Closed Bug 1058882 Opened 10 years ago Closed 10 years ago

Open flows from windows, osx test slaves to proxxy1.srv.releng.scl3.mozilla.com (10.26.48.46) ports 80,443

Categories

(Infrastructure & Operations Graveyard :: NetOps: DC ACL Request, task)

Platform: x86_64
OS: Linux
Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: catlee, Assigned: dcurado)

References

Details

Our Windows, OS X test slaves need access to proxxy in scl3 to access cached files.

test & wintest zones -> proxxy1.srv.releng.scl3.mozilla.com:{80,443}/tcp

Call the address-set scl3-proxxy (yes, two x's).

So you guys are saying you'd like a security policy (policies) that allow:

- all hosts in the "test" zone to be able to reach ports 80/tcp and 443/tcp on proxxy1.srv.releng.scl3.mozilla.com, and
- all hosts in the "wintest" zone to be able to reach ports 80/tcp and 443/tcp on proxxy1.srv.releng.scl3.mozilla.com

right? Thanks for the confirmation.
Assignee: network-operations → dcurado
Status: NEW → ASSIGNED
Flags: needinfo?(catlee)
Yes, that's right. Thanks!
Flags: needinfo?(catlee)
catlee: Please see Dustin's clarification in comment #1.

If you put yourself in my shoes, the request "Our windows, osx test slaves need access to proxxy in scl3 to access cached files" means pretty much nothing to me. I have no idea where the Windows and OS X test slaves reside, and I have no idea of the FQDN or IP address or even what "proxxy" is... never mind cached files, and what TCP or UDP port numbers that would require.

This is meant as constructive criticism. I do a lot of firewall change bugs, and over time I'm seeing requests fall into two categories:

1) those with the required information provided, which take 10-15 minutes each to complete.
2) those without the required information provided, which take well over an hour each to complete.

The latter of these requires translation, research, and some number of back-and-forth Q and A with the requester.

Here's an excellent example of a not-totally-basic request, yet one which included all the information required: https://bugzilla.mozilla.org/show_bug.cgi?id=1058569

That request required me to add all the new hosts, create an address-set (a pointer to a list of all those new hosts), configure a new application type in the firewall config, and finally write the security policy using all the above-mentioned elements. Yet, because all the information was included -- in 115 characters, it could have been tweeted! -- it took me 10 minutes.

Thanks Dave, I'll try and keep that in mind. From my point of view as a PHB, I don't always know exactly where the different types of machines are, especially in a way that would make sense to netops. I'm hoping this is something relops can help bridge here.

a) To me, PHB == Per Hop Behavior (as in PHB for QoS in TCP/IP networking).

b) It's pretty simple really: netops understands IP addresses and port numbers. If you specify things in terms of IP addresses and port numbers, and ooooh for extra points, you can specify UDP vs TCP with the port numbers (!), then life will be easier for everyone. =-)

I'll get this bug done asap, by the way. Dustin and I made a big change to the releng firewall this morning, and I'm trying to hold off on making any further changes until we're sure that I don't need to roll back to the previous config. =-) TIA for your understanding there.

OK, these security policies should be in place now. Please try it out, and let me know if there are any problems. Thanks -- Dave

From zone: test, To zone: srv
  Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Destination addresses:
    proxxy1.scl3: 10.26.48.46/32
  Application: junos-http
    IP protocol: tcp, ALG: http, Inactivity timeout: 300
    Source port range: [0-0]
    Destination port range: [80-80]
  Application: junos-https
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
    Source port range: [0-0]
    Destination port range: [443-443]

-------

From zone: wintest, To zone: srv
  Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Destination addresses:
    proxxy1.scl3: 10.26.48.46/32
  Application: junos-http
    IP protocol: tcp, ALG: http, Inactivity timeout: 300
    Source port range: [0-0]
    Destination port range: [80-80]
  Application: junos-https
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
    Source port range: [0-0]
    Destination port range: [443-443]
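The following is an added example, not the configuration NetOps actually committed: it shows what the request in comment #1 (test and wintest zones to proxxy1 on 80/tcp and 443/tcp, address-set named scl3-proxxy) looks like as Junos SRX set-style commands, producing the two policies whose output is shown above. The policy names test-to-proxxy and wintest-to-proxxy, the use of a zone-attached address book on the srv zone, the session-close logging, and the SLAVE-IP placeholder in the verification commands are assumptions; the host, zones, ports, protocol and address-set name come from the bug.

```junos
# Added example (not the committed config). Assumed: policy names, zone-attached
# address book, session-close logging, SLAVE-IP placeholder.

# Address object for proxxy1 and the address-set requested in comment #1,
# attached to the address book of the zone the destination lives in (srv).
set security zones security-zone srv address-book address proxxy1.scl3 10.26.48.46/32
set security zones security-zone srv address-book address-set scl3-proxxy address proxxy1.scl3

# test -> srv: any host in the test zone may reach proxxy1 on 80/tcp and 443/tcp.
# "source-address any" matches 0.0.0.0/0 and ::/0 (the any-ipv4/any-ipv6 shown in
# the policy output) but is bounded by from-zone test; it opens nothing from
# other zones. junos-http / junos-https are the predefined tcp/80 (http ALG) and
# tcp/443 applications seen in the output.
set security policies from-zone test to-zone srv policy test-to-proxxy match source-address any
set security policies from-zone test to-zone srv policy test-to-proxxy match destination-address scl3-proxxy
set security policies from-zone test to-zone srv policy test-to-proxxy match application junos-http
set security policies from-zone test to-zone srv policy test-to-proxxy match application junos-https
set security policies from-zone test to-zone srv policy test-to-proxxy then permit
set security policies from-zone test to-zone srv policy test-to-proxxy then log session-close

# wintest -> srv: identical match criteria; a separate policy is needed because
# the from-zone differs.
set security policies from-zone wintest to-zone srv policy wintest-to-proxxy match source-address any
set security policies from-zone wintest to-zone srv policy wintest-to-proxxy match destination-address scl3-proxxy
set security policies from-zone wintest to-zone srv policy wintest-to-proxxy match application junos-http
set security policies from-zone wintest to-zone srv policy wintest-to-proxxy match application junos-https
set security policies from-zone wintest to-zone srv policy wintest-to-proxxy then permit
set security policies from-zone wintest to-zone srv policy wintest-to-proxxy then log session-close

# Verification (operational mode, after commit). The first lookup should hit
# test-to-proxxy; the second, for a port that was not requested, should fall
# through to the zone pair's default deny. Replace SLAVE-IP with a test slave.
show security policies from-zone test to-zone srv policy-name test-to-proxxy detail
show security match-policies from-zone test to-zone srv source-ip SLAVE-IP destination-ip 10.26.48.46 source-port 40000 destination-port 443 protocol tcp
show security match-policies from-zone test to-zone srv source-ip SLAVE-IP destination-ip 10.26.48.46 source-port 40000 destination-port 22 protocol tcp
```

The `show security policies ... detail` output is the same form Dave pasted above, so it is the natural way to confirm that what was committed matches what was requested: two from-zones, one /32 destination, two applications, and nothing else. Putting the destination behind the scl3-proxxy address-set, as comment #1 asked, means a later proxxy host or address change is a one-line address-book edit rather than a rewrite of both policies.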
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard