
Audit analytics firewall filters
Closed, Resolved (Public)

Description

While working on Capirca I noticed that the analytics-in firewall filters contained outdated hosts.

Here is the current diff using Capirca. Let me know if something needs to change or if it can be (carefully) merged as is.

analytics-in4
[edit firewall family inet filter analytics-in4 term puppet from destination-address]
+        /* puppetmaster1003 */
+        10.64.16.36/32;
         10.64.16.73/32 { ... }
[edit firewall family inet filter analytics-in4 term puppet from destination-address]
         10.192.0.27/32 { ... }
+        /* puppetmaster2003 */
+        10.192.16.151/32;
+        /* puppetmaster2002 */
+        10.192.48.66/32;
[edit firewall family inet filter analytics-in4 term apt from destination-address]
!        208.80.153.42/32 { ... }
[edit firewall family inet filter analytics-in4 term webproxy from destination-address]
+        /* install3001 */
+        91.198.174.63/32;
+        /* install5001 */
+        103.102.166.13/32;
+        /* install4001 */
+        198.35.26.12/32;
         208.80.153.51/32 { ... }
[edit firewall family inet filter analytics-in4 term ldap from destination-address]
-        /* ldap-ro */
+        /* ldap-ro.eqiad */
         208.80.154.252/32 { ... }
[edit firewall family inet filter analytics-in4 term tftp from destination-address]
+        /* install3001 */
+        91.198.174.63/32;
+        /* install5001 */
+        103.102.166.13/32;
+        /* install4001 */
+        198.35.26.12/32;
         208.80.153.51/32 { ... }
[edit firewall family inet filter analytics-in4 term analytics-publicIP from destination-address]
-        /* dataset1001 */
+        /* cloudservices1004 */
         208.80.154.11/32 { ... }
[edit firewall family inet filter analytics-in4 term graphite from destination-address]
-        /* graphite1001 */
-        10.64.32.155/32;
-        /* graphite2001 */
-        10.192.16.33/32;
[edit firewall family inet filter analytics-in4 term statsd from destination-address]
-        /* graphite1001 */
-        10.64.32.155/32;
-        /* graphite2001 */
-        10.192.16.33/32;
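Review bot: the inet graphite and statsd hunks only drop graphite1001 and graphite2001 and add nothing in their place, while the inet6 block further down introduces graphite and statsd terms for graphite1004 and graphite2003. Junos compare output shows only changed entries, so the inet terms presumably already carry graphite1004/graphite2003 unchanged; a quick look at the live term before merging confirms metrics traffic keeps a destination after the removals.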
[edit firewall family inet filter analytics-in4 term mysql-dbstore from]
-       destination-port [ 3311-3318 3320 3350 ];
+       destination-port [ 3311-3320 3350 ];
[edit firewall family inet filter analytics-in4 term mysql-sqoop from]
-       destination-port 3311-3318;
+       destination-port 3311-3320;
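Review bot: both mysql hunks widen the port match rather than just reformatting it: mysql-dbstore goes from `[ 3311-3318 3320 3350 ]` to `[ 3311-3320 3350 ]`, newly allowing 3319, and mysql-sqoop goes from `3311-3318` to `3311-3320`, newly allowing 3319 and 3320. The collapsed range is probably what the Capirca service definition says, but confirm a dbstore instance actually listens on 3319 (and that sqoop should reach 3320) or tighten the definition so generated policy does not permit ports no service uses.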
[edit firewall family inet filter analytics-in4 term mysql-replica from]
-       destination-port [ 3351 3352 ];
+       destination-port 3351-3352;
[edit firewall family inet filter analytics-in4 term ssh from destination-address]
-        /* dubnium */
-        208.80.154.13/32;
-        /* aluminium, cobalt */
-        208.80.154.80/31;
[edit firewall family inet filter analytics-in4 term rsync-http-https from destination-address]
-        /* dubnium */
-        208.80.154.13/32;
-        /* aluminium, cobalt */
-        208.80.154.80/31;
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
!        10.64.0.175/32 { ... }
!        10.64.0.176/32 { ... }
!        10.64.0.181/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
        10.64.0.200/32 { ... }
!        10.64.16.30/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
        10.64.16.37/32 { ... }
!        10.64.16.99/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
        10.64.32.90/32 { ... }
!        10.64.32.106/32 { ... }
!        10.64.32.159/32 { ... }
!        10.64.32.160/32 { ... }
!        10.64.48.117/32 { ... }
!        10.64.48.140/32 { ... }
!        10.64.48.177/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
+        /* logstash1020 */
+        10.64.0.11/32;
+        /* logstash1007 */
+        10.64.0.37/32;
+        /* logstash1033 */
+        10.64.0.87/32;
+        /* logstash1008 */
+        10.64.0.90/32;
         10.64.0.175/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.0.181/32 { ... }
+        /* logstash1023 */
+        10.64.0.183/32;
+        /* logstash1024 */
+        10.64.0.184/32;
+        /* logstash1026 */
+        10.64.0.197/32;
         10.64.0.200/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.16.37/32 { ... }
+        /* logstash1021 */
+        10.64.16.41/32;
         10.64.16.99/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.16.99/32 { ... }
+        /* logstash1032 */
+        10.64.16.143/32;
+        /* logstash1027 */
+        10.64.16.169/32;
+        /* logstash1009 */
+        10.64.32.27/32;
         10.64.32.90/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.32.90/32 { ... }
+        /* logstash1025 */
+        10.64.32.96/32;
+        /* logstash1028 */
+        10.64.32.104/32;
         10.64.32.106/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.32.106/32 { ... }
+        /* logstash1034 */
+        10.64.32.112/32;
+        /* logstash1022 */
+        10.64.32.127/32;
         10.64.32.159/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.32.160/32 { ... }
+        /* logstash1030 */
+        10.64.48.22/32;
+        /* logstash1031 */
+        10.64.48.25/32;
+        /* kafka-main1004, kafka-main1005 */
+        10.64.48.30/31;
+        /* logstash1035 */
+        10.64.48.60/32;
         10.64.48.117/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.48.117/32 { ... }
+        /* logstash1029, kafka-jumbo1008 */
+        10.64.48.120/31;
         10.64.48.140/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.48.177/32 { ... }
+        /* logstash2033, kafka-main2001 */
+        10.192.0.16/31;
+        /* logstash2004 */
+        10.192.0.111/32;
+        /* logstash2001 */
+        10.192.0.112/32;
+        /* logstash2020 */
+        10.192.0.139/32;
+        /* logstash2023 */
+        10.192.0.153/32;
+        /* logstash2026 */
+        10.192.0.159/32;
         10.192.16.8/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.192.16.8/32 { ... }
+        /* logstash2034 */
+        10.192.16.30/32;
+        /* logstash2005, logstash2006 */
+        10.192.16.92/31;
+        /* logstash2024 */
+        10.192.16.145/32;
+        /* logstash2025 */
+        10.192.16.146/32;
+        /* logstash2027 */
+        10.192.16.150/32;
+        /* logstash2021 */
+        10.192.16.169/32;
+        /* logstash2035 */
+        10.192.32.28/32;
         10.192.32.136/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.192.32.136/32 { ... }
+        /* logstash2022 */
+        10.192.32.150/32;
+        /* logstash2002 */
+        10.192.32.180/32;
+        /* logstash2028 */
+        10.192.32.189/32;
+        /* kafka-main2004 */
+        10.192.48.38/32;
+        /* kafka-main2005 */
+        10.192.48.46/32;
+        /* logstash2003 */
+        10.192.48.131/32;
+        /* logstash2030 */
+        10.192.48.136/32;
+        /* logstash2029 */
+        10.192.48.140/32;
+        /* logstash2031 */
+        10.192.48.158/32;
-        /* kafka-main2001 */
-        10.192.0.17/32;
-        /* kafka-jumbo1008 */
-        10.64.48.121/32;
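Review bot: the kafka term is the largest widening in this diff, gaining forty logstash hosts across both sites plus kafka-main1004/1005 and kafka-main2004/2005, which suggests the Capirca network object behind this term now covers the logging cluster's brokers as well as the main and jumbo ones. If the analytics VLAN only needs the jumbo and main brokers, narrow the definition before merging rather than accepting the generated set. Also, `/* logstash1029, kafka-jumbo1008 */ 10.64.48.120/31` and `/* logstash2033, kafka-main2001 */ 10.192.0.16/31` are address-equivalent to the removed /32s plus the new logstash hosts, but the aggregation ties two unrelated roles into one prefix, so a future decommission of either host will have to split the prefix again rather than delete one line.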
[edit firewall family inet filter analytics-in4 term gerrit from destination-address]
-        /* gerrit2001 */
+        /* gerrit-replica.wikimedia.org */
         208.80.153.107/32 { ... }
[edit firewall family inet filter analytics-in4 term gerrit from destination-address]
         208.80.153.107/32 { ... }
+        /* gerrit1001, gerrit.wikimedia.org */
+        208.80.154.136/31;
-        /* gerrit.wikimedia.org */
-        208.80.154.137/32;
-        /* gerrit1001 */
-        208.80.154.136/32;
[edit firewall family inet filter analytics-in4 term gerrit from]
-       destination-port [ 29418 443 ];
+       destination-port [ 443 29418 ];
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
+        /* backup1003 */
+        10.64.16.107/32;
+        /* backup1002 */
+        10.64.32.107/32;
         10.64.48.36/32 { ... }
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
         10.64.48.36/32 { ... }
+        /* backup2002 */
+        10.192.0.190/32;
+        /* backup2003 */
+        10.192.32.35/32;
         10.192.48.116/32 { ... }
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
-        /* helium */
-        10.64.0.179/32;
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
+        /* aqs1010 */
+        10.64.0.40/32;
+        /* aqs1010 */
+        10.64.0.88/32;
         10.64.0.107/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
         10.64.0.107/32 { ... }
+        /* aqs1010 */
+        10.64.0.120/32;
-        /* aqs1004-a, aqs1004-b */
+        /* aqs1004 */
         10.64.0.126/31 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
-        /* aqs1007-a */
+        /* aqs1007 */
         10.64.0.213/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
-        /* aqs1007-b */
+        /* aqs1007 */
         10.64.0.237/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
-        /* aqs1008-a */
+        /* aqs1008 */
         10.64.16.74/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
-        /* aqs1008-b */
+        /* aqs1008 */
         10.64.16.78/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
         10.64.16.78/32 { ... }
+        /* aqs1011 */
+        10.64.16.201/32;
+        /* aqs1011 */
+        10.64.16.204/32;
+        /* aqs1011 */
+        10.64.16.206/32;
+        /* aqs1012 */
+        10.64.32.16/32;
+        /* aqs1012 */
+        10.64.32.128/32;
+        /* aqs1013 */
+        10.64.32.136/32;
         10.64.32.138/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
         10.64.32.138/32 { ... }
+        /* aqs1012 */
+        10.64.32.145/32;
+        /* aqs1013 */
+        10.64.32.146/31;
-        /* aqs1005-a */
+        /* aqs1005 */
         10.64.32.189/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
-        /* aqs1005-b */
+        /* aqs1005 */
         10.64.32.190/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
         10.64.32.190/32 { ... }
+        /* aqs1014, aqs1015 */
+        10.64.48.62/31;
+        /* aqs1014 */
+        10.64.48.65/32;
+        /* aqs1014 */
+        10.64.48.67/32;
+        /* aqs1015 */
+        10.64.48.68/31;
         10.64.48.119/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
-        /* aqs1009-a, aqs1009-b */
+        /* aqs1009 */
         10.64.48.122/31 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
-        /* aqs1006-a, aqs1006-b */
+        /* aqs1006 */
         10.64.48.148/31 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
!        10.2.2.32/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.64.0.17/32 { ... }
+        /* wdqs1006 */
+        10.64.0.109/32;
+        /* wdqs1011 */
+        10.64.0.203/32;
+        /* wdqs1007 */
+        10.64.16.10/32;
+        /* wdqs1009 */
+        10.64.16.15/32;
+        /* wdqs1012 */
+        10.64.16.170/32;
+        /* wdqs1010 */
+        10.64.32.63/32;
+        /* wdqs1013 */
+        10.64.32.105/32;
+        /* wdqs1008 */
+        10.64.48.24/32;
         10.64.48.46/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.64.48.46/32 { ... }
+        /* wdqs2004 */
+        10.192.0.20/32;
         10.192.0.29/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.192.0.29/32 { ... }
+        /* wdqs2005 */
+        10.192.16.4/32;
+        /* wdqs2007 */
+        10.192.16.156/32;
         10.192.32.148/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.192.32.148/32 { ... }
+        /* wdqs2008 */
+        10.192.32.194/32;
         10.192.48.65/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.192.48.65/32 { ... }
+        /* wdqs2006 */
+        10.192.48.92/32;
[edit firewall family inet filter analytics-in4 term druid from destination-address]
        10.64.0.35/32 { ... }
!        10.64.16.171/32 { ... }
[edit firewall family inet filter analytics-in4 term druid from destination-address]
         10.64.0.35/32 { ... }
+        /* druid1001 */
+        10.64.5.101/32;
         10.64.16.171/32 { ... }
[edit firewall family inet filter analytics-in4 term druid from destination-address]
         10.64.16.172/32 { ... }
+        /* druid1002 */
+        10.64.36.102/32;
         10.64.48.171/32 { ... }
[edit firewall family inet filter analytics-in4 term druid from destination-address]
         10.64.48.227/32 { ... }
+        /* druid1003 */
+        10.64.53.103/32;
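Review bot: the three new druid addresses (10.64.5.101, 10.64.36.102, 10.64.53.103) sit in /24 ranges that no other entry in this filter uses, and the existing druid entries stay, so the Capirca host definitions now resolve druid1001-1003 to two addresses each. Confirm the services bind on the new addresses and that traffic to them actually traverses this filter; otherwise the entries are harmless but dead, and dead permits tend to outlive the hosts they were written for.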
[edit firewall family inet filter analytics-in4 term syslog from destination-address]
-        /* wezen */
+        /* centrallog2001 */
         10.192.48.64/32 { ... }
[edit firewall family inet filter analytics-in4 term syslog from destination-address]
-        /* lithium */
-        10.64.32.154/32;
[edit firewall family inet filter analytics-in4 term syslog-tls from destination-address]
-        /* wezen */
+        /* centrallog2001 */
         10.192.48.64/32 { ... }
[edit firewall family inet filter analytics-in4 term syslog-tls from destination-address]
-        /* lithium */
-        10.64.32.154/32;
[edit firewall family inet filter analytics-in4 term scap from destination-address]
-        /* deploy1001 */
-        10.64.32.16/32;
-        /* deploy2001 */
-        10.192.32.24/32;
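Review bot: the scap hunk only removes deploy1001 and deploy2001 and adds no replacement, unlike bacula above where helium is replaced by backup1002/1003 and backup2002/2003. Since compare output hides unchanged entries, check that the term still lists the current deployment servers before merging; if it does not, analytics hosts lose scap reachability the moment this is committed.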
[edit firewall family inet filter analytics-in4 term swift from destination-address]
        10.2.1.27/32 { ... }
!        10.2.1.54/32 { ... }
[edit firewall family inet filter analytics-in4 term swift from destination-address]
-        /* swift.svc.codfw */
+        /* ms-fe.svc.codfw.wmnet */
         10.2.1.27/32 { ... }
[edit firewall family inet filter analytics-in4 term swift from destination-address]
-        /* swift.svc.eqiad */
+        /* ms-fe.svc.eqiad.wmnet */
         10.2.2.27/32 { ... }
[edit firewall family inet filter analytics-in4 term schema from destination-address]
-        /* schema.svc.codfw */
+        /* schema.svc.codfw.wmnet */
         10.2.1.43/32 { ... }
[edit firewall family inet filter analytics-in4 term schema from destination-address]
-        /* schema.svc.eqiad */
+        /* schema.svc.eqiad.wmnet */
         10.2.2.43/32 { ... }
[edit firewall family inet filter analytics-in4 term kerberos from destination-address]
-        /* kerberos1001 */
-        10.64.0.182/32;
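Review bot: same pattern as scap: kerberos1001 is removed with no KDC added in its place. Confirm the current KDC addresses remain in the term, because an unreachable KDC fails closed for every Kerberos-authenticated service on the analytics hosts; this is an availability risk more than a security one, but it is the kind of change that should be verified against the live term rather than inferred from the diff.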
[edit firewall family inet filter analytics-in4 term eventgate-analytics from destination-address]
!        10.2.1.42/32 { ... }
[edit firewall family inet filter analytics-in4 term eventgate-main from destination-address]
!        10.2.1.45/32 { ... }
[edit firewall family inet filter analytics-in4 term eventgate-logging-ext from destination-address]
!        10.2.1.50/32 { ... }
[edit firewall family inet filter analytics-in4 term eventgate-analytics-ext from destination-address]
!        10.2.1.52/32 { ... }
[edit firewall family inet filter analytics-in4 term idp from destination-address]
-        /* idp2001.wikimedia.org */
+        /* idp2001 */
         208.80.153.23/32 { ... }
[edit firewall family inet filter analytics-in4 term idp from destination-address]
-        /* idp1001.wikimedia.org */
+        /* idp1001 */
         208.80.154.26/32 { ... }
[edit firewall family inet filter analytics-in4 term mediawiki-api from destination-address]
!        10.2.1.22/32 { ... }
[edit firewall family inet filter analytics-in4 term mediawiki-api from]
-       destination-port [ 443 80 ];
+       destination-port [ 80 443 ];

The same, removing the obviously OK lines (e.g. description changes, ordering, etc.):

analytics-in4 cleaned
[edit firewall family inet filter analytics-in4 term puppet from destination-address]
+        /* puppetmaster1003 */
+        10.64.16.36/32;
         10.64.16.73/32 { ... }
[edit firewall family inet filter analytics-in4 term puppet from destination-address]
         10.192.0.27/32 { ... }
+        /* puppetmaster2003 */
+        10.192.16.151/32;
+        /* puppetmaster2002 */
+        10.192.48.66/32;
[edit firewall family inet filter analytics-in4 term apt from destination-address]
!        208.80.153.42/32 { ... }
[edit firewall family inet filter analytics-in4 term webproxy from destination-address]
+        /* install3001 */
+        91.198.174.63/32;
+        /* install5001 */
+        103.102.166.13/32;
+        /* install4001 */
+        198.35.26.12/32;
         208.80.153.51/32 { ... }
[edit firewall family inet filter analytics-in4 term tftp from destination-address]
+        /* install3001 */
+        91.198.174.63/32;
+        /* install5001 */
+        103.102.166.13/32;
+        /* install4001 */
+        198.35.26.12/32;
         208.80.153.51/32 { ... }
[edit firewall family inet filter analytics-in4 term graphite from destination-address]
-        /* graphite1001 */
-        10.64.32.155/32;
-        /* graphite2001 */
-        10.192.16.33/32;
[edit firewall family inet filter analytics-in4 term statsd from destination-address]
-        /* graphite1001 */
-        10.64.32.155/32;
-        /* graphite2001 */
-        10.192.16.33/32;
[edit firewall family inet filter analytics-in4 term mysql-dbstore from]
-       destination-port [ 3311-3318 3320 3350 ];
+       destination-port [ 3311-3320 3350 ];
[edit firewall family inet filter analytics-in4 term mysql-sqoop from]
-       destination-port 3311-3318;
+       destination-port 3311-3320;
[edit firewall family inet filter analytics-in4 term ssh from destination-address]
-        /* dubnium */
-        208.80.154.13/32;
-        /* aluminium, cobalt */
-        208.80.154.80/31;
[edit firewall family inet filter analytics-in4 term rsync-http-https from destination-address]
-        /* dubnium */
-        208.80.154.13/32;
-        /* aluminium, cobalt */
-        208.80.154.80/31;
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
+        /* logstash1020 */
+        10.64.0.11/32;
+        /* logstash1007 */
+        10.64.0.37/32;
+        /* logstash1033 */
+        10.64.0.87/32;
+        /* logstash1008 */
+        10.64.0.90/32;
         10.64.0.175/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.0.181/32 { ... }
+        /* logstash1023 */
+        10.64.0.183/32;
+        /* logstash1024 */
+        10.64.0.184/32;
+        /* logstash1026 */
+        10.64.0.197/32;
         10.64.0.200/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.16.37/32 { ... }
+        /* logstash1021 */
+        10.64.16.41/32;
         10.64.16.99/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.16.99/32 { ... }
+        /* logstash1032 */
+        10.64.16.143/32;
+        /* logstash1027 */
+        10.64.16.169/32;
+        /* logstash1009 */
+        10.64.32.27/32;
         10.64.32.90/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.32.90/32 { ... }
+        /* logstash1025 */
+        10.64.32.96/32;
+        /* logstash1028 */
+        10.64.32.104/32;
         10.64.32.106/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.32.106/32 { ... }
+        /* logstash1034 */
+        10.64.32.112/32;
+        /* logstash1022 */
+        10.64.32.127/32;
         10.64.32.159/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.32.160/32 { ... }
+        /* logstash1030 */
+        10.64.48.22/32;
+        /* logstash1031 */
+        10.64.48.25/32;
+        /* kafka-main1004, kafka-main1005 */
+        10.64.48.30/31;
+        /* logstash1035 */
+        10.64.48.60/32;
         10.64.48.117/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.48.117/32 { ... }
+        /* logstash1029, kafka-jumbo1008 */
+        10.64.48.120/31;
         10.64.48.140/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.48.177/32 { ... }
+        /* logstash2033, kafka-main2001 */
+        10.192.0.16/31;
+        /* logstash2004 */
+        10.192.0.111/32;
+        /* logstash2001 */
+        10.192.0.112/32;
+        /* logstash2020 */
+        10.192.0.139/32;
+        /* logstash2023 */
+        10.192.0.153/32;
+        /* logstash2026 */
+        10.192.0.159/32;
         10.192.16.8/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.192.16.8/32 { ... }
+        /* logstash2034 */
+        10.192.16.30/32;
+        /* logstash2005, logstash2006 */
+        10.192.16.92/31;
+        /* logstash2024 */
+        10.192.16.145/32;
+        /* logstash2025 */
+        10.192.16.146/32;
+        /* logstash2027 */
+        10.192.16.150/32;
+        /* logstash2021 */
+        10.192.16.169/32;
+        /* logstash2035 */
+        10.192.32.28/32;
         10.192.32.136/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.192.32.136/32 { ... }
+        /* logstash2022 */
+        10.192.32.150/32;
+        /* logstash2002 */
+        10.192.32.180/32;
+        /* logstash2028 */
+        10.192.32.189/32;
+        /* kafka-main2004 */
+        10.192.48.38/32;
+        /* kafka-main2005 */
+        10.192.48.46/32;
+        /* logstash2003 */
+        10.192.48.131/32;
+        /* logstash2030 */
+        10.192.48.136/32;
+        /* logstash2029 */
+        10.192.48.140/32;
+        /* logstash2031 */
+        10.192.48.158/32;
-        /* kafka-main2001 */
-        10.192.0.17/32;
-        /* kafka-jumbo1008 */
-        10.64.48.121/32;
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
+        /* backup1003 */
+        10.64.16.107/32;
+        /* backup1002 */
+        10.64.32.107/32;
         10.64.48.36/32 { ... }
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
         10.64.48.36/32 { ... }
+        /* backup2002 */
+        10.192.0.190/32;
+        /* backup2003 */
+        10.192.32.35/32;
         10.192.48.116/32 { ... }
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
-        /* helium */
-        10.64.0.179/32;
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
+        /* aqs1010 */
+        10.64.0.40/32;
+        /* aqs1010 */
+        10.64.0.88/32;
         10.64.0.107/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
         10.64.0.107/32 { ... }
+        /* aqs1010 */
+        10.64.0.120/32;
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
         10.64.16.78/32 { ... }
+        /* aqs1011 */
+        10.64.16.201/32;
+        /* aqs1011 */
+        10.64.16.204/32;
+        /* aqs1011 */
+        10.64.16.206/32;
+        /* aqs1012 */
+        10.64.32.16/32;
+        /* aqs1012 */
+        10.64.32.128/32;
+        /* aqs1013 */
+        10.64.32.136/32;
         10.64.32.138/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
         10.64.32.138/32 { ... }
+        /* aqs1012 */
+        10.64.32.145/32;
+        /* aqs1013 */
+        10.64.32.146/31;
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
         10.64.32.190/32 { ... }
+        /* aqs1014, aqs1015 */
+        10.64.48.62/31;
+        /* aqs1014 */
+        10.64.48.65/32;
+        /* aqs1014 */
+        10.64.48.67/32;
+        /* aqs1015 */
+        10.64.48.68/31;
         10.64.48.119/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.64.0.17/32 { ... }
+        /* wdqs1006 */
+        10.64.0.109/32;
+        /* wdqs1011 */
+        10.64.0.203/32;
+        /* wdqs1007 */
+        10.64.16.10/32;
+        /* wdqs1009 */
+        10.64.16.15/32;
+        /* wdqs1012 */
+        10.64.16.170/32;
+        /* wdqs1010 */
+        10.64.32.63/32;
+        /* wdqs1013 */
+        10.64.32.105/32;
+        /* wdqs1008 */
+        10.64.48.24/32;
         10.64.48.46/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.64.48.46/32 { ... }
+        /* wdqs2004 */
+        10.192.0.20/32;
         10.192.0.29/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.192.0.29/32 { ... }
+        /* wdqs2005 */
+        10.192.16.4/32;
+        /* wdqs2007 */
+        10.192.16.156/32;
         10.192.32.148/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.192.32.148/32 { ... }
+        /* wdqs2008 */
+        10.192.32.194/32;
         10.192.48.65/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.192.48.65/32 { ... }
+        /* wdqs2006 */
+        10.192.48.92/32;
[edit firewall family inet filter analytics-in4 term druid from destination-address]
         10.64.0.35/32 { ... }
+        /* druid1001 */
+        10.64.5.101/32;
         10.64.16.171/32 { ... }
[edit firewall family inet filter analytics-in4 term druid from destination-address]
         10.64.16.172/32 { ... }
+        /* druid1002 */
+        10.64.36.102/32;
         10.64.48.171/32 { ... }
[edit firewall family inet filter analytics-in4 term druid from destination-address]
         10.64.48.227/32 { ... }
+        /* druid1003 */
+        10.64.53.103/32;
[edit firewall family inet filter analytics-in4 term syslog from destination-address]
-        /* lithium */
-        10.64.32.154/32;
[edit firewall family inet filter analytics-in4 term syslog-tls from destination-address]
-        /* lithium */
-        10.64.32.154/32;
[edit firewall family inet filter analytics-in4 term scap from destination-address]
-        /* deploy1001 */
-        10.64.32.16/32;
-        /* deploy2001 */
-        10.192.32.24/32;
[edit firewall family inet filter analytics-in4 term kerberos from destination-address]
-        /* kerberos1001 */
-        10.64.0.182/32;
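The hand-filtering done above (dropping description changes and re-orderings) can be automated. The script below is an added example, not Capirca's code and not part of this task: it parses the Junos `show | compare` format these pastes use and reports only net changes in what a term permits, treating host-name comments, `!` annotation-only lines, `{ ... }` context, port re-orderings and address-equivalent aggregations (a /31 replacing its two /32s) as no change. The embedded `SAMPLE` is a constructed excerpt modelled on the hunks above, and the `dst-added`/`ports-opened`/`term-added` finding kinds are names chosen for this example.

```python
"""Triage a Junos "show | compare" diff of a firewall filter (added example, not
part of Capirca or of this task).  Host-name comments, "!" annotation-only lines,
"{ ... }" context, re-orderings and equivalent /31 aggregations carry no policy
change and fall out; what remains is the net change in reachable addresses and
ports per term."""
import ipaddress
import re

EDIT_RE = re.compile(r"^\[edit (.+)\]$")
PORT_RE = re.compile(r"^destination-port\s+(\[[^\]]*\]|\S+);$")

# Constructed excerpt modelled on the task's diff, cut down to representative hunks.
SAMPLE = """\
[edit firewall family inet filter analytics-in4 term puppet from destination-address]
+        /* puppetmaster1003 */
+        10.64.16.36/32;
         10.64.16.73/32 { ... }
[edit firewall family inet filter analytics-in4 term mysql-dbstore from]
-       destination-port [ 3311-3318 3320 3350 ];
+       destination-port [ 3311-3320 3350 ];
[edit firewall family inet filter analytics-in4 term gerrit from destination-address]
+        /* gerrit1001, gerrit.wikimedia.org */
+        208.80.154.136/31;
-        /* gerrit.wikimedia.org */
-        208.80.154.137/32;
-        /* gerrit1001 */
-        208.80.154.136/32;
[edit firewall family inet filter analytics-in4 term kerberos from destination-address]
-        /* kerberos1001 */
-        10.64.0.182/32;
[edit firewall family inet6 filter analytics-in6]
       term icinga { ... }
+      term ldap {
+          from {
+              destination-address {
+                  /* serpens */
+                  2620:0:860:2:208:80:153:49/128;
+              }
+              next-header tcp;
+              destination-port [ 389 636 ];
+          }
+          then accept;
+      }
"""


def parse_ports(spec):
    """Expand '[ 3311-3318 3320 3350 ]' or '3351-3352' into a set of port numbers."""
    ports = set()
    for tok in spec.strip("[] ").split():
        lo, _, hi = tok.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_compare(text):
    """Group '+'/'-' bodies under their '[edit ...]' path; context, '!' and comments are skipped."""
    hunks = []
    for raw in text.splitlines():
        m = EDIT_RE.match(raw.strip())
        if m:
            hunks.append((m.group(1), [], []))
        elif hunks and raw[:1] in ("+", "-") and not raw[1:].strip().startswith("/*"):
            hunks[-1][1 if raw[0] == "+" else 2].append(raw[1:].strip())
    return hunks


def covered(lines):
    """Addresses named by prefix lines (a /31 expands to both hosts); other statements are skipped."""
    addrs = set()
    for line in lines:
        try:
            addrs.update(ipaddress.ip_network(line.rstrip(";"), strict=False))
        except ValueError:  # 'then accept;', '}', next-header and destination-port lines
            pass
    return addrs


def port_set(lines):
    """Union of every destination-port statement among `lines`."""
    return set().union(*(parse_ports(m.group(1)) for m in map(PORT_RE.match, lines) if m))


def triage(text):
    """Return (kind, path, detail) for every net change in what the filter permits."""
    findings = []
    for path, added, removed in parse_compare(text):
        for kind, a, b in (("dst-added", added, removed), ("dst-removed", removed, added)):
            for addr in sorted(covered(a) - covered(b), key=lambda x: (x.version, x)):
                findings.append((kind, path, str(addr)))
        for kind, a, b in (("ports-opened", added, removed), ("ports-closed", removed, added)):
            delta = port_set(a) - port_set(b)
            if delta:
                findings.append((kind, path, ",".join(map(str, sorted(delta)))))
        for kind, lines in (("term-added", added), ("term-removed", removed)):
            findings.extend((kind, path, line.split()[1]) for line in lines if line.startswith("term "))
    return findings


if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Run as a script it prints the findings for the embedded sample; for a real review, pass the pasted compare output to `triage()`. Because addresses are compared as expanded sets, the gerrit /31 and the mysql-replica re-ordering in the task's diff yield no finding, while port 3319 in mysql-dbstore and the removal of kerberos1001 do, which is exactly the split the "cleaned" list makes by hand.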
v6
      filter analytics-in6 { ... }
[edit firewall family inet6 filter analytics-in6]
      term analytics-publicIP { ... }
!      term mysql-replica { ... }
[edit firewall family inet6 filter analytics-in6]
      term gerrit { ... }
!      term bacula { ... }
[edit firewall family inet6 filter analytics-in6 term puppet from destination-address]
         2620:0:860:101:10:192:0:27/128 { ... }
+        /* puppetmaster2003 */
+        2620:0:860:102:10:192:16:151/128;
+        /* puppetmaster2002 */
+        2620:0:860:104:10:192:48:66/128;
+        /* puppetmaster1003 */
+        2620:0:861:102:10:64:16:36/128;
         2620:0:861:102:10:64:16:73/128 { ... }
[edit firewall family inet6 filter analytics-in6 term apt from destination-address]
!        2620:0:860:2:208:80:153:42/128 { ... }
[edit firewall family inet6 filter analytics-in6 term webproxy from destination-address]
+        /* install5001 */
+        2001:df2:e500:1:103:102:166:13/128;
         2620:0:860:2:208:80:153:51/128 { ... }
[edit firewall family inet6 filter analytics-in6 term webproxy from destination-address]
         2620:0:861:1:208:80:154:32/128 { ... }
+        /* install3001 */
+        2620:0:862:1:91:198:174:63/128;
+        /* install4001 */
+        2620:0:863:1:198:35:26:12/128;
[edit firewall family inet6 filter analytics-in6]
       term icinga { ... }
+      term ldap {
+          from {
+              destination-address {
+                  /* serpens */
+                  2620:0:860:2:208:80:153:49/128;
+                  /* seaborgium */
+                  2620:0:861:3:208:80:154:79/128;
+              }
+              next-header tcp;
+              destination-port [ 389 636 ];
+          }
+          then accept;
+      }
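Review bot: this is a brand-new term in the inet6 filter, not a sync of an existing one, and it opens TCP 389 as well as 636 toward serpens and seaborgium, whereas the inet ldap hunk above refers to ldap-ro.eqiad at 208.80.154.252. Confirm the two families are meant to name different hosts, and whether plain 389 is needed over v6 when 636 is present; an LDAP bind over 389 without STARTTLS sends credentials in the clear, so if clients use LDAPS only, 389 can be dropped here.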
       term tftp { ... }
[edit firewall family inet6 filter analytics-in6 term tftp from destination-address]
+        /* install5001 */
+        2001:df2:e500:1:103:102:166:13/128;
         2620:0:860:2:208:80:153:51/128 { ... }
[edit firewall family inet6 filter analytics-in6 term tftp from destination-address]
         2620:0:861:1:208:80:154:32/128 { ... }
+        /* install3001 */
+        2620:0:862:1:91:198:174:63/128;
+        /* install4001 */
+        2620:0:863:1:198:35:26:12/128;
[edit firewall family inet6 filter analytics-in6 term analytics-publicIP from destination-address]
+        /* labstore1006 */
+        2620:0:861:1:208:80:154:7/128;
-        /* dataset1001 */
+        /* cloudservices1004 */
         2620:0:861:1:208:80:154:11/128 { ... }
[edit firewall family inet6 filter analytics-in6 term analytics-publicIP from destination-address]
         2620:0:861:1:208:80:154:32/128 { ... }
+        /* labstore1007 */
+        2620:0:861:4:208:80:155:106/128;
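Review bot: inet6 analytics-publicIP gains labstore1006 and labstore1007 while the inet hunk for the same term above only renames dataset1001 to cloudservices1004. Either the inet term already lists both labstore hosts or the v4 and v6 definitions have drifted; worth checking, since the point of generating both families from one source is that they stay in step.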
[edit firewall family inet6 filter analytics-in6]
       term analytics-publicIP { ... }
+      term graphite {
+          from {
+              destination-address {
+                  /* graphite2003 */
+                  2620:0:860:101:10:192:0:102/128;
+                  /* graphite1004 */
+                  2620:0:861:102:10:64:16:149/128;
+              }
+              next-header [ tcp udp ];
+              destination-port 2003;
+          }
+          then accept;
+      }
+      term statsd {
+          from {
+              destination-address {
+                  /* graphite2003 */
+                  2620:0:860:101:10:192:0:102/128;
+                  /* graphite1004 */
+                  2620:0:861:102:10:64:16:149/128;
+              }
+              next-header udp;
+              destination-port 8125;
+          }
+          then accept;
+      }
+      term mysql-dbstore {
+          from {
+              destination-address {
+                  /* dbstore1003 */
+                  2620:0:861:101:10:64:0:137/128;
+                  /* dbstore1004 */
+                  2620:0:861:102:10:64:16:26/128;
+                  /* dbstore1005 */
+                  2620:0:861:103:10:64:32:30/128;
+              }
+              next-header tcp;
+              destination-port [ 3311-3320 3350 ];
+          }
+          then accept;
+      }
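Review bot: three terms appear in inet6 for the first time. graphite and statsd reference graphite1004 and graphite2003, the hosts the inet terms presumably keep after dropping graphite1001/2001, so those two are v6 parity. mysql-dbstore carries the same widened `[ 3311-3320 3350 ]` range as the inet change, so the question about 3319 applies here too, and since dbstore1003-1005 had no v6 term before, confirm they actually listen on their v6 addresses; otherwise this is configuration that permits nothing reachable yet still has to be maintained.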
       term mysql-replica { ... }
[edit firewall family inet6 filter analytics-in6 term mysql-replica from]
-       destination-port [ 3351 3352 ];
+       destination-port 3351-3352;
[edit firewall family inet6 filter analytics-in6]
       term mysql-replica { ... }
+      term mysql-dbproxy {
+          from {
+              destination-address {
+                  /* dbproxy1013 */
+                  2620:0:861:101:10:64:0:135/128;
+                  /* dbproxy1015 */
+                  2620:0:861:102:10:64:16:19/128;
+              }
+              next-header tcp;
+              destination-port 3306;
+          }
+          then accept;
+      }
       term ssh { ... }
[edit firewall family inet6 filter analytics-in6 term ssh from destination-address]
-        /* aluminium, cobalt */
-        2620:0:861:3:208:80:154:80/127;
[edit firewall family inet6 filter analytics-in6 term rsync-http-https from destination-address]
+        /* mwlog2001 */
+        2620:0:860:103:10:192:32:131/128;
         2620:0:861:1:208:80:154:15/128 { ... }
[edit firewall family inet6 filter analytics-in6 term rsync-http-https from destination-address]
         2620:0:861:1:208:80:154:15/128 { ... }
+        /* ms-be1028 */
+        2620:0:861:101:10:64:0:21/128;
+        /* mwlog1001 */
+        2620:0:861:103:10:64:32:175/128;
         2620:0:861:107:10:64:48:95/128 { ... }
[edit firewall family inet6 filter analytics-in6 term rsync-http-https from destination-address]
-        /* aluminium, cobalt */
-        2620:0:861:3:208:80:154:80/127;
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
        2620:0:860:103:10:192:32:136/128 { ... }
!        2620:0:861:101:10:64:0:175/128 { ... }
!        2620:0:861:101:10:64:0:176/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
        2620:0:861:102:10:64:16:37/128 { ... }
!        2620:0:861:102:10:64:16:99/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
        2620:0:861:103:10:64:32:90/128 { ... }
!        2620:0:861:103:10:64:32:106/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
+        /* logstash2033, kafka-main2001 */
+        2620:0:860:101:10:192:0:16/127;
+        /* logstash2004 */
+        2620:0:860:101:10:192:0:111/128;
+        /* logstash2001 */
+        2620:0:860:101:10:192:0:112/128;
+        /* logstash2020 */
+        2620:0:860:101:10:192:0:139/128;
+        /* logstash2023 */
+        2620:0:860:101:10:192:0:153/128;
+        /* logstash2026 */
+        2620:0:860:101:10:192:0:159/128;
         2620:0:860:102:10:192:16:8/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
         2620:0:860:102:10:192:16:8/128 { ... }
+        /* logstash2034 */
+        2620:0:860:102:10:192:16:30/128;
+        /* logstash2005, logstash2006 */
+        2620:0:860:102:10:192:16:92/127;
+        /* logstash2024 */
+        2620:0:860:102:10:192:16:145/128;
+        /* logstash2025 */
+        2620:0:860:102:10:192:16:146/128;
+        /* logstash2027 */
+        2620:0:860:102:10:192:16:150/128;
+        /* logstash2021 */
+        2620:0:860:102:10:192:16:169/128;
+        /* logstash2035 */
+        2620:0:860:103:10:192:32:28/128;
         2620:0:860:103:10:192:32:136/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
         2620:0:860:103:10:192:32:136/128 { ... }
+        /* logstash2022 */
+        2620:0:860:103:10:192:32:150/128;
+        /* logstash2002 */
+        2620:0:860:103:10:192:32:180/128;
+        /* logstash2028 */
+        2620:0:860:103:10:192:32:189/128;
+        /* kafka-main2004 */
+        2620:0:860:104:10:192:48:38/128;
+        /* kafka-main2005 */
+        2620:0:860:104:10:192:48:46/128;
+        /* logstash2003 */
+        2620:0:860:104:10:192:48:131/128;
+        /* logstash2030 */
+        2620:0:860:104:10:192:48:136/128;
+        /* logstash2029 */
+        2620:0:860:104:10:192:48:140/128;
+        /* logstash2031 */
+        2620:0:860:104:10:192:48:158/128;
+        /* logstash1020 */
+        2620:0:861:101:10:64:0:11/128;
+        /* logstash1007 */
+        2620:0:861:101:10:64:0:37/128;
+        /* logstash1033 */
+        2620:0:861:101:10:64:0:87/128;
+        /* logstash1008 */
+        2620:0:861:101:10:64:0:90/128;
         2620:0:861:101:10:64:0:175/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
         2620:0:861:101:10:64:0:176/128 { ... }
+        /* logstash1010 */
+        2620:0:861:101:10:64:0:181/128;
+        /* logstash1023 */
+        2620:0:861:101:10:64:0:183/128;
+        /* logstash1024 */
+        2620:0:861:101:10:64:0:184/128;
+        /* logstash1026 */
+        2620:0:861:101:10:64:0:197/128;
         2620:0:861:101:10:64:0:200/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
         2620:0:861:101:10:64:0:200/128 { ... }
+        /* logstash1011 */
+        2620:0:861:102:10:64:16:30/128;
         2620:0:861:102:10:64:16:37/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
         2620:0:861:102:10:64:16:37/128 { ... }
+        /* logstash1021 */
+        2620:0:861:102:10:64:16:41/128;
         2620:0:861:102:10:64:16:99/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
         2620:0:861:102:10:64:16:99/128 { ... }
+        /* logstash1032 */
+        2620:0:861:102:10:64:16:143/128;
+        /* logstash1027 */
+        2620:0:861:102:10:64:16:169/128;
+        /* logstash1009 */
+        2620:0:861:103:10:64:32:27/128;
         2620:0:861:103:10:64:32:90/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
         2620:0:861:103:10:64:32:90/128 { ... }
+        /* logstash1025 */
+        2620:0:861:103:10:64:32:96/128;
+        /* logstash1028 */
+        2620:0:861:103:10:64:32:104/128;
         2620:0:861:103:10:64:32:106/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
         2620:0:861:103:10:64:32:106/128 { ... }
+        /* logstash1034 */
+        2620:0:861:103:10:64:32:112/128;
+        /* logstash1022 */
+        2620:0:861:103:10:64:32:127/128;
         2620:0:861:103:10:64:32:159/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
         2620:0:861:103:10:64:32:160/128 { ... }
+        /* logstash1030 */
+        2620:0:861:107:10:64:48:22/128;
+        /* logstash1031 */
+        2620:0:861:107:10:64:48:25/128;
+        /* kafka-main1004, kafka-main1005 */
+        2620:0:861:107:10:64:48:30/127;
+        /* logstash1035 */
+        2620:0:861:107:10:64:48:60/128;
         2620:0:861:107:10:64:48:117/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
         2620:0:861:107:10:64:48:117/128 { ... }
+        /* logstash1029, kafka-jumbo1008 */
+        2620:0:861:107:10:64:48:120/127;
         2620:0:861:107:10:64:48:140/128 { ... }
[edit firewall family inet6 filter analytics-in6 term kafka from destination-address]
         2620:0:861:107:10:64:48:140/128 { ... }
+        /* logstash1012 */
+        2620:0:861:107:10:64:48:177/128;
-        /* kafka-main2001 */
-        2620:0:860:101:10:192:0:17/128;
-        /* kafka-jumbo1008 */
-        2620:0:861:107:10:64:48:121/128;
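Review bot: the kafka term gains several dozen logstash* hosts, and the discussion further down the task states those hosts no longer carry Kafka brokers, so the source definition should drop them before this is applied rather than accepting a term this wide. Note also that Capirca has aggregated neighbouring /128s into /127s: `/* logstash2033, kafka-main2001 */ 2620:0:860:101:10:192:0:16/127` replaces the former kafka-main2001 /128 at :17, and `/* logstash1029, kafka-jumbo1008 */ 2620:0:861:107:10:64:48:120/127` replaces the kafka-jumbo1008 /128 at :121. Once the logstash hosts are removed these should regenerate as the original /128s; the next diff should be checked for exactly that.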
[edit firewall family inet6 filter analytics-in6 term gerrit from destination-address]
-        /* gerrit.wikimedia.org */
-        2620:0:861:2:208:80:154:137/128;
-        /* gerrit2001 */
-        2620:0:860:4:208:80:153:106/128;
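Review bot: both addresses in the gerrit term's destination-address (gerrit.wikimedia.org and gerrit2001) are removed and nothing is added, and no unchanged `{ ... }` entries are shown as context; confirm the term still has at least one destination-address after this change. If the Gerrit hosts moved to new addresses, the replacements should appear here as `+` lines; if the block ends up empty, a term matching only `destination-port [ 443 29418 ]` with `then accept` would accept traffic to any destination on those ports.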
[edit firewall family inet6 filter analytics-in6 term gerrit from]
-       destination-port [ 29418 443 ];
+       destination-port [ 443 29418 ];
[edit firewall family inet6 filter analytics-in6 term bacula from destination-address]
!        2620:0:860:104:10:192:48:116/128 { ... }
[edit firewall family inet6 filter analytics-in6 term bacula from destination-address]
+        /* backup2002 */
+        2620:0:860:101:10:192:0:190/128;
+        /* backup2003 */
+        2620:0:860:103:10:192:32:35/128;
         2620:0:860:104:10:192:48:116/128 { ... }
[edit firewall family inet6 filter analytics-in6 term bacula from destination-address]
         2620:0:860:104:10:192:48:116/128 { ... }
+        /* backup1003 */
+        2620:0:861:102:10:64:16:107/128;
+        /* backup1002 */
+        2620:0:861:103:10:64:32:107/128;
         2620:0:861:107:10:64:48:36/128 { ... }
[edit firewall family inet6 filter analytics-in6]
       term bacula { ... }
+      term aqs {
+          from {
+              destination-address {
+                  /* aqs1010 */
+                  2620:0:861:101:10:64:0:40/128;
+                  /* aqs1004 */
+                  2620:0:861:101:10:64:0:107/128;
+                  /* aqs1007 */
+                  2620:0:861:101:10:64:0:199/128;
+                  /* aqs1008 */
+                  2620:0:861:102:10:64:16:14/128;
+                  /* aqs1011 */
+                  2620:0:861:102:10:64:16:201/128;
+                  /* aqs1012 */
+                  2620:0:861:103:10:64:32:16/128;
+                  /* aqs1013 */
+                  2620:0:861:103:10:64:32:136/128;
+                  /* aqs1005 */
+                  2620:0:861:103:10:64:32:138/128;
+                  /* aqs1014, aqs1015 */
+                  2620:0:861:107:10:64:48:62/127;
+                  /* aqs1009 */
+                  2620:0:861:107:10:64:48:119/128;
+                  /* aqs1006 */
+                  2620:0:861:107:10:64:48:146/128;
+              }
+              next-header tcp;
+              destination-port 9042;
+          }
+          then accept;
+      }
+      term wdqs {
+          from {
+              destination-address {
+                  /* wdqs2004 */
+                  2620:0:860:101:10:192:0:20/128;
+                  /* wdqs2003 */
+                  2620:0:860:101:10:192:0:29/128;
+                  /* wdqs2005 */
+                  2620:0:860:102:10:192:16:4/128;
+                  /* wdqs2007 */
+                  2620:0:860:102:10:192:16:156/128;
+                  /* wdqs2007 */
+                  2620:0:860:102:4ed9:8fff:feaf:2d85/128;
+                  /* wdqs2001 */
+                  2620:0:860:103:10:192:32:148/128;
+                  /* wdqs2008 */
+                  2620:0:860:103:10:192:32:194/128;
+                  /* wdqs2008 */
+                  2620:0:860:103:4ed9:8fff:feaf:35df/128;
+                  /* wdqs2002 */
+                  2620:0:860:104:10:192:48:65/128;
+                  /* wdqs2006 */
+                  2620:0:860:104:10:192:48:92/128;
+                  /* wdqs1003 */
+                  2620:0:861:101:10:64:0:14/128;
+                  /* wdqs1004 */
+                  2620:0:861:101:10:64:0:17/128;
+                  /* wdqs1006 */
+                  2620:0:861:101:10:64:0:109/128;
+                  /* wdqs1011 */
+                  2620:0:861:101:10:64:0:203/128;
+                  /* wdqs1007 */
+                  2620:0:861:102:10:64:16:10/128;
+                  /* wdqs1009 */
+                  2620:0:861:102:10:64:16:15/128;
+                  /* wdqs1012 */
+                  2620:0:861:102:10:64:16:170/128;
+                  /* wdqs1010 */
+                  2620:0:861:103:10:64:32:63/128;
+                  /* wdqs1013 */
+                  2620:0:861:103:10:64:32:105/128;
+                  /* wdqs1008 */
+                  2620:0:861:107:10:64:48:24/128;
+                  /* wdqs1005 */
+                  2620:0:861:107:10:64:48:46/128;
+              }
+              next-header tcp;
+              destination-port 8888;
+          }
+          then accept;
+      }
       term icmp6 { ... }
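Review bot: in the new wdqs term, wdqs2007 and wdqs2008 each appear twice, once with the usual embedded-IPv4 address (2620:0:860:102:10:192:16:156/128 and 2620:0:860:103:10:192:32:194/128) and once with an EUI-64 style address (2620:0:860:102:4ed9:8fff:feaf:2d85/128 and 2620:0:860:103:4ed9:8fff:feaf:35df/128; the ff:fe in the middle is the autoconfiguration marker). Confirm that both addresses are current in the source data for those two hosts; if the autoconfigured addresses are stale, or only those two hosts still have them recorded, they should be dropped so the term does not carry addresses nobody maintains.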
[edit firewall family inet6 filter analytics-in6 term druid from destination-address]
        2620:0:861:101:10:64:0:35/128 { ... }
!        2620:0:861:102:10:64:16:171/128 { ... }
[edit firewall family inet6 filter analytics-in6 term druid from destination-address]
         2620:0:861:102:10:64:16:172/128 { ... }
+        /* druid1001 */
+        2620:0:861:104:10:64:5:101/128;
+        /* druid1002 */
+        2620:0:861:106:10:64:36:102/128;
         2620:0:861:107:10:64:48:171/128 { ... }
[edit firewall family inet6 filter analytics-in6 term druid from destination-address]
         2620:0:861:107:10:64:48:227/128 { ... }
+        /* druid1003 */
+        2620:0:861:108:10:64:53:103/128;
[edit firewall family inet6 filter analytics-in6]
       term druid { ... }
+      /*
+       ** T177821
+       */
+      term syslog {
+          from {
+              destination-address {
+                  /* centrallog2001 */
+                  2620:0:860:104:10:192:48:64/128;
+                  /* centrallog1001 */
+                  2620:0:861:107:10:64:48:113/128;
+              }
+              next-header udp;
+              destination-port 514;
+          }
+          then accept;
+      }
+      /*
+       ** T177821
+       */
+      term syslog-tls {
+          from {
+              destination-address {
+                  /* centrallog2001 */
+                  2620:0:860:104:10:192:48:64/128;
+                  /* centrallog1001 */
+                  2620:0:861:107:10:64:48:113/128;
+              }
+              next-header tcp;
+              destination-port 6514;
+          }
+          then accept;
+      }
+      /*
+       ** T261489
+       */
+      term debmonitor {
+          from {
+              destination-address {
+                  /* debmonitor2002 */
+                  2620:0:860:103:10:192:32:42/128;
+                  /* debmonitor1002 */
+                  2620:0:861:102:10:64:16:72/128;
+              }
+              next-header tcp;
+              destination-port 443;
+          }
+          then accept;
+      }
       term scap { ... }
[edit firewall family inet6 filter analytics-in6 term scap from destination-address]
!        2620:0:860:103:10:192:32:7/128 { ... }
[edit firewall family inet6 filter analytics-in6 term scap from destination-address]
-        /* deploy2001 */
-        2620:0:860:103:10:192:32:24/128;
-        /* deploy1001 */
-        2620:0:861:103:10:64:32:16/128;
[edit firewall family inet6 filter analytics-in6 term kerberos from destination-address]
!        2620:0:860:104:10:192:48:135/128 { ... }
[edit firewall family inet6 filter analytics-in6 term idp from destination-address]
-        /* idp2001.wikimedia.org */
+        /* idp2001 */
         2620:0:860:1:208:80:153:23/128 { ... }
[edit firewall family inet6 filter analytics-in6 term idp from destination-address]
-        /* idp1001.wikimedia.org */
+        /* idp1001 */
         2620:0:861:1:208:80:154:26/128 { ... }

Event Timeline

ayounsi created this task.

There is also a term permitting UDP fragments, I added a "count" to know if/why we're using it.

Looks like we're not. I'll remove it as well.

@razzi this is a good task to get started with the firewall rules of our VLAN :)

@razzi from our IRC chat, the way I'd approach it is:

  • for all the removed IPs, check if the host still exists; in most cases it's just that the host is gone and the ACL never got updated
  • for the changes of ports, check that the new set at least includes the old one, and isn't too broad
  • for added IP:
    • some of them seem straightforward, new AQS hosts in the AQS group, new puppet masters in the puppet group
    • some are less straightforward, logstash hosts in the kafka term, I guess it makes sense if it's there but worth checking if it's ok for them to be there
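
The second check (the new port set includes the old one and isn't too broad) can be automated against the Junos `show | compare` output itself. The script below is an added example, not code from this task, Homer or Capirca; it parses `destination-port` lines under each `[edit ...]` header, expands Junos port specs (single port, `lo-hi` range, `[ ... ]` list) into sets, and reports whether each change is equivalent, narrowed, widened or mixed. The sample input is constructed: the mysql-replica and gerrit hunks from this diff, an abbreviated copy of the new mysql-dbstore term with its addresses omitted, and a hypothetical hunk (term name `hypothetical`) that widens a port set so the flagged case is visible.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: two real destination-port hunks from the diff above,
# an abbreviated copy of the new mysql-dbstore term (addresses omitted), and a
# hypothetical hunk (term "hypothetical") that widens a port set.
SAMPLE_DIFF = """\
[edit firewall family inet6 filter analytics-in6 term mysql-replica from]
-       destination-port [ 3351 3352 ];
+       destination-port 3351-3352;
[edit firewall family inet6 filter analytics-in6 term gerrit from]
-       destination-port [ 29418 443 ];
+       destination-port [ 443 29418 ];
[edit firewall family inet6 filter analytics-in6]
+      term mysql-dbstore {
+          from {
+              next-header tcp;
+              destination-port [ 3311-3320 3350 ];
+          }
+          then accept;
+      }
[edit firewall family inet6 filter analytics-in6 term hypothetical from]
-       destination-port 443;
+       destination-port [ 443 8443 ];
"""

EDIT_RE = re.compile(r"^\[edit (.+)\]$")
# Opening line of a whole term being added/removed ("+      term foo {");
# context lines like "term foo { ... }" deliberately do not match.
TERM_RE = re.compile(r"^[-+ ]\s*term\s+(\S+)\s*\{\s*$")
PORT_RE = re.compile(r"^([+-])\s+destination-port\s+(.+?);\s*$")


def parse_ports(spec: str) -> Set[int]:
    """Expand a Junos port spec ('443', '3351-3352', '[ 3311-3320 3350 ]')
    into the set of individual ports it matches."""
    ports: Set[int] = set()
    for item in spec.strip().strip("[]").split():
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def port_changes(diff_text: str) -> Dict[str, Tuple[Set[int], Set[int]]]:
    """Collect (old, new) destination-port sets keyed by the [edit ...] path,
    extended with the term name when a whole term is added or removed."""
    changes: Dict[str, Tuple[Set[int], Set[int]]] = {}
    base_path = path = ""
    for line in diff_text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            base_path = path = m.group(1)
            continue
        m = TERM_RE.match(line)
        if m:
            path = f"{base_path} term {m.group(1)}"
            continue
        m = PORT_RE.match(line)
        if not m:
            continue
        old, new = changes.setdefault(path, (set(), set()))
        target = old if m.group(1) == "-" else new
        target.update(parse_ports(m.group(2)))
    return changes


def classify(old: Set[int], new: Set[int]) -> str:
    """Summarise how the port set moved; 'new', 'widened' and 'changed' are
    the verdicts that make ports reachable which were not reachable before."""
    if not old:
        return "new"
    if old == new:
        return "equivalent"
    if old < new:
        return "widened"
    if new < old:
        return "narrowed"
    return "changed"


def audit_port_changes(diff_text: str) -> List[Tuple[str, str, Set[int]]]:
    """Return (path, verdict, newly reachable ports) for every port change."""
    return [(path, classify(old, new), new - old)
            for path, (old, new) in port_changes(diff_text).items()]


if __name__ == "__main__":
    for path, verdict, opened in audit_port_changes(SAMPLE_DIFF):
        flag = "CHECK" if opened else "ok   "
        print(f"{flag} {verdict:<10} {path}  opened={sorted(opened)}")
```

Run it on the full compare output saved to a file and only the lines marked CHECK need a human look; the two real hunks above come out as equivalent because `[ 3351 3352 ]` and `3351-3352` expand to the same set and the gerrit change is only a reordering.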

Ok, for the kafka term, we no longer need any logstash hosts. The kafka logging cluster used to be colocated on a few logstash hosts, but no longer; they are all on kafka-loggingXXXX. This kafka term minus the logstash hosts looks correct to me.

For the removals, they all look correct to me and razzi. Let's proceed!

Change 698202 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/homer/public@master] Manage analytics-in4/6 with Capirca

https://gerrit.wikimedia.org/r/698202

Mentioned in SAL (#wikimedia-operations) [2021-06-22T14:01:39Z] <XioNoX> start updating analytics firewall rules to capirca generated ones on cr1-eqiad - T279429

Mentioned in SAL (#wikimedia-analytics) [2021-06-22T14:12:19Z] <XioNoX> start updating analytics firewall rules to capirca generated ones on cr1-eqiad - T279429

Mentioned in SAL (#wikimedia-analytics) [2021-06-22T14:28:40Z] <XioNoX> remove decom hosts from the analytics firewall filter on cr1-eqiad - T279429

Mentioned in SAL (#wikimedia-operations) [2021-06-22T14:37:25Z] <XioNoX> start updating analytics firewall rules to capirca generated ones on cr2-eqiad - T279429

Mentioned in SAL (#wikimedia-analytics) [2021-06-22T14:37:33Z] <XioNoX> start updating analytics firewall rules to capirca generated ones on cr2-eqiad - T279429

Mentioned in SAL (#wikimedia-analytics) [2021-06-22T14:46:34Z] <XioNoX> remove decom hosts from the analytics firewall filter on cr2-eqiad - T279429

Change 698202 merged by jenkins-bot:

[operations/homer/public@master] Manage analytics-in4/6 with Capirca

https://gerrit.wikimedia.org/r/698202