All existing ferm services without an explicit srange should be reviewed to see whether they can be restricted further. Also, it is worth considering making unrestricted access explicit with e.g. "srange => '$PUBLIC'" on the puppet level (the ferm config on the hosts would not be changed).
Event Timeline
Change 591000 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] tlsproxy::envoy: allow limiting firewall srange
Change 591000 merged by Dzahn:
[operations/puppet@production] tlsproxy::envoy: allow limiting firewall srange
This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!
For tips on how to manage individual work in Phabricator (noisy notifications, lists of tasks, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the record, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)
Change 632443 had a related patch set uploaded (by Effie Mouzeli; owner: Effie Mouzeli):
[operations/puppet@production] memcached: refactor rules
Change 632443 merged by Effie Mouzeli:
[operations/puppet@production] memcached: refactor rules
ferm services without srange:
category A, those that seem obviously public but are not made explicit as this ticket suggests:
modules/role/manifests/bastionhost.pp: ferm::service { 'ssh':
modules/profile/manifests/mw_rc_irc.pp: ferm::service { 'ircd_public':
modules/profile/manifests/mail/mx.pp: ferm::service { 'exim-smtp':
modules/profile/manifests/dumps/distribution/web.pp: ferm::service { 'xmldumps_http':
modules/profile/manifests/dumps/distribution/web.pp: ferm::service { 'xmldumps_https':
modules/profile/manifests/aptrepo/wikimedia.pp: ferm::service { 'aptrepos_public_http':
modules/profile/manifests/librenms.pp: ferm::service { 'librenms-http':
modules/profile/manifests/librenms.pp: ferm::service { 'librenms-https':
modules/profile/manifests/gitlab.pp: ferm::service { 'gitlab-http-certbot':
modules/profile/manifests/gitlab.pp: ferm::service { 'gitlab-https-public':
modules/profile/manifests/gitlab.pp: ferm::service { 'gitlab-ssh-public':
modules/profile/manifests/durum.pp: ferm::service { 'durum-https':
modules/profile/manifests/lists/ferm.pp: ferm::service { 'mailman-smtp':
modules/profile/manifests/lists/ferm.pp: ferm::service { 'mailman-http':
modules/profile/manifests/lists/ferm.pp: ferm::service { 'mailman-https':
modules/profile/manifests/gerrit.pp: ferm::service { 'gerrit_ssh_users':
modules/profile/manifests/gerrit.pp: ferm::service { 'gerrit_http':
modules/profile/manifests/gerrit.pp: ferm::service { 'gerrit_https':
Should we still add the PUBLIC srange to all of those to make it obvious?
category B, those where it's not obvious to me:
modules/service/manifests/node.pp: ferm::service { $title:
modules/pontoon/manifests/lb.pp: ferm::service { 'pontoon-lb-dns':
modules/profile/manifests/netconsole/server.pp: ferm::service { 'netconsole-server':
modules/profile/manifests/archiva.pp: ferm::service { 'archiva_rsync':
modules/profile/manifests/maps/tlsproxy.pp: ferm::service { 'maps-proxy-https':
modules/profile/manifests/proxysql.pp: #ferm::service { 'proxysql_mysql':
modules/profile/manifests/eventschemas/service.pp: ferm::service { 'eventschemas_service_http':
modules/profile/manifests/netbox.pp: ferm::service { 'netbox_https':
modules/profile/manifests/pontoon/lb.pp: ferm::service { "pontoon-lb-${p}":
modules/profile/manifests/redis/slave.pp: ferm::service { 'redis_slave_role':
modules/profile/manifests/librenms.pp: ferm::service { 'librenms-rsyslog':
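The review the task description asks for, and the grep-style listing in the comment above, can be done with a small audit script. The following is an added example, not code from the task or from operations/puppet: it scans manifest text for ferm::service resources, reports whether each one has no srange (implicitly world-reachable), an explicit '$PUBLIC' srange, or a restricted srange, and skips commented-out resources (note the #ferm::service entry for proxysql in category B, which a plain grep picks up although it is not live policy). The manifest snippets, file names and resource titles are constructed for illustration; the attribute names (srange, proto, port) and the '$PUBLIC' convention come from the task.

```python
import re

# Constructed sample manifests standing in for .pp files from the repository.
# Paths and titles are illustrative, not copied from operations/puppet.
SAMPLE_MANIFESTS = {
    "modules/profile/manifests/example_public.pp": """
class profile::example_public {
    # Implicitly world-reachable: no srange at all.
    ferm::service { 'example-https':
        proto => 'tcp',
        port  => '443',
    }
    # Explicitly public, as the task proposes.
    ferm::service { 'example-http':
        proto  => 'tcp',
        port   => '80',
        srange => '$PUBLIC',
    }
}
""",
    "modules/profile/manifests/example_internal.pp": """
class profile::example_internal {
    ferm::service { 'example-internal':
        proto  => 'tcp',
        port   => '8080',
        srange => '$DOMAIN_NETWORKS',
    }
    # Commented-out resource: not live firewall policy, must not be counted.
    #ferm::service { 'example-disabled':
    #    proto => 'tcp',
    #    port  => '3306',
    #}
}
""",
}

# Start of a ferm::service resource; the title runs up to the first colon.
RESOURCE_RE = re.compile(r"ferm::service\s*\{\s*(?P<title>[^:]+?)\s*:", re.S)
# srange attribute inside the resource body (value assumed not to contain a comma).
SRANGE_RE = re.compile(r"\bsrange\s*=>\s*(?P<value>[^,\n]+)")


def strip_comments(text):
    """Drop full-line Puppet comments so disabled resources are not reported."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def find_ferm_services(text):
    """Return [(title, srange_or_None), ...] for every live ferm::service in text."""
    clean = strip_comments(text)
    found = []
    for m in RESOURCE_RE.finditer(clean):
        title = m.group("title").strip().strip("'\"")
        # Walk forward from the colon, counting braces, to find the resource body.
        depth, i, start = 1, m.end(), m.end()
        while i < len(clean) and depth:
            depth += {"{": 1, "}": -1}.get(clean[i], 0)
            i += 1
        body = clean[start:i - 1]
        sm = SRANGE_RE.search(body)
        srange = sm.group("value").strip().rstrip(",").strip() if sm else None
        found.append((title, srange))
    return found


def classify(srange):
    """Map an srange value to the three states the task cares about."""
    if srange is None:
        return "no srange (implicitly world-reachable)"
    if srange.strip("'\"") == "$PUBLIC":
        return "explicitly public"
    return f"restricted to {srange}"


def audit(manifests):
    """{'path: title': classification} for every live ferm::service."""
    return {f"{path}: {title}": classify(srange)
            for path, text in manifests.items()
            for title, srange in find_ferm_services(text)}


def missing_srange(manifests):
    """The list a reviewer wants: services with no srange at all, sorted."""
    return sorted(k for k, v in audit(manifests).items() if v.startswith("no srange"))


if __name__ == "__main__":
    for key, state in sorted(audit(SAMPLE_MANIFESTS).items()):
        print(f"{key}: {state}")
    print("needs review:", missing_srange(SAMPLE_MANIFESTS))
```

To run it against a real checkout, replace SAMPLE_MANIFESTS with a dict built by reading every .pp file under modules/. The comment stripping only handles full-line comments, and the srange regex stops at the first comma, so a value that contains a comma (or a resource whose title is built from a variable, such as $title or "pontoon-lb-${p}") still needs a human look, as category B above already notes.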