Dzahn has uploaded a new change for review. https://gerrit.wikimedia.org/r/88755
Change subject: add networks to ferm,convert icinga iptables to ferm ...................................................................... add networks to ferm,convert icinga iptables to ferm - attempt to convert iptables on neon (icinga) that deny access to NSCA and snmp-trap from external networks to ferm - for that, first add all the networks as variables into ferm config Change-Id: I6f1ab6751fa02af4513fae2012d278784a80259a --- M manifests/misc/icinga.pp M modules/base/files/firewall/defs.production 2 files changed, 65 insertions(+), 5 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/55/88755/1
diff --git a/manifests/misc/icinga.pp b/manifests/misc/icinga.pp
index 498e793..f543d47 100644
--- a/manifests/misc/icinga.pp
+++ b/manifests/misc/icinga.pp
@@ -614,11 +614,14 @@ class icinga::monitor::firewall {
- # deny access to port 5667 TCP (nsca) from external networks
- # deny service snmp-trap (port 162) for external networks
+ include base::firewall
- class iptables-purges {
+ # deny access to port 5667 TCP (nsca) from external networks
+ ferm::rule { 'nsca_5667':
+ rule => 'proto tcp dport 5667 { saddr $WMF_ALL ACCEPT; DROP; }'
+ }
+<<<<<<< HEAD
 require 'iptables::tables'
 iptables_purge_service{ 'deny_pub_snmptrap': service => 'snmptrap' }
 iptables_purge_service{ 'deny_pub_nsca': service => 'nsca' }
@@ -656,8 +659,13 @@
 iptables_add_exec{ "${hostname}_nsca": service => 'nsca' }
 iptables_add_exec{ "${hostname}_snmptrap": service => 'snmptrap' }
 }
+=======
+ # deny access to port 162 TCP (snmp-trap) from external networks
+ ferm::rule { 'snmp-trap_162':
+ rule => 'proto tcp dport 162 { saddr $WMF_ALL ACCEPT; DROP; }'
+ }
+>>>>>>> 3be4d41... add networks to ferm,convert neon iptables to ferm
- require 'icinga::monitor::firewall::iptables'
 }
 class icinga::monitor::jobqueue {
diff --git a/modules/base/files/firewall/defs.production b/modules/base/files/firewall/defs.production
index 1e2a8ca..6c17c0e 100644
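Review bot: The added `+<<<<<<< HEAD` line in this hunk, together with `+=======` and `+>>>>>>> 3be4d41...` in the next one, commits unresolved merge-conflict markers into manifests/misc/icinga.pp, so the manifest will not parse and catalog compilation would fail for every node that includes it. Between the markers the HEAD side still carries the old `class iptables-purges` body that this change is meant to replace, so the conflict has to be resolved by hand rather than by stripping the markers: keep the two `ferm::rule` declarations and drop the `iptables::tables` purge and exec resources. Until that is done the host would most likely keep whatever firewall state it currently has, a silent no-op rather than the tightened ruleset the subject describes. The enclosing class icinga::monitor::firewall begins at the hunk header and continues past the hunk.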
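Review bot: `rule => 'proto tcp dport 162 { saddr $WMF_ALL ACCEPT; DROP; }'` in the snmp-trap_162 rule only matches TCP, whereas the removed rule used the `snmptrap` service name and the original comment said `(port 162)` without naming a protocol; SNMP traps are normally delivered over UDP, so UDP/162 from outside $WMF_ALL would no longer be dropped once iptables-purges is gone. Change the line to `rule => 'proto (tcp udp) dport 162 { saddr $WMF_ALL ACCEPT; DROP; }'` and drop the word TCP from the comment above it, or add a second rule for UDP if separate rule names are preferred. Also worth confirming: `$WMF_ALL` as defined in defs.production in this change is public plus private ranges, and the private ranges include the labs instance networks (10.68.0.0/24 and siblings lie inside 10.64.0.0/12), so labs instances could submit passive NSCA results on 5667; whether the iptables rules being removed allowed that is not visible in the hunk.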
--- a/modules/base/files/firewall/defs.production
+++ b/modules/base/files/firewall/defs.production
@@ -4,4 +4,56 @@
 @def $INTERNAL_V4 = (10.0.0.0/8);
 @def $INTERNAL_V6 = (2620:0:100::/56);
-@def $INTERNAL = ($INTERNAL_V4 $INTERNAL_V6);
\ No newline at end of file
+@def $INTERNAL = ($INTERNAL_V4 $INTERNAL_V6);
+
+@def @LOOPBACK_V4 = (127.0.0.0/8);
+@def @LOOPBACK_V6 = (0:0:0:0:0:0:0:1/128);
+@def @LOOPBACK = ($LOOPBACK_V4 $LOOPBACK_V6);
+
+@def $PRIVATE_PMTPA = (10.0.0.0/12);
+@def $PRIVATE_PMTPA_NOLABS = (10.0.0.0/14);
+
+@def $PRIVATE_ESAMS = (10.21.0.0/24);
+
+@def $PRIVATE_EQIAD = (10.64.0.0/12);
+
+@def $PRIVATE_ANALYTICS_B_EQIAD = (10.64.21.0/24);
+@def $PRIVATE_ANALYTICS_C_EQIAD = (10.64.36.0/24);
+@def $PRIVATE_ANALYTICS_EQIAD = ($PRIVATE_ANALYTICS_B_EQIAD $PRIVATE_ANALYTICS_C_EQIAD);
+
+@def $PRIVATE_ULSFO = (10.128.0.0/24);
+
+@def $PRIVATE_FRACK = (10.64.40.0/23);
+
+@def $PRIVATE_LABS_HOST_A_EQIAD = (10.64.4.0/24);
+@def $PRIVATE_LABS_HOST_B_EQIAD = (10.64.20.0/24);
+@def $PRIVATE_LABS_HOST_C_EQIAD = (10.64.37.0/24);
+@def $PRIVATE_LABS_HOST_D_EQIAD = (10.64.52.0/24);
+@def $PRIVATE_LABS_HOST_EQIAD = ($PRIVATE_LABS_HOST_A_EQIAD $PRIVATE_LABS_HOST_B_EQIAD $PRIVATE_LABS_HOST_C_EQIAD $PRIVATE_LABS_HOST_D_EQIAD);
+
+@def $PRIVATE_LABS_INST_A_EQIAD = (10.68.0.0/24);
+@def $PRIVATE_LABS_INST_B_EQIAD = (10.68.16.0/24);
+@def $PRIVATE_LABS_INST_C_EQIAD = (10.68.32.0/24);
+@def $PRIVATE_LABS_INST_D_EQIAD = (10.68.48.0/24);
+@def $PRIVATE_LABS_INST_EQIAD = ($PRIVATE_LABS_INST_A_EQIAD $PRIVATE_LABS_INST_B_EQIAD $PRIVATE_LABS_INST_C_EQIAD $PRIVATE_LABS_INST_D_EQIAD);
+
+@def $PRIVATE_LABS = ($PRIVATE_LABS_HOST_EQIAD $PRIVATE_LABS_INST_EQIAD);
+
+@def $PRIVATE_VIRT = (10.4.16.0/24);
+
+@def $PRIVATE_ALL = ($PRIVATE_PMTPA $PRIVATE_ESAMS $PRIVATE_EQIAD $PRIVATE_ULSFO);
+
+@def @PUBLIC_VIRT1 = (208.80.153.64/26);
+@def @PUBLIC_VIRT2 = (208.80.153.128/25);
+@def @PUBLIC_VIRT = ($PUBLIC_VIRT1 $PUBLIC_VIRT2);
+
+@def $PUBLIC_PMTPA = (208.80.152.0/24);
+@def $PUBLIC_EQIAD = (208.80.154.0/24);
+@def $PUBLIC_ESAMS = (91.198.174.0/25);
+@def $PUBLIC_ULSFO = 
(198.35.26.0/28);
+
+@def $PUBLIC_ALL = ($PUBLIC_PMTPA $PUBLIC_EQIAD $PUBLIC_ESAMS $PUBLIC_ULSFO);
+
+@def $PUBLIC_FUNDRAISING = (208.80.155.0/27);
+
+@def $WMF_ALL = ($PUBLIC_ALL $PRIVATE_ALL);
--
To view, visit https://gerrit.wikimedia.org/r/88755 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I6f1ab6751fa02af4513fae2012d278784a80259a Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Dzahn <dz...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
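Review bot: `@def @LOOPBACK_V4`, `@def @LOOPBACK_V6`, `@def @LOOPBACK`, `@def @PUBLIC_VIRT1`, `@def @PUBLIC_VIRT2` and `@def @PUBLIC_VIRT` name the variable with `@` instead of `$`; ferm variables are written `$NAME`, so these lines are a syntax error in a file that is presumably loaded by every host using base::firewall, and ferm would most likely refuse the whole ruleset on those hosts, not only on the icinga host this change targets. The later references `$LOOPBACK_V4`, `$LOOPBACK_V6`, `$PUBLIC_VIRT1` and `$PUBLIC_VIRT2` show the intended spelling, e.g. `@def $LOOPBACK_V4 = (127.0.0.0/8);`. Separately, `$PUBLIC_VIRT` (the 208.80.153.x ranges) and `$PUBLIC_FUNDRAISING` (208.80.155.0/27) are defined but not included in `$PUBLIC_ALL`, so anything there is treated as external by the `saddr $WMF_ALL` rules in icinga.pp; if that exclusion is intended, a one-line comment above `$PUBLIC_ALL` naming the deliberately excluded ranges would stop the next editor from folding them in.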