstash2002 */
+ 10.192.32.180/32;
+ /* logstash2028 */
+ 10.192.32.189/32;
+ /* kafka-main2004 */
+ 10.192.48.38/32;
+ /* kafka-main2005 */
+ 10.192.48.46/32;
+ /* logstash2003 */
+ 10.192.48.131/32;
+ /* logstash2030 */
+ 10.192.48.136/32;
+ /* logstash2029 */
+ 10.192.48.140/32;
+ /* logstash2031 */
+ 10.192.48.158/32;
- /* kafka-main2001 */
- 10.192.0.17/32;
- /* kafka-jumbo1008 */
- 10.64.48.121/32;
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
+ /* backup1003 */
+ 10.64.16.107/32;
+ /* backup1002 */
+ 10.64.32.107/32;
10.64.48.36/32 { ... }
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
10.64.48.36/32 { ... }
+ /* backup2002 */
+ 10.192.0.190/32;
+ /* backup2003 */
+ 10.192.32.35/32;
10.192.48.116/32 { ... }
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
- /* helium */
- 10.64.0.179/32;
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
+ /* aqs1010 */
+ 10.64.0.40/32;
+ /* aqs1010 */
+ 10.64.0.88/32;
10.64.0.107/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
10.64.0.107/32 { ... }
+ /* aqs1010 */
+ 10.64.0.120/32;
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
10.64.16.78/32 { ... }
+ /* aqs1011 */
+ 10.64.16.201/32;
+ /* aqs1011 */
+ 10.64.16.204/32;
+ /* aqs1011 */
+ 10.64.16.206/32;
+ /* aqs1012 */
+ 10.64.32.16/32;
+ /* aqs1012 */
+ 10.64.32.128/32;
+ /* aqs1013 */
+ 10.64.32.136/32;
10.64.32.138/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
10.64.32.138/32 { ... }
+ /* aqs1012 */
+ 10.64.32.145/32;
+ /* aqs1013 */
+ 10.64.32.146/31;
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
10.64.32.190/32 { ... }
+ /* aqs1014, aqs1015 */
+ 10.64.48.62/31;
+ /* aqs1014 */
+ 10.64.48.65/32;
+ /* aqs1014 */
+ 10.64.48.67/32;
+ /* aqs1015 */
+ 10.64.48.68/31;
10.64.48.119/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
10.64.0.17/32 { ... }
+ /* wdqs1006 */
+ 10.64.0.109/32;
+ /* wdqs1011 */
+ 10.64.0.203/32;
+ /* wdqs1007 */
+ 10.64.16.10/32;
+ /* wdqs1009 */
+ 10.64.16.15/32;
+ /* wdqs1012 */
+ 10.64.16.170/32;
+ /* wdqs1010 */
+ 10.64.32.63/32;
+ /* wdqs1013 */
+ 10.64.32.105/32;
+ /* wdqs1008 */
+ 10.64.48.24/32;
10.64.48.46/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
10.64.48.46/32 { ... }
+ /* wdqs2004 */
+ 10.192.0.20/32;
10.192.0.29/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
10.192.0.29/32 { ... }
+ /* wdqs2005 */
+ 10.192.16.4/32;
+ /* wdqs2007 */
+ 10.192.16.156/32;
10.192.32.148/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
10.192.32.148/32 { ... }
+ /* wdqs2008 */
+ 10.192.32.194/32;
10.192.48.65/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
10.192.48.65/32 { ... }
+ /* wdqs2006 */
+ 10.192.48.92/32;
[edit firewall family inet filter analytics-in4 term druid from destination-address]
10.64.0.35/32 { ... }
+ /* druid1001 */
+ 10.64.5.101/32;
10.64.16.171/32 { ... }
[edit firewall family inet filter analytics-in4 term druid from destination-address]
10.64.16.172/32 { ... }
+ /* druid1002 */
+ 10.64.36.102/32;
10.64.48.171/32 { ... }
[edit firewall family inet filter analytics-in4 term druid from destination-address]
10.64.48.227/32 { ... }
+ /* druid1003 */
+ 10.64.53.103/32;
[edit firewall family inet filter analytics-in4 term syslog from destination-address]
- /* lithium */
- 10.64.32.154/32;
[edit firewall family inet filter analytics-in4 term syslog-tls from destination-address]
- /* lithium */
- 10.64.32.154/32;
[edit firewall family inet filter analytics-in4 term scap from destination-address]
- /* deploy1001 */
- 10.64.32.16/32;
- /* deploy2001 */
- 10.192.32.24/32;
[edit firewall family inet filter analytics-in4 term kerberos from destination-address]
- /* kerberos1001 */
- 10.64.0.182/32;
filter analytics-in6 { ... }
[edit firewall family inet6 filter analytics-in6]
term analytics-publicIP { ... }
! term mysql-replica { ... }
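Review bot: The `!` on `term mysql-replica` here, and on `term bacula` in the next hunk, appears to mark whole terms changing position inside analytics-in6, which is not the same kind of reordering as addresses moving inside a `destination-address` list, because a firewall filter is evaluated term by term in order. Every term body visible in this diff ends in `then accept`, so the move is probably harmless, but the collapsed `{ ... }` bodies and the terms lying between the old and new positions are not shown. Before merging, confirm that no discard or reject term sits between the old and the new position of these two terms.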
[edit firewall family inet6 filter analytics-in6]
term gerrit { ... }
! term bacula { ... }
[edit firewall family inet6 filter analytics-in6 term puppet from destination-address]
2620:0:860:101:10:192:0:27/128 { ... }
+ /* puppetmaster2003 */
+ 2620:0:860:102:10:192:16:151/128;
+ /* puppetmaster2002 */
+ 2620:0:860:104:10:192:48:66/128;
+ /* puppetmaster1003 */
+ 2620:0:861:102:10:64:16:36/128;
2620:0:861:102:10:64:16:73/128 { ... }
[edit firewall family inet6 filter analytics-in6 term apt from destination-address]
! 2620:0:860:2:208:80:153:42/128 { ... }
[edit firewall family inet6 filter analytics-in6 term webproxy from destination-address]
+ /* install5001 */
+ 2001:df2:e500:1:103:102:166:13/128;
2620:0:860:2:208:80:153:51/128 { ... }
[edit firewall family inet6 filter analytics-in6 term webproxy from destination-address]
2620:0:861:1:208:80:154:32/128 { ... }
+ /* install3001 */
+ 2620:0:862:1:91:198:174:63/128;
+ /* install4001 */
+ 2620:0:863:1:198:35:26:12/128;
[edit firewall family inet6 filter analytics-in6]
term icinga { ... }
+ term ldap {
+ from {
+ destination-address {
+ /* serpens */
+ 2620:0:860:2:208:80:153:49/128;
+ /* seaborgium */
+ 2620:0:861:3:208:80:154:79/128;
+ }
+ next-header tcp;
+ destination-port [ 389 636 ];
+ }
+ then accept;
+ }
term tftp { ... }
[edit firewall family inet6 filter analytics-in6 term tftp from destination-address]
+ /* install5001 */
+ 2001:df2:e500:1:103:102:166:13/128;
2620:0:860:2:208:80:153:51/128 { ... }
[edit firewall family inet6 filter analytics-in6 term tftp from destination-address]
2620:0:861:1:208:80:154:32/128 { ... }
+ /* install3001 */
+ 2620:0:862:1:91:198:174:63/128;
+ /* install4001 */
+ 2620:0:863:1:198:35:26:12/128;
[edit firewall family inet6 filter analytics-in6 term analytics-publicIP from destination-address]
+ /* labstore1006 */
+ 2620:0:861:1:208:80:154:7/128;
- /* dataset1001 */
+ /* cloudservices1004 */
2620:0:861:1:208:80:154:11/128 { ... }
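Review bot: Relabelling `2620:0:861:1:208:80:154:11/128` from `dataset1001` to `cloudservices1004` suggests the address now belongs to a different host, so the term goes on allowing traffic to whatever currently holds that address; the same relabel appears on `208.80.154.11/32` in analytics-in4. It reads as a description-only change, but the ports and protocols of `term analytics-publicIP` are not visible in this diff, so it is worth checking that analytics hosts are really meant to reach cloudservices1004 on them. If they are not, the entry should be dropped from the Capirca definition rather than renamed.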
[edit firewall family inet6 filter analytics-in6 term analytics-publicIP from destination-address]
2620:0:861:1:208:80:154:32/128 { ... }
+ /* labstore1007 */
+ 2620:0:861:4:208:80:155:106/128;
[edit firewall family inet6 filter analytics-in6]
term analytics-publicIP { ... }
+ term graphite {
+ from {
+ destination-address {
+ /* graphite2003 */
+ 2620:0:860:101:10:192:0:102/128;
+ /* graphite1004 */
+ 2620:0:861:102:10:64:16:149/128;
+ }
+ next-header [ tcp udp ];
+ destination-port 2003;
+ }
+ then accept;
+ }
+ term statsd {
+ from {
+ destination-address {
+ /* graphite2003 */
+ 2620:0:860:101:10:192:0:102/128;
+ /* graphite1004 */
+ 2620:0:861:102:10:64:16:149/128;
+ }
+ next-header udp;
+ destination-port 8125;
+ }
+ then accept;
+ }
+ term mysql-dbstore {
+ from {
+ destination-address {
+ /* dbstore1003 */
+ 2620:0:861:101:10:64:0:137/128;
+ /* dbstore1004 */
+ 2620:0:861:102:10:64:16:26/128;
+ /* dbstore1005 */
+ 2620:0:861:103:10:64:32:30/128;
+ }
+ next-header tcp;
+ destination-port [ 3311-3320 3350 ];
+ }
+ then accept;
+ }
term mysql-replica { ... }
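Review bot: The new `term mysql-dbstore` uses `destination-port [ 3311-3320 3350 ]`, a range that includes 3319, whereas the list it replaces in analytics-in4 was `[ 3311-3318 3320 3350 ]` and skipped that port; the analytics-in4 `term mysql-sqoop` likewise grows from `3311-3318` to `3311-3320`. If the contiguous range is only a convenience in the Capirca service definition, it opens ports that were closed before. Confirm that a dbstore instance actually listens on 3319 (and that sqoop needs 3319 and 3320), or keep the port list explicit so the filter matches what is deployed.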
[edit firewall family inet6 filter analytics-in6 term mysql-replica from]
- destination-port [ 3351 3352 ];
+ destination-port 3351-3352;
[edit firewall family inet6 filter analytics-in6]
term mysql-replica { ... }
+ term mysql-dbproxy {
+ from {
+ destination-address {
+ /* dbproxy1013 */
+ 2620:0:861:101:10:64:0:135/128;
+ /* dbproxy1015 */
+ 2620:0:861:102:10:64:16:19/128;
+ }
+ next-header tcp;
+ destination-port 3306;
+ }
+ then accept;
+ }
term ssh { ... }
[edit firewall family inet6 filter analytics-in6 term ssh from destination-address]
- /* aluminium, cobalt */
- 2620:0:861:3:208:80:154:80/127;
[edit firewall family inet6 filter analytics-in6 term rsync-http-https from destination-address]
+ /* mwlog2001 */
+ 2620:0:860:103:10:192:32:131/128;
2620:0:861:1:208:80:154:15/128 { ... }
[edit firewall family inet6 filter analytics-in6 term rsync-http-https from destination-address]
2620:0:861:1:208:80:154:15/128 { ... }
+ /* ms-be1028 */
+ 2620:0:861:101:10:64:0:21/128;
+ /* mwlog1001 */
+ 2620:0:861:103:10:64:32:175/128;
2620:0:861:107:10:64:48:95/128 { ... }
[edit firewall family inet6 filter analytics-in6 term rsync-http-https from destination-address]
- /* aluminium, cobalt */
- 2620:0:861:3:208:80:154:80/127;
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:860:103:10:192:32:136/128 { ... }
! 2620:0:861:101:10:64:0:175/128 { ... }
! 2620:0:861:101:10:64:0:176/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:861:102:10:64:16:37/128 { ... }
! 2620:0:861:102:10:64:16:99/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:861:103:10:64:32:90/128 { ... }
! 2620:0:861:103:10:64:32:106/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
+ /* logstash2033, kafka-main2001 */
+ 2620:0:860:101:10:192:0:16/127;
+ /* logstash2004 */
+ 2620:0:860:101:10:192:0:111/128;
+ /* logstash2001 */
+ 2620:0:860:101:10:192:0:112/128;
+ /* logstash2020 */
+ 2620:0:860:101:10:192:0:139/128;
+ /* logstash2023 */
+ 2620:0:860:101:10:192:0:153/128;
+ /* logstash2026 */
+ 2620:0:860:101:10:192:0:159/128;
2620:0:860:102:10:192:16:8/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:860:102:10:192:16:8/128 { ... }
+ /* logstash2034 */
+ 2620:0:860:102:10:192:16:30/128;
+ /* logstash2005, logstash2006 */
+ 2620:0:860:102:10:192:16:92/127;
+ /* logstash2024 */
+ 2620:0:860:102:10:192:16:145/128;
+ /* logstash2025 */
+ 2620:0:860:102:10:192:16:146/128;
+ /* logstash2027 */
+ 2620:0:860:102:10:192:16:150/128;
+ /* logstash2021 */
+ 2620:0:860:102:10:192:16:169/128;
+ /* logstash2035 */
+ 2620:0:860:103:10:192:32:28/128;
2620:0:860:103:10:192:32:136/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:860:103:10:192:32:136/128 { ... }
+ /* logstash2022 */
+ 2620:0:860:103:10:192:32:150/128;
+ /* logstash2002 */
+ 2620:0:860:103:10:192:32:180/128;
+ /* logstash2028 */
+ 2620:0:860:103:10:192:32:189/128;
+ /* kafka-main2004 */
+ 2620:0:860:104:10:192:48:38/128;
+ /* kafka-main2005 */
+ 2620:0:860:104:10:192:48:46/128;
+ /* logstash2003 */
+ 2620:0:860:104:10:192:48:131/128;
+ /* logstash2030 */
+ 2620:0:860:104:10:192:48:136/128;
+ /* logstash2029 */
+ 2620:0:860:104:10:192:48:140/128;
+ /* logstash2031 */
+ 2620:0:860:104:10:192:48:158/128;
+ /* logstash1020 */
+ 2620:0:861:101:10:64:0:11/128;
+ /* logstash1007 */
+ 2620:0:861:101:10:64:0:37/128;
+ /* logstash1033 */
+ 2620:0:861:101:10:64:0:87/128;
+ /* logstash1008 */
+ 2620:0:861:101:10:64:0:90/128;
2620:0:861:101:10:64:0:175/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:861:101:10:64:0:176/128 { ... }
+ /* logstash1010 */
+ 2620:0:861:101:10:64:0:181/128;
+ /* logstash1023 */
+ 2620:0:861:101:10:64:0:183/128;
+ /* logstash1024 */
+ 2620:0:861:101:10:64:0:184/128;
+ /* logstash1026 */
+ 2620:0:861:101:10:64:0:197/128;
2620:0:861:101:10:64:0:200/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:861:101:10:64:0:200/128 { ... }
+ /* logstash1011 */
+ 2620:0:861:102:10:64:16:30/128;
2620:0:861:102:10:64:16:37/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:861:102:10:64:16:37/128 { ... }
+ /* logstash1021 */
+ 2620:0:861:102:10:64:16:41/128;
2620:0:861:102:10:64:16:99/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:861:102:10:64:16:99/128 { ... }
+ /* logstash1032 */
+ 2620:0:861:102:10:64:16:143/128;
+ /* logstash1027 */
+ 2620:0:861:102:10:64:16:169/128;
+ /* logstash1009 */
+ 2620:0:861:103:10:64:32:27/128;
2620:0:861:103:10:64:32:90/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:861:103:10:64:32:90/128 { ... }
+ /* logstash1025 */
+ 2620:0:861:103:10:64:32:96/128;
+ /* logstash1028 */
+ 2620:0:861:103:10:64:32:104/128;
2620:0:861:103:10:64:32:106/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:861:103:10:64:32:106/128 { ... }
+ /* logstash1034 */
+ 2620:0:861:103:10:64:32:112/128;
+ /* logstash1022 */
+ 2620:0:861:103:10:64:32:127/128;
2620:0:861:103:10:64:32:159/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:861:103:10:64:32:160/128 { ... }
+ /* logstash1030 */
+ 2620:0:861:107:10:64:48:22/128;
+ /* logstash1031 */
+ 2620:0:861:107:10:64:48:25/128;
+ /* kafka-main1004, kafka-main1005 */
+ 2620:0:861:107:10:64:48:30/127;
+ /* logstash1035 */
+ 2620:0:861:107:10:64:48:60/128;
2620:0:861:107:10:64:48:117/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:861:107:10:64:48:117/128 { ... }
+ /* logstash1029, kafka-jumbo1008 */
+ 2620:0:861:107:10:64:48:120/127;
2620:0:861:107:10:64:48:140/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
2620:0:861:107:10:64:48:140/128 { ... }
+ /* logstash1012 */
+ 2620:0:861:107:10:64:48:177/128;
- /* kafka-main2001 */
- 2620:0:860:101:10:192:0:17/128;
- /* kafka-jumbo1008 */
- 2620:0:861:107:10:64:48:121/128;
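Review bot: kafka-main2001 (`2620:0:860:101:10:192:0:17/128`) is removed from `term kafka` with no replacement visible in this diff. That differs from kafka-jumbo1008, whose /128 is folded into the new `2620:0:861:107:10:64:48:120/127` aggregate added just above. Please confirm against the current inventory that kafka-main2001 is really gone and not just missing from the definitions Capirca reads. Note also that the /127 aggregates pair hosts of different roles (logstash1029 with kafka-jumbo1008), so the filter has to be regenerated whenever either host is decommissioned.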
[edit firewall family inet6 filter analytics-in6 term gerrit from destination-address]
- /* gerrit.wikimedia.org */
- 2620:0:861:2:208:80:154:137/128;
- /* gerrit2001 */
- 2620:0:860:4:208:80:153:106/128;
[edit firewall family inet6 filter analytics-in6 term gerrit from]
- destination-port [ 29418 443 ];
+ destination-port [ 443 29418 ];
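Review bot: Please confirm that `term gerrit` still has at least one `destination-address` entry after this change, because the preceding hunk deletes both gerrit addresses and unchanged entries are not shown in the diff. A Junos term without a destination-address condition matches any destination, so a term left with only `destination-port [ 443 29418 ]` and an accept action would permit those ports everywhere. If no address remains, delete the whole term rather than leave the port match behind.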
[edit firewall family inet6 filter analytics-in6 term bacula from destination-address]
! 2620:0:860:104:10:192:48:116/128 { ... }
[edit firewall family inet6 filter analytics-in6 term bacula from destination-address]
+ /* backup2002 */
+ 2620:0:860:101:10:192:0:190/128;
+ /* backup2003 */
+ 2620:0:860:103:10:192:32:35/128;
2620:0:860:104:10:192:48:116/128 { ... }
[edit firewall family inet6 filter analytics-in6 term bacula from destination-address]
2620:0:860:104:10:192:48:116/128 { ... }
+ /* backup1003 */
+ 2620:0:861:102:10:64:16:107/128;
+ /* backup1002 */
+ 2620:0:861:103:10:64:32:107/128;
2620:0:861:107:10:64:48:36/128 { ... }
[edit firewall family inet6 filter analytics-in6]
term bacula { ... }
+ term aqs {
+ from {
+ destination-address {
+ /* aqs1010 */
+ 2620:0:861:101:10:64:0:40/128;
+ /* aqs1004 */
+ 2620:0:861:101:10:64:0:107/128;
+ /* aqs1007 */
+ 2620:0:861:101:10:64:0:199/128;
+ /* aqs1008 */
+ 2620:0:861:102:10:64:16:14/128;
+ /* aqs1011 */
+ 2620:0:861:102:10:64:16:201/128;
+ /* aqs1012 */
+ 2620:0:861:103:10:64:32:16/128;
+ /* aqs1013 */
+ 2620:0:861:103:10:64:32:136/128;
+ /* aqs1005 */
+ 2620:0:861:103:10:64:32:138/128;
+ /* aqs1014, aqs1015 */
+ 2620:0:861:107:10:64:48:62/127;
+ /* aqs1009 */
+ 2620:0:861:107:10:64:48:119/128;
+ /* aqs1006 */
+ 2620:0:861:107:10:64:48:146/128;
+ }
+ next-header tcp;
+ destination-port 9042;
+ }
+ then accept;
+ }
+ term wdqs {
+ from {
+ destination-address {
+ /* wdqs2004 */
+ 2620:0:860:101:10:192:0:20/128;
+ /* wdqs2003 */
+ 2620:0:860:101:10:192:0:29/128;
+ /* wdqs2005 */
+ 2620:0:860:102:10:192:16:4/128;
+ /* wdqs2007 */
+ 2620:0:860:102:10:192:16:156/128;
+ /* wdqs2007 */
+ 2620:0:860:102:4ed9:8fff:feaf:2d85/128;
+ /* wdqs2001 */
+ 2620:0:860:103:10:192:32:148/128;
+ /* wdqs2008 */
+ 2620:0:860:103:10:192:32:194/128;
+ /* wdqs2008 */
+ 2620:0:860:103:4ed9:8fff:feaf:35df/128;
+ /* wdqs2002 */
+ 2620:0:860:104:10:192:48:65/128;
+ /* wdqs2006 */
+ 2620:0:860:104:10:192:48:92/128;
+ /* wdqs1003 */
+ 2620:0:861:101:10:64:0:14/128;
+ /* wdqs1004 */
+ 2620:0:861:101:10:64:0:17/128;
+ /* wdqs1006 */
+ 2620:0:861:101:10:64:0:109/128;
+ /* wdqs1011 */
+ 2620:0:861:101:10:64:0:203/128;
+ /* wdqs1007 */
+ 2620:0:861:102:10:64:16:10/128;
+ /* wdqs1009 */
+ 2620:0:861:102:10:64:16:15/128;
+ /* wdqs1012 */
+ 2620:0:861:102:10:64:16:170/128;
+ /* wdqs1010 */
+ 2620:0:861:103:10:64:32:63/128;
+ /* wdqs1013 */
+ 2620:0:861:103:10:64:32:105/128;
+ /* wdqs1008 */
+ 2620:0:861:107:10:64:48:24/128;
+ /* wdqs1005 */
+ 2620:0:861:107:10:64:48:46/128;
+ }
+ next-header tcp;
+ destination-port 8888;
+ }
+ then accept;
+ }
term icmp6 { ... }
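Review bot: In `term wdqs`, wdqs2007 and wdqs2008 each appear twice, and their second entries (`2620:0:860:102:4ed9:8fff:feaf:2d85/128` and `2620:0:860:103:4ed9:8fff:feaf:35df/128`) look like EUI-64 autoconfigured addresses rather than the mapped-IPv4 scheme used everywhere else. Such addresses change with the hardware and are probably leftover records in the source definitions, so I would drop them unless the service is known to listen there. In `term aqs`, aqs1012 is `2620:0:861:103:10:64:32:16/128`, the same address this diff removes from `term scap` as deploy1001. Please confirm which host holds that address now, since a reused address silently inherits whatever a stale entry allowed.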
[edit firewall family inet6 filter analytics-in6 term druid from destination-address]
2620:0:861:101:10:64:0:35/128 { ... }
! 2620:0:861:102:10:64:16:171/128 { ... }
[edit firewall family inet6 filter analytics-in6 term druid from destination-address]
2620:0:861:102:10:64:16:172/128 { ... }
+ /* druid1001 */
+ 2620:0:861:104:10:64:5:101/128;
+ /* druid1002 */
+ 2620:0:861:106:10:64:36:102/128;
2620:0:861:107:10:64:48:171/128 { ... }
[edit firewall family inet6 filter analytics-in6 term druid from destination-address]
2620:0:861:107:10:64:48:227/128 { ... }
+ /* druid1003 */
+ 2620:0:861:108:10:64:53:103/128;
[edit firewall family inet6 filter analytics-in6]
term druid { ... }
+ /*
+ ** T177821
+ */
+ term syslog {
+ from {
+ destination-address {
+ /* centrallog2001 */
+ 2620:0:860:104:10:192:48:64/128;
+ /* centrallog1001 */
+ 2620:0:861:107:10:64:48:113/128;
+ }
+ next-header udp;
+ destination-port 514;
+ }
+ then accept;
+ }
+ /*
+ ** T177821
+ */
+ term syslog-tls {
+ from {
+ destination-address {
+ /* centrallog2001 */
+ 2620:0:860:104:10:192:48:64/128;
+ /* centrallog1001 */
+ 2620:0:861:107:10:64:48:113/128;
+ }
+ next-header tcp;
+ destination-port 6514;
+ }
+ then accept;
+ }
+ /*
+ ** T261489
+ */
+ term debmonitor {
+ from {
+ destination-address {
+ /* debmonitor2002 */
+ 2620:0:860:103:10:192:32:42/128;
+ /* debmonitor1002 */
+ 2620:0:861:102:10:64:16:72/128;
+ }
+ next-header tcp;
+ destination-port 443;
+ }
+ then accept;
+ }
term scap { ... }
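Review bot: `term syslog` accepts plaintext UDP 514 to the same two centrallog hosts that `term syslog-tls` already covers on TCP 6514, and both terms carry only the `T177821` reference. If every sender behind this filter has moved to TLS, the UDP term can be left out of the generated policy. If not, the comment should say which senders still need it, for example `/* plaintext syslog, still required by <senders> - T177821 */`, so the exception is explicit and can be removed later.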
[edit firewall family inet6 filter analytics-in6 term scap from destination-address]
! 2620:0:860:103:10:192:32:7/128 { ... }
[edit firewall family inet6 filter analytics-in6 term scap from destination-address]
- /* deploy2001 */
- 2620:0:860:103:10:192:32:24/128;
- /* deploy1001 */
- 2620:0:861:103:10:64:32:16/128;
[edit firewall family inet6 filter analytics-in6 term kerberos from destination-address]
! 2620:0:860:104:10:192:48:135/128 { ... }
[edit firewall family inet6 filter analytics-in6 term idp from destination-address]
- /* idp2001.wikimedia.org */
+ /* idp2001 */
2620:0:860:1:208:80:153:23/128 { ... }
[edit firewall family inet6 filter analytics-in6 term idp from destination-address]
- /* idp1001.wikimedia.org */
+ /* idp1001 */
2620:0:861:1:208:80:154:26/128 { ... }