Matanya has uploaded a new change for review. https://gerrit.wikimedia.org/r/117674
Change subject: icinga: replace iptable with ferm rules
......................................................................
icinga: replace iptable with ferm rules
Change-Id: Iaef6d1e5ed1c26df6ae54ef2a88b2108848582b3
---
M manifests/misc/icinga.pp
1 file changed, 25 insertions(+), 44 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/74/117674/1
diff --git a/manifests/misc/icinga.pp b/manifests/misc/icinga.pp
index a155f43..e9d5ba2 100644
--- a/manifests/misc/icinga.pp
+++ b/manifests/misc/icinga.pp
@@ -607,55 +607,36 @@
 }
- class icinga::monitor::firewall {
- # deny access to port 5667 TCP (nsca) from external networks
- # deny service snmp-trap (port 162) for external networks
+ $localhost_all = '127.0.0.1',
+ $private_pmtpa_nolabs = '10.0.0.0/14',
+ $private_esams = '10.21.0.0/24',
+ $private_eqiad1 = '10.64.0.0/17',
+ $private_eqiad2 = '10.65.0.0/20',
+ $private_ulsfo = '10.128.0.0/17',
+ $private_virt = '10.4.16.0/24',
+ $public_152 = '208.80.152.0/24',
+ $public_153 = '208.80.153.128/26',
+ $public_154 = '208.80.154.0/24',
+ $public_fundraising = '208.80.155.0/27',
+ $public_esams = '91.198.174.0/25',
+ $public_ulsfo = '198.35.26.0/23',
- class iptables-purges {
+ #ncsa on port 5667
+ ferm::rule { 'ncsa_allowed':
+ rule => 'saddr ($localhost_all $private_pmtpa_nolabs $private_esams $private_eqiad1 $private_eqiad2 $private_ulsfo $private_virt $public_152 $public_153 $public_154 $public_fundraising $public_esams $public_ulsfo ) proto tcp dport 5667 ACCEPT';
+ }
- require 'iptables::tables'
- iptables_purge_service{ 'deny_pub_snmptrap': service => 'snmptrap' }
- iptables_purge_service{ 'deny_pub_nsca': service => 'nsca' }
- }
+ #snmptrap on port 162
+ ferm::rule { 'snmptrap_allowed':
+ rule => 'saddr ($localhost_all $private_pmtpa_nolabs $private_esams $private_eqiad1 $private_eqiad2 $private_ulsfo $private_virt $public_152 $public_153 $public_154 $public_fundraising $public_esams $public_ulsfo ) proto tcp dport 162 ACCEPT';
+ }
- class iptables-accepts {
-
- require 'icinga::monitor::firewall::iptables-purges'
- iptables_add_service{ 'lo_all': interface => 'lo', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'localhost_all': source => '127.0.0.1', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'private_pmtpa_nolabs': source => '10.0.0.0/14', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'private_esams': source => '10.21.0.0/24', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'private_eqiad1': source => '10.64.0.0/17', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'private_eqiad2': source => '10.65.0.0/20', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'private_ulsfo': source => '10.128.0.0/17', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'private_virt': source => '10.4.16.0/24', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'public_152': source => '208.80.152.0/24', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'public_153': source => '208.80.153.128/26', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'public_154': source => '208.80.154.0/24', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'public_fundraising': source => '208.80.155.0/27', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'public_esams': source => '91.198.174.0/25', service => 'all', jump => 'ACCEPT' }
- iptables_add_service{ 'public_ulsfo': source => '198.35.26.0/23', service => 'all', jump => 'ACCEPT'}
- }
-
- class iptables-drops {
-
- require 'icinga::monitor::firewall::iptables-accepts'
- iptables_add_service{ 'deny_pub_nsca': service => 'nsca', jump => 'DROP' }
- iptables_add_service{ 'deny_pub_snmptrap': service => 'snmptrap', jump => 'DROP' }
- iptables_add_service{ 'TEMP_deny_smtp': service => 'smtp', jump => 'DROP' }
- }
-
- class iptables {
-
- require 'icinga::monitor::firewall::iptables-drops'
- iptables_add_exec{ "${hostname}_nsca": service => 'nsca' }
- iptables_add_exec{ "${hostname}_snmptrap": service => 'snmptrap' }
- }
-
- require 'icinga::monitor::firewall::iptables'
+ #snmp on port 161
+ ferm::rule { 'snmp_allowed':
+ rule => 'saddr ($localhost_all $private_pmtpa_nolabs $private_esams $private_eqiad1 $private_eqiad2 $private_ulsfo $private_virt $public_152 $public_153 $public_154 $public_fundraising $public_esams $public_ulsfo ) proto tcp dport 161 ACCEPT';
+ }
 }
 class icinga::monitor::jobqueue {
--
To view, visit https://gerrit.wikimedia.org/r/117674
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iaef6d1e5ed1c26df6ae54ef2a88b2108848582b3 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Matanya <mata...@foss.co.il> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits