Closed
Bug 1007661
Opened 11 years ago
Closed 11 years ago
Give jezdez SSH access to developeradm.private.scl3.mozilla.com
Categories
(Infrastructure & Operations Graveyard :: NetOps: DC ACL Request, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jezdez, Assigned: dcurado)
Details
For some reason I can't access developeradm.private.scl3.mozilla.com via SSH while HTTP works. Is there any good reason I can't?
Updated • 11 years ago
Assignee: server-ops-webops → network-operations
Component: WebOps: Community Platform → NetOps: DC ACL Request
QA Contact: nmaul → jbarnell
Updated (Assignee) • 11 years ago
Assignee: network-operations → dcurado
Comment 1 (Assignee) • 11 years ago
Hi Jannis -- when you are trying to ssh to developeradm.private.scl3.mozilla.com, where are you
trying from?
Once I know that, hopefully I can fix this quickly.
Thanks -- Dave
Status: NEW → ASSIGNED
Flags: needinfo?(jezdez)
Comment 2 (Reporter) • 11 years ago
:dcurado I tried it yesterday from the Mozilla office in Berlin, while being connected to the global Mozilla VPN. I just tried again from my home office and it didn't work either.
Flags: needinfo?(jezdez) → needinfo?(dcurado)
Comment 3 (Assignee) • 11 years ago
Hmm, checking the global Mozilla VPN first, I am confused by what I see.
developeradm.private.scl3.mozilla.com has address 10.22.75.51 and is in the "private"
security zone. The global VPN IP addresses are in the "corpdmz" security zone.
There is a security policy that says, "let anything from the corporate VPN IP space
get to *anything* in the 'private' security zone." So, you should be able to get
to the ssh port of this server.
Two questions -- and I'm sorry I'm asking you to go through another iteration of
question and answer here -- it is only because this should already work.
So question 1 -- When you connect to the global VPN, are you getting an IP address
in the 10.22.248-255.x range?
Question 2 -- is there any chance there are ip filters on the host machine that would
prevent you getting to its ssh port?
Thanks for your help with this.
I'll check on the Berlin office address space now.
Flags: needinfo?(dcurado)
Comment 4 (Assignee) • 11 years ago
Huh. More confusion. I don't know how you're even getting to port 80 on 10.22.75.51.
The only thing we have a security policy for that allows that is from
an SSL gateway in SCL1 (ssl1.dmz.sjc1 10.2.74.138/32).
Port 80 and port 22 are allowed to 10.22.75.51 from another vpn address in SCL1,
cm-vpn01 (10.2.72.11/32).
I can certainly create policies that allow the global vpn and the Berlin office to
access ssh on this host, but that means opening up all the VPN IPs and all
the Berlin office to this host. Let me ask the secops team if they approve?
Flags: needinfo?(jezdez)
Updated (Assignee) • 11 years ago
Flags: sec-review?
Updated • 11 years ago
Flags: sec-review? → sec-review?(jstevensen)
Comment 5 (Reporter) • 11 years ago
I appreciate your efforts, :dcurado!
question 1) I just got 10.22.248.182. But from *outside* the Berlin office, as I'm mostly working from home or other coworking spaces. I was under the impression that the global VPN would allow me to ask to access the servers that are needed for doing my work. AFAIK others in my group (MDN) *are* able to access the server via SSH (e.g. :groovecoder).
question 2) I don't know anything about the host machine, the one I'm trying to connect to, so I'm not sure if there are some sort of ip filters set up.
Flags: needinfo?(jezdez)
Comment 6 • 11 years ago
Yes, I can ssh to developeradm.private.scl3.mozilla.com when I'm connected to MozillaVPN. Do you need/want to know my client IP on the network to help debug?
Comment 7 (Assignee) • 11 years ago
Thanks Luke.
I too, can connect to the MozillaVPN and ssh to developeradm.private.scl3.mozilla.com.
So why can't Jannis? Hmmm....
Jannis -- if it is not too much trouble, can you do a traceroute from your computer
to developeradm.private.scl3.mozilla.com after connecting to the MozillaVPN?
That should work, as you get to port 80... but so far this problem isn't making
sense (it will once we figure it out) so I'd just like the data point.
As well, when you ssh to developeradm.private.scl3.mozilla.com, what happens?
The connection just hangs?
Thanks very much -- Dave
Flags: needinfo?(jezdez)
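An added example, not part of the original bug thread: a small Python probe that answers the question raised in comment 7 (does the connection hang, or is it refused?) for several ports at once and turns the pattern into a first hypothesis. The verdict labels and the default ports 80 and 22 are assumptions chosen for this illustration.

```python
import socket
import sys

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt: open, refused, filtered, unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        return "filtered"      # no reply at all: the SYN was silently dropped
    except ConnectionRefusedError:
        return "refused"       # a RST came back from the host or a rejecting filter
    except OSError:
        return "unreachable"   # DNS failure, no route, ICMP unreachable

# Verdict labels are illustrative names, not terms from the thread.
EXPLAIN = {
    "all-open": "every probed port answers; the problem is above TCP (auth, keys)",
    "per-port-drop": "path and host are fine; a rule drops only some ports "
                     "(zone policy, per-user VPN rules, or a host filter)",
    "per-port-reject": "host is reachable; some ports are closed or actively rejected",
    "no-path": "nothing answers; check routing, VPN address range and zone policy",
}

def diagnose(states):
    """states maps port -> probe() result; returns one of the EXPLAIN keys."""
    seen = set(states.values())
    if seen == {"open"}:
        return "all-open"
    if "open" in seen and "filtered" in seen:
        return "per-port-drop"
    if "open" in seen:
        return "per-port-reject"
    return "no-path"

if __name__ == "__main__":
    # Usage: python probe.py <host> [port ...]   (defaults: 80 and 22)
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <host> [port ...]")
    target = sys.argv[1]
    ports = [int(p) for p in sys.argv[2:]] or [80, 22]
    states = {p: probe(target, p) for p in ports}
    for p, state in states.items():
        print(f"{target}:{p} -> {state}")
    verdict = diagnose(states)
    print(f"{verdict}: {EXPLAIN[verdict]}")
```

Recording the VPN-assigned client address alongside the output lets the network team match the result against the policy for that source range.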
Comment 8 (Assignee) • 11 years ago
Aha!
I just learned something!
When you VPN in, there is an LDAP lookup happening, and based on who you are, some
ip tables get applied to your session!
I am thinking that this may be the issue!
I'm going to ask them about this!
Comment 9 (Assignee) • 11 years ago
OK, try it now?
They had your bits set so you could get to port 80, but not 22.
(sounds like just what you were seeing!)
Comment 10 (Assignee) • 11 years ago
I should add that the "them" and "they" in comments 8 and 9 are IT sys admins who understand
the LDAP settings 100% better than I do.
Comment 11 (Reporter) • 11 years ago
Woohoo! That did it. Thank you, Dave. Much appreciated :)
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: needinfo?(jezdez)
Resolution: --- → FIXED
Comment 12 (Assignee) • 11 years ago
Happy Day! Sorry for the hassles. I have learned something from this and in the future will be
able to help others faster!
Updated • 11 years ago
Flags: sec-review?(jstevensen)
Updated • 3 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard