Matanya has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/117674

Change subject: icinga: replace iptable with ferm rules
......................................................................

icinga: replace iptables with ferm rules

Change-Id: Iaef6d1e5ed1c26df6ae54ef2a88b2108848582b3
---
M manifests/misc/icinga.pp
1 file changed, 25 insertions(+), 44 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/74/117674/1

diff --git a/manifests/misc/icinga.pp b/manifests/misc/icinga.pp
index a155f43..e9d5ba2 100644
--- a/manifests/misc/icinga.pp
+++ b/manifests/misc/icinga.pp
@@ -607,55 +607,36 @@
 
 }
 
-
 class icinga::monitor::firewall {
 
-  # deny access to port 5667 TCP (nsca) from external networks
-  # deny service snmp-trap (port 162) for external networks
+    $localhost_all         = '127.0.0.1',
+    $private_pmtpa_nolabs  = '10.0.0.0/14',
+    $private_esams         = '10.21.0.0/24',
+    $private_eqiad1        = '10.64.0.0/17',
+    $private_eqiad2        = '10.65.0.0/20',
+    $private_ulsfo         = '10.128.0.0/17',
+    $private_virt          = '10.4.16.0/24',
+    $public_152            = '208.80.152.0/24',
+    $public_153            = '208.80.153.128/26',
+    $public_154            = '208.80.154.0/24',
+    $public_fundraising    = '208.80.155.0/27',
+    $public_esams          = '91.198.174.0/25',
+    $public_ulsfo          = '198.35.26.0/23',
 
-  class iptables-purges {
+    #ncsa on port 5667
+    ferm::rule { 'ncsa_allowed':
+        rule => 'saddr ($localhost_all $private_pmtpa_nolabs $private_esams 
$private_eqiad1 $private_eqiad2 $private_ulsfo $private_virt $public_152 
$public_153 $public_154 $public_fundraising $public_esams $public_ulsfo ) proto 
tcp dport 5667 ACCEPT';
+    }
 
-    require 'iptables::tables'
-    iptables_purge_service{  'deny_pub_snmptrap': service => 'snmptrap' }
-    iptables_purge_service{  'deny_pub_nsca': service => 'nsca' }
-  }
+    #snmptrap on port 162
+    ferm::rule { 'snmptrap_allowed':
+        rule => 'saddr ($localhost_all $private_pmtpa_nolabs $private_esams 
$private_eqiad1 $private_eqiad2 $private_ulsfo $private_virt $public_152 
$public_153 $public_154 $public_fundraising $public_esams $public_ulsfo ) proto 
tcp dport 162 ACCEPT';
+    }
 
-  class iptables-accepts {
-
-    require 'icinga::monitor::firewall::iptables-purges'
-
-    iptables_add_service{ 'lo_all': interface            => 'lo', service      
          => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'localhost_all': source        => '127.0.0.1', 
service         => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'private_pmtpa_nolabs': source => '10.0.0.0/14', 
service       => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'private_esams': source        => '10.21.0.0/24', 
service      => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'private_eqiad1': source       => '10.64.0.0/17', 
service      => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'private_eqiad2': source       => '10.65.0.0/20', 
service      => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'private_ulsfo': source        => '10.128.0.0/17', 
service     => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'private_virt': source         => '10.4.16.0/24', 
service      => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'public_152': source           => '208.80.152.0/24', 
service   => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'public_153': source           => 
'208.80.153.128/26', service => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'public_154': source           => '208.80.154.0/24', 
service   => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'public_fundraising': source   => '208.80.155.0/27', 
service   => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'public_esams': source         => '91.198.174.0/25', 
service   => 'all', jump => 'ACCEPT' }
-    iptables_add_service{ 'public_ulsfo': source         => '198.35.26.0/23', 
service    => 'all', jump => 'ACCEPT'}
-  }
-
-  class iptables-drops {
-
-    require 'icinga::monitor::firewall::iptables-accepts'
-    iptables_add_service{ 'deny_pub_nsca': service => 'nsca', jump => 'DROP' }
-    iptables_add_service{ 'deny_pub_snmptrap': service => 'snmptrap', jump => 
'DROP' }
-    iptables_add_service{ 'TEMP_deny_smtp': service => 'smtp', jump => 'DROP' }
-  }
-
-  class iptables {
-
-    require 'icinga::monitor::firewall::iptables-drops'
-    iptables_add_exec{ "${hostname}_nsca": service => 'nsca' }
-    iptables_add_exec{ "${hostname}_snmptrap": service => 'snmptrap' }
-  }
-
-  require 'icinga::monitor::firewall::iptables'
+    #snmp on port 161
+    ferm::rule { 'snmp_allowed':
+        rule => 'saddr ($localhost_all $private_pmtpa_nolabs $private_esams 
$private_eqiad1 $private_eqiad2 $private_ulsfo $private_virt $public_152 
$public_153 $public_154 $public_fundraising $public_esams $public_ulsfo ) proto 
tcp dport 161 ACCEPT';
+    }
 }
 
 class icinga::monitor::jobqueue {
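Review bot: The `rule =>` strings of all three `ferm::rule` resources are single-quoted, so Puppet never interpolates `$localhost_all` and the other `$private_*`/`$public_*` names; ferm receives them as literal `$`-variables it has no `@def` for unless the base ferm configuration happens to define them (not visible here), and the preceding `$name = 'cidr',` lines with trailing commas are class-parameter syntax that is not valid inside a class body. SNMP queries (161) and SNMP traps (162) are UDP services, yet both new rules say `proto tcp`, so traps and polls from the listed networks would still be dropped under a default-deny ferm policy. The removed `iptables-accepts` rules admitted every service from these ranges and the `TEMP_deny_smtp` drop is not carried over; whether SSH/HTTP to the Icinga host and SMTP are still handled now depends on whatever base ferm rules this host gets, which this hunk does not show, and the commit message should state that intent. One source list in a double-quoted string fixes the interpolation and keeps the three rules identical in scope; a sketch follows (the `#ncsa` comments also mean NSCA).
```puppet
class icinga::monitor::firewall {

    # Networks allowed to deliver passive results and SNMP data to Icinga.
    # Puppet interpolates only inside double quotes, so keep this as one
    # string that is expanded into ferm's saddr list below.
    $monitoring_sources = '127.0.0.1 10.0.0.0/14 10.21.0.0/24 10.64.0.0/17 10.65.0.0/20 10.128.0.0/17 10.4.16.0/24 208.80.152.0/24 208.80.153.128/26 208.80.154.0/24 208.80.155.0/27 91.198.174.0/25 198.35.26.0/23'

    # NSCA passive check submission, TCP 5667
    ferm::rule { 'nsca_allowed':
        rule => "saddr (${monitoring_sources}) proto tcp dport 5667 ACCEPT",
    }

    # SNMP traps arrive over UDP 162
    ferm::rule { 'snmptrap_allowed':
        rule => "saddr (${monitoring_sources}) proto udp dport 162 ACCEPT",
    }

    # SNMP polling is UDP 161
    ferm::rule { 'snmp_allowed':
        rule => "saddr (${monitoring_sources}) proto udp dport 161 ACCEPT",
    }
}
```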

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iaef6d1e5ed1c26df6ae54ef2a88b2108848582b3
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Matanya <mata...@foss.co.il>
