Alexandros Kosiaris has submitted this change and it was merged.

Change subject: let bastion hosts have base::firewall
......................................................................


let bastion hosts have base::firewall

Let all bastion hosts include base::firewall. Bastions should be
especially hardened. So let's get the default drop policy.

This patch has been waiting for quite a while because in the past we
wanted to wait for fenari to be gone and were worried about other
services on bastion hosts being blocked by the default drop policy.

Meanwhile fenari is gone, missing hosts have been added to this role
and we have added more firewall holes in role classes.

This was originally made to be able to include nrpe.

You could also say all bastion hosts should have nrpe and move this
over here as well.

Change-Id: I6a7e07c416ef3464add2af67117b8d42a2ece62b
---
M manifests/role/bastionhost.pp
1 file changed, 1 insertion(+), 0 deletions(-)

Approvals:
  Filippo Giunchedi: Looks good to me, but someone else must approve
  Alexandros Kosiaris: Verified; Looks good to me, approved
  jenkins-bot: Verified
  Dzahn: Looks good to me, but someone else must approve



diff --git a/manifests/role/bastionhost.pp b/manifests/role/bastionhost.pp
index 65aaac0..55e82ee 100644
--- a/manifests/role/bastionhost.pp
+++ b/manifests/role/bastionhost.pp
@@ -5,6 +5,7 @@
     }
 
     include ::bastionhost
+    include base::firewall
 
     ferm::service { 'ssh':
         desc  => 'SSH open from everywhere, this is a bastion host',
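Review bot: the added `include base::firewall` uses a relative class name, while the line directly above it uses the top-scope form `include ::bastionhost`. Suggest `include ::base::firewall` so both includes in this role follow the same fully qualified style. Separately, the commit message says this brings in the default drop policy, and the only opening visible in this hunk is the `ferm::service { 'ssh':` rule. Before rollout it is worth confirming that every other service running on hosts with this role (the message mentions nrpe) has its own `ferm::service` definition, and that SSH access to one bastion has been checked after a Puppet run.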

-- 
To view, visit https://gerrit.wikimedia.org/r/96424
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I6a7e07c416ef3464add2af67117b8d42a2ece62b
Gerrit-PatchSet: 7
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Filippo Giunchedi <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: John F. Lewis <[email protected]>
Gerrit-Reviewer: Matanya <[email protected]>
Gerrit-Reviewer: Ori.livneh <[email protected]>
Gerrit-Reviewer: Rush <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
