Dzahn has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/88755


Change subject: add networks to ferm,convert icinga iptables to ferm
......................................................................

add networks to ferm,convert icinga iptables to ferm

- attempt to convert the iptables rules on neon (icinga) that deny
  access to NSCA and snmp-trap from external networks into ferm rules

- for that, first add all the networks as variables into ferm config

Change-Id: I6f1ab6751fa02af4513fae2012d278784a80259a
---
M manifests/misc/icinga.pp
M modules/base/files/firewall/defs.production
2 files changed, 65 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/55/88755/1

diff --git a/manifests/misc/icinga.pp b/manifests/misc/icinga.pp
index 498e793..f543d47 100644
--- a/manifests/misc/icinga.pp
+++ b/manifests/misc/icinga.pp
@@ -614,11 +614,14 @@
 
 class icinga::monitor::firewall {
 
-  # deny access to port 5667 TCP (nsca) from external networks
-  # deny service snmp-trap (port 162) for external networks
+       include base::firewall
 
-  class iptables-purges {
+    # deny access to port 5667 TCP (nsca) from external networks
+       ferm::rule { 'nsca_5667':
+               rule => 'proto tcp dport 5667 { saddr $WMF_ALL ACCEPT; DROP; }'
+       }
 
+<<<<<<< HEAD
     require 'iptables::tables'
     iptables_purge_service{  'deny_pub_snmptrap': service => 'snmptrap' }
     iptables_purge_service{  'deny_pub_nsca': service => 'nsca' }
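Review bot: An unresolved merge conflict is committed here: `<<<<<<< HEAD` is a literal line of the `icinga::monitor::firewall` class body (its `=======`/`>>>>>>>` counterparts sit in the next hunk), so the manifest cannot be parsed, and until it is resolved the old `require 'iptables::tables'` / `iptables_purge_service` path and the new `ferm::rule` coexist. Resolve it by dropping the HEAD side (the iptables purge/add resources and the `require`) in favour of the ferm rules, which is what the commit message intends. The new lines also mix tabs and spaces (`include base::firewall` and the `ferm::rule` body are tab-indented, the comment is space-indented); pick one to match the file. The class body continues past the end of this hunk.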
@@ -656,8 +659,13 @@
     iptables_add_exec{ "${hostname}_nsca": service => 'nsca' }
     iptables_add_exec{ "${hostname}_snmptrap": service => 'snmptrap' }
   }
+=======
+    # deny access to port 162 TCP (snmp-trap) from external networks
+       ferm::rule { 'snmp-trap_162':
+               rule => 'proto tcp dport 162 { saddr $WMF_ALL ACCEPT; DROP; }'
+       }
+>>>>>>> 3be4d41... add networks to ferm,convert neon iptables to ferm
 
-  require 'icinga::monitor::firewall::iptables'
 }
 
 class icinga::monitor::jobqueue {
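Review bot: The `snmp-trap_162` rule matches only `proto tcp`, but SNMP traps are conventionally sent over UDP/162, so external UDP traps are not covered by this rule and whether they are dropped depends on base::firewall's default policy, which is not visible here. The `iptables_purge_service { 'deny_pub_snmptrap': service => 'snmptrap' }` resource it replaces is keyed on a service name whose protocol is defined elsewhere; check what that covered and mirror it, e.g. `rule => 'proto udp dport 162 { saddr $WMF_ALL ACCEPT; DROP; }'` or `proto (tcp udp)` if both are needed. This hunk also carries the `=======` and `>>>>>>>` tail of the conflict opened in the previous hunk, which must be removed before the manifest will compile.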
diff --git a/modules/base/files/firewall/defs.production 
b/modules/base/files/firewall/defs.production
index 1e2a8ca..6c17c0e 100644
--- a/modules/base/files/firewall/defs.production
+++ b/modules/base/files/firewall/defs.production
@@ -4,4 +4,56 @@
 
 @def $INTERNAL_V4 = (10.0.0.0/8);
 @def $INTERNAL_V6 = (2620:0:100::/56);
-@def $INTERNAL = ($INTERNAL_V4 $INTERNAL_V6);
\ No newline at end of file
+@def $INTERNAL = ($INTERNAL_V4 $INTERNAL_V6);
+
+@def @LOOPBACK_V4 = (127.0.0.0/8);
+@def @LOOPBACK_V6 = (0:0:0:0:0:0:0:1/128);
+@def @LOOPBACK = ($LOOPBACK_V4 $LOOPBACK_V6);
+
+@def $PRIVATE_PMTPA = (10.0.0.0/12);
+@def $PRIVATE_PMTPA_NOLABS = (10.0.0.0/14);
+
+@def $PRIVATE_ESAMS = (10.21.0.0/24);
+
+@def $PRIVATE_EQIAD = (10.64.0.0/12);
+
+@def $PRIVATE_ANALYTICS_B_EQIAD = (10.64.21.0/24);
+@def $PRIVATE_ANALYTICS_C_EQIAD = (10.64.36.0/24);
+@def $PRIVATE_ANALYTICS_EQIAD = ($PRIVATE_ANALYTICS_B_EQIAD 
$PRIVATE_ANALYTICS_C_EQIAD);
+
+@def $PRIVATE_ULSFO = (10.128.0.0/24);
+
+@def $PRIVATE_FRACK = (10.64.40.0/23);
+
+@def $PRIVATE_LABS_HOST_A_EQIAD = (10.64.4.0/24);
+@def $PRIVATE_LABS_HOST_B_EQIAD = (10.64.20.0/24);
+@def $PRIVATE_LABS_HOST_C_EQIAD = (10.64.37.0/24);
+@def $PRIVATE_LABS_HOST_D_EQIAD = (10.64.52.0/24);
+@def $PRIVATE_LABS_HOST_EQIAD = ($PRIVATE_LABS_HOST_A_EQIAD 
$PRIVATE_LABS_HOST_B_EQIAD $PRIVATE_LABS_HOST_C_EQIAD 
$PRIVATE_LABS_HOST_D_EQIAD);
+
+@def $PRIVATE_LABS_INST_A_EQIAD = (10.68.0.0/24);
+@def $PRIVATE_LABS_INST_B_EQIAD = (10.68.16.0/24);
+@def $PRIVATE_LABS_INST_C_EQIAD = (10.68.32.0/24);
+@def $PRIVATE_LABS_INST_D_EQIAD = (10.68.48.0/24);
+@def $PRIVATE_LABS_INST_EQIAD = ($PRIVATE_LABS_INST_A_EQIAD 
$PRIVATE_LABS_INST_B_EQIAD $PRIVATE_LABS_INST_C_EQIAD 
$PRIVATE_LABS_INST_D_EQIAD);
+
+@def $PRIVATE_LABS = ($PRIVATE_LABS_HOST_EQIAD $PRIVATE_LABS_INST_EQIAD);
+
+@def $PRIVATE_VIRT = (10.4.16.0/24);
+
+@def $PRIVATE_ALL = ($PRIVATE_PMTPA $PRIVATE_ESAMS $PRIVATE_EQIAD 
$PRIVATE_ULSFO);
+
+@def @PUBLIC_VIRT1 = (208.80.153.64/26);
+@def @PUBLIC_VIRT2 = (208.80.153.128/25);
+@def @PUBLIC_VIRT = ($PUBLIC_VIRT1 $PUBLIC_VIRT2);
+
+@def $PUBLIC_PMTPA = (208.80.152.0/24);
+@def $PUBLIC_EQIAD = (208.80.154.0/24);
+@def $PUBLIC_ESAMS = (91.198.174.0/25);
+@def $PUBLIC_ULSFO = (198.35.26.0/28);
+
+@def $PUBLIC_ALL = ($PUBLIC_PMTPA $PUBLIC_EQIAD $PUBLIC_ESAMS $PUBLIC_ULSFO);
+
+@def $PUBLIC_FUNDRAISING = (208.80.155.0/27);
+
+@def $WMF_ALL = ($PUBLIC_ALL $PRIVATE_ALL);
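Review bot: The `@def @LOOPBACK_V4`, `@LOOPBACK_V6`, `@LOOPBACK`, `@PUBLIC_VIRT1`, `@PUBLIC_VIRT2` and `@PUBLIC_VIRT` lines define variables with an `@` sigil, whereas ferm variables are written `$NAME` (every other definition in this hunk uses `@def $…`), so these six lines will not parse and the `$LOOPBACK_V4`/`$LOOPBACK_V6` references on the `@LOOPBACK` line are never defined; rewrite them as `@def $LOOPBACK_V4 = (127.0.0.0/8);` and likewise for the other five. Separately, `$WMF_ALL` is built from `$PRIVATE_ALL`, whose `$PRIVATE_PMTPA` (10.0.0.0/12) and `$PRIVATE_EQIAD` (10.64.0.0/12) members contain the `$PRIVATE_LABS_HOST_*`, `$PRIVATE_LABS_INST_*` (10.68.x) and `$PRIVATE_VIRT` (10.4.16.0/24) ranges defined in the same hunk, so anything that accepts `saddr $WMF_ALL` (the NSCA and snmp-trap rules in icinga.pp) is also reachable from labs instances. If labs should count as "external" for submitting passive check results and traps, a narrower set is needed (the hunk already defines `$PRIVATE_PMTPA_NOLABS` for that purpose); worth confirming with whoever owns these ranges before this is relied on.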


Gerrit-MessageType: newchange
Gerrit-Change-Id: I6f1ab6751fa02af4513fae2012d278784a80259a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <dz...@wikimedia.org>
