
Review of ferm services without srange
Open, Medium, Public

Description

All existing ferm services without an explicit srange should be reviewed to see whether they can be restricted further. It is also worth considering making unrestricted access explicit, e.g. with "srange => '$PUBLIC'" at the Puppet level (the ferm config on the hosts would not change).

Event Timeline

Change 591000 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] tlsproxy::envoy: allow limiting firewall srange

https://gerrit.wikimedia.org/r/591000

Change 591000 merged by Dzahn:
[operations/puppet@production] tlsproxy::envoy: allow limiting firewall srange

https://gerrit.wikimedia.org/r/591000

This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!

For tips on how to manage individual work in Phabricator (noisy notifications, lists of tasks, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the record, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)

Change 632443 had a related patch set uploaded (by Effie Mouzeli; owner: Effie Mouzeli):
[operations/puppet@production] memcached: refactor rules

https://gerrit.wikimedia.org/r/632443

Change 632443 merged by Effie Mouzeli:
[operations/puppet@production] memcached: refactor rules

https://gerrit.wikimedia.org/r/632443

ferm services without srange:

category A, those that seem obviously public but are not made explicit as this ticket suggests:

modules/role/manifests/bastionhost.pp:    ferm::service { 'ssh': 
modules/profile/manifests/mw_rc_irc.pp:    ferm::service { 'ircd_public':
modules/profile/manifests/mail/mx.pp:    ferm::service { 'exim-smtp':
modules/profile/manifests/dumps/distribution/web.pp:    ferm::service { 'xmldumps_http':
modules/profile/manifests/dumps/distribution/web.pp:    ferm::service { 'xmldumps_https':
modules/profile/manifests/aptrepo/wikimedia.pp:    ferm::service { 'aptrepos_public_http':
modules/profile/manifests/librenms.pp:    ferm::service { 'librenms-http':
modules/profile/manifests/librenms.pp:    ferm::service { 'librenms-https':
modules/profile/manifests/gitlab.pp:        ferm::service { 'gitlab-http-certbot':
modules/profile/manifests/gitlab.pp:    ferm::service { 'gitlab-https-public':
modules/profile/manifests/gitlab.pp:    ferm::service { 'gitlab-ssh-public':
modules/profile/manifests/durum.pp:    ferm::service { 'durum-https':
modules/profile/manifests/lists/ferm.pp:    ferm::service { 'mailman-smtp':
modules/profile/manifests/lists/ferm.pp:    ferm::service { 'mailman-http':
modules/profile/manifests/lists/ferm.pp:    ferm::service { 'mailman-https':
modules/profile/manifests/gerrit.pp:    ferm::service { 'gerrit_ssh_users':
modules/profile/manifests/gerrit.pp:    ferm::service { 'gerrit_http':
modules/profile/manifests/gerrit.pp:    ferm::service { 'gerrit_https':

Should we still add the PUBLIC srange to all of those to make it obvious?

category B, those where it's not obvious to me:

modules/service/manifests/node.pp:    ferm::service { $title:
modules/pontoon/manifests/lb.pp:    ferm::service { 'pontoon-lb-dns':
modules/profile/manifests/netconsole/server.pp:    ferm::service { 'netconsole-server':
modules/profile/manifests/archiva.pp:    ferm::service { 'archiva_rsync':
modules/profile/manifests/maps/tlsproxy.pp:    ferm::service { 'maps-proxy-https':
modules/profile/manifests/proxysql.pp:    #ferm::service { 'proxysql_mysql':
modules/profile/manifests/eventschemas/service.pp:    ferm::service { 'eventschemas_service_http':
modules/profile/manifests/netbox.pp:    ferm::service { 'netbox_https':
modules/profile/manifests/pontoon/lb.pp:        ferm::service { "pontoon-lb-${p}":
modules/profile/manifests/redis/slave.pp:    ferm::service { 'redis_slave_role':
modules/profile/manifests/librenms.pp:    ferm::service { 'librenms-rsyslog':
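The listing above comes from a grep for `ferm::service` resources, which also picks up the commented-out `#ferm::service { 'proxysql_mysql':` line and cannot tell whether `srange` is set a few lines further down in the resource body. The following script is an added example (not code from the Wikimedia puppet repository or from the task) of the audit the description asks for: it walks a set of Puppet manifests, strips `#` comments, finds each `ferm::service` resource, and reports those that declare no `srange`, i.e. the ones that are implicitly reachable from anywhere and that the description suggests marking with an explicit `srange => '$PUBLIC'`. The sample manifests are constructed for this example (the paths and class names are placeholders, not real repository files); the only things taken from the page are the `ferm::service` resource shape, the `srange` parameter and the `$PUBLIC` convention. Titles interpolated from a variable, such as `"pontoon-lb-${p}"` in the listing, are handled because braces inside quoted strings are ignored when the resource body is delimited.

```python
"""Audit Puppet manifests for ferm::service resources that declare no srange.

Added example; constructed sample manifests, not the Wikimedia puppet repo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample manifests (placeholder paths), keyed by path.
SAMPLE_MANIFESTS = {
    "modules/role/manifests/bastionhost.pp": """
class role::bastionhost {
    ferm::service { 'ssh':
        proto => 'tcp',
        port  => '22',
    }
}
""",
    "modules/profile/manifests/example/web.pp": """
class profile::example::web {
    ferm::service { 'example-https':
        proto  => 'tcp',
        port   => '443',
        srange => '$PUBLIC',   # explicit: reachable from anywhere
    }
    ferm::service { 'example-admin':
        proto  => 'tcp',
        port   => '8443',
        srange => '$DOMAIN_NETWORKS',
    }
}
""",
    "modules/profile/manifests/example/proxysql.pp": """
class profile::example::proxysql {
    #ferm::service { 'proxysql_mysql':
    #    proto => 'tcp',
    #    port  => '6032',
    #}
    ferm::service { "proxysql-${p}":
        proto => 'tcp',
        port  => $p,
    }
}
""",
}


@dataclass
class FermService:
    path: str
    title: str
    srange: Optional[str]  # None when the resource declares no srange


def strip_comments(text: str) -> str:
    """Drop Puppet '#' comments, but keep '#' characters inside quoted strings."""
    out = []
    quote = None  # quote state persists across lines so multi-line strings are safe
    for line in text.splitlines():
        kept = []
        for ch in line:
            if quote:
                kept.append(ch)
                if ch == quote:
                    quote = None
            elif ch in ("'", '"'):
                quote = ch
                kept.append(ch)
            elif ch == "#":
                break  # rest of the line is a comment
            else:
                kept.append(ch)
        out.append("".join(kept))
    return "\n".join(out)


# Matches 'ferm::service { <title>:' and captures the title (quotes included).
RESOURCE_RE = re.compile(r"ferm::service\s*\{\s*([^:\n]+?)\s*:")


def _body_end(text: str, open_brace: int) -> int:
    """Index of the '}' matching text[open_brace], ignoring braces inside strings."""
    depth = 0
    quote = None
    for i in range(open_brace, len(text)):
        ch = text[i]
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in manifest")


def find_ferm_services(path: str, manifest: str) -> list[FermService]:
    """Return every ferm::service resource in one manifest with its srange, if any."""
    text = strip_comments(manifest)
    found = []
    for m in RESOURCE_RE.finditer(text):
        open_brace = text.index("{", m.start())
        body = text[open_brace + 1 : _body_end(text, open_brace)]
        sr = re.search(r"^\s*srange\s*=>\s*(.+?)\s*,?\s*$", body, re.MULTILINE)
        found.append(FermService(path, m.group(1).strip(), sr.group(1) if sr else None))
    return found


def audit(manifests: dict[str, str]) -> list[FermService]:
    """Return the ferm::service resources across all manifests that declare no srange."""
    missing = []
    for path, manifest in manifests.items():
        missing.extend(s for s in find_ferm_services(path, manifest) if s.srange is None)
    return missing


if __name__ == "__main__":
    for svc in audit(SAMPLE_MANIFESTS):
        print(f"{svc.path}: ferm::service {svc.title} has no srange "
              "(implicitly reachable from anywhere; consider srange => '$PUBLIC')")
```

On the constructed samples the audit reports only `'ssh'` and `"proxysql-${p}"`: the two web services carry an explicit srange and the commented-out proxysql resource is discarded before matching. To run it against a real checkout, replace `SAMPLE_MANIFESTS` with a dict built from reading every `.pp` file under `modules/`.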