
Determine firewall and listening ports strategy for Elastic hosts
Closed, Declined | Public | 3 Estimated Story Points

Description

While working through T271143, we noticed that there are some inconsistencies between IPv4 and IPv6 on elastic hosts.

For example, we expose the IPv6 cleartext port (9200) in ferm/ip6tables, but there are no listening processes.

Opening this ticket so we can agree on what ports should be listening where, and achieve coherence between our firewall rules and listening ports.
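One way to check the coherence described above, as an added example that is not part of the original task: it compares the ports accepted on `INPUT` with the non-loopback TCP listeners, separately for IPv4 and IPv6. It assumes rules in `iptables -S` / `ip6tables -S` form (ferm source is not parsed) and sockets in `ss -H -ltn` form; the function names and the sample data are constructed for illustration.

```python
import re
# Constructed sample data, not taken from the hosts in this task; 9443 is an arbitrary second port.
RULES = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 9200 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT
"""
SS_LTN = """\
LISTEN 0 4096 0.0.0.0:9200 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9443 0.0.0.0:*
LISTEN 0 4096 [::]:9443 [::]:*
LISTEN 0 128 127.0.0.1:9300 0.0.0.0:*
"""

def accepted_ports(rules):
    """TCP destination ports ACCEPTed on INPUT in `iptables -S` style output."""
    ports = set()
    for line in rules.splitlines():
        if not (line.startswith("-A INPUT") and "-p tcp" in line and line.endswith("-j ACCEPT")):
            continue
        m = re.search(r"--dports? (\S+)", line)
        for item in m.group(1).split(",") if m else []:
            lo, _, hi = item.partition(":")  # single port or range "lo:hi"
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def listening_ports(ss_out):
    """Family -> TCP ports with a non-loopback listener, from `ss -H -ltn` output."""
    found = {"ipv4": set(), "ipv6": set()}
    for host, port in re.findall(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", ss_out, re.M):
        if host.startswith("127.") or host == "[::1]":
            continue  # loopback only, not reachable from other hosts
        # "*" is treated here as a dual-stack wildcard socket serving both families.
        fams = ["ipv6"] if host.startswith("[") else ["ipv4", "ipv6"] if host == "*" else ["ipv4"]
        for fam in fams:
            found[fam].add(int(port))
    return found

def audit(rules4, rules6, ss_out):
    """Per family: ports the firewall opens with no listener, and the reverse."""
    listen, report = listening_ports(ss_out), {}
    for fam, rules in (("ipv4", rules4), ("ipv6", rules6)):
        allowed = accepted_ports(rules)
        report[fam] = {"open_no_listener": sorted(allowed - listen[fam]),
                       "listener_not_allowed": sorted(listen[fam] - allowed)}
    return report

if __name__ == "__main__":
    print(audit(RULES, RULES, SS_LTN))
```

On the constructed input, the IPv6 entry reports port 9200 under `open_no_listener`, which is the kind of mismatch this task describes.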

Event Timeline

For the record, I think we should stop exposing the cleartext ports entirely and force external consumers to go through LVS, which uses the TLS ports.

But before we do that, I will definitely need some help from my team to identify stakeholders who would be disrupted by such a change.

MPhamWMF set the point value for this task to 3. Jun 6 2022, 3:46 PM

We have not had the time to finish this off, and because the current rules are already restricting most of the traffic, we will close this out.

We can make a similar ticket again when we have time.

bking triaged this task as Lowest priority.