Allow access to carbon.hostedgraphite.com:2003 from cruncher.srv.releng.scl3.mozilla.com

Infrastructure & Operations
NetOps: DC ACL Request
RESOLVED FIXED
(Reporter: catlee, Assigned: dcurado)

(Reporter)

Description

3 years ago
Sometime around June 19th we stopped being able to post metrics to carbon.hostedgraphite.com:2003.

Did something change with the firewall configs that would account for this?
set groups global-policies security policies from-zone <*> to-zone untrust policy hostedgraphite--carbon match source-address any
set groups global-policies security policies from-zone <*> to-zone untrust policy hostedgraphite--carbon match destination-address hostedgraphite
set groups global-policies security policies from-zone <*> to-zone untrust policy hostedgraphite--carbon match application carbon
set groups global-policies security policies from-zone <*> to-zone untrust policy hostedgraphite--carbon then permit
set security zones security-zone untrust address-book address hostedgraphite-1 88.198.22.7/32
set security zones security-zone untrust address-book address hostedgraphite-2 78.46.92.172/32
set security zones security-zone untrust address-book address hostedgraphite-3 78.46.93.167/32
set security zones security-zone untrust address-book address hostedgraphite-4 178.63.9.197/32
set security zones security-zone untrust address-book address-set hostedgraphite address hostedgraphite-1
set security zones security-zone untrust address-book address-set hostedgraphite address hostedgraphite-2
set security zones security-zone untrust address-book address-set hostedgraphite address hostedgraphite-3
set security zones security-zone untrust address-book address-set hostedgraphite address hostedgraphite-4

yet

dustin@ramanujan ~ $ host carbon.hostedgraphite.com 
carbon.hostedgraphite.com has address 188.40.44.78
carbon.hostedgraphite.com has address 178.63.102.147
carbon.hostedgraphite.com has address 85.10.209.147
carbon.hostedgraphite.com has address 178.63.111.130
carbon.hostedgraphite.com has address 178.63.55.74
carbon.hostedgraphite.com has address 144.76.225.8
carbon.hostedgraphite.com has address 78.46.164.248
carbon.hostedgraphite.com has address 178.63.67.197
carbon.hostedgraphite.com has address 46.4.107.110
carbon.hostedgraphite.com has address 178.63.52.69
carbon.hostedgraphite.com has address 178.63.87.135
carbon.hostedgraphite.com has address 178.63.61.13
carbon.hostedgraphite.com has address 78.46.96.16
carbon.hostedgraphite.com has address 176.9.31.240

It seems we should contact hostedgraphite and find out if they have a stable set of IP addresses which we can whitelist.
(Reporter)

Comment 2

3 years ago
hostedgraphite doesn't maintain stable IP addresses for their endpoints. They recommend regularly resolving the domain name and updating the whitelist with the A records.

Can we update the firewalls with the current addresses for now?
netops: that's the list in comment 1, and should replace the existing "hostedgraphite" address-set

To my knowledge, there's no way to make these changes automatically (e.g., firewall resolves the hostname periodically).  If that's not the case, let me know!

Please leave the bug open and I will update fwunit to verify that these remain correct. That will at least alert us when the address-set needs to be re-written.
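The procedure described in this comment (resolve the name, compare the A records with the firewall's address-set, rewrite the set when they drift) can be scripted. The following is an added example, not fwunit or Mozilla netops code: it assumes the hostedgraphite-N address-book naming scheme and the Junos set/delete syntax quoted in this bug, continues the existing numbering for new entries instead of reusing names, and takes an injectable lookup function so the comparison can run against a recorded DNS answer (the 14 addresses above, embedded as constructed offline data) as well as the live resolver.

```python
"""Reconcile a Junos address-set with the A records a hostname currently
returns.  Added example, not fwunit or Mozilla netops code; it assumes the
address-book naming scheme used in this bug (hostedgraphite-N) and the
Junos `set`/`delete` syntax quoted above."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

ZONE = "untrust"
ADDRESS_SET = "hostedgraphite"
HOSTNAME = "carbon.hostedgraphite.com"

# The four address-book entries the firewall had before this bug (from the bug).
CONFIGURED_BEFORE: Dict[str, str] = {
    "hostedgraphite-1": "88.198.22.7",
    "hostedgraphite-2": "78.46.92.172",
    "hostedgraphite-3": "78.46.93.167",
    "hostedgraphite-4": "178.63.9.197",
}

# The 14 A records quoted in the bug, used as a constructed offline
# stand-in for a live DNS answer.
DNS_ANSWER_IN_BUG: List[str] = [
    "188.40.44.78", "178.63.102.147", "85.10.209.147", "178.63.111.130",
    "178.63.55.74", "144.76.225.8", "78.46.164.248", "178.63.67.197",
    "46.4.107.110", "178.63.52.69", "178.63.87.135", "178.63.61.13",
    "78.46.96.16", "176.9.31.240",
]


def live_lookup(hostname: str) -> Iterable[str]:
    """Resolve IPv4 A records with the system resolver (needs network access)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def resolve_a_records(hostname: str,
                      lookup: Callable[[str], Iterable[str]] = live_lookup) -> Set[str]:
    """Return the current A records as a set; `lookup` is injectable so the
    check can run against a recorded answer instead of the network."""
    return set(lookup(hostname))


def _ip_key(ip: str) -> ipaddress.IPv4Address:
    # Sort numerically rather than lexically so output order is stable.
    return ipaddress.ip_address(ip)


def plan_changes(configured: Dict[str, str], current: Set[str],
                 zone: str = ZONE, address_set: str = ADDRESS_SET) -> Dict[str, object]:
    """Compare the firewall's address-book with DNS and return the stale and
    missing addresses plus the Junos commands that would reconcile them."""
    configured_ips = set(configured.values())
    name_of = {ip: name for name, ip in configured.items()}
    stale = sorted(configured_ips - current, key=_ip_key)
    missing = sorted(current - configured_ips, key=_ip_key)
    base = f"security zones security-zone {zone} address-book"
    commands: List[str] = []
    # Remove stale entries: drop the set membership before the address itself,
    # so the commit does not fail on a dangling reference.
    for ip in stale:
        name = name_of[ip]
        commands.append(f"delete {base} address-set {address_set} address {name}")
        commands.append(f"delete {base} address {name}")
    # Add new entries with names continuing the existing numbering.
    used = [int(n.rsplit("-", 1)[1]) for n in configured
            if n.startswith(address_set + "-") and n.rsplit("-", 1)[1].isdigit()]
    next_index = max(used, default=0) + 1
    for ip in missing:
        name = f"{address_set}-{next_index}"
        next_index += 1
        commands.append(f"set {base} address {name} {ip}/32")
        commands.append(f"set {base} address-set {address_set} address {name}")
    return {"stale": stale, "missing": missing, "commands": commands,
            "in_sync": not stale and not missing}


if __name__ == "__main__":
    # Live run: compare the pre-fix address-set with what DNS returns now.
    plan = plan_changes(CONFIGURED_BEFORE, resolve_a_records(HOSTNAME))
    print("address-set in sync with DNS:", plan["in_sync"])
    for cmd in plan["commands"]:
        print(cmd)
```

Run from cron with the live resolver, the `in_sync` flag is the alert condition this comment asks fwunit for; the generated commands are only a proposal for netops to review, since a DNS answer that suddenly differs is exactly the case where a human should look before the firewall is rewritten.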
(Assignee)

Comment 4

3 years ago
working on this...

doing business with a SaaS company who can't maintain static IP addresses is (obviously) kind of a problem.  Doesn't really scale for us.

I recommend sending the vendor this feedback.

I have updated the address-set to use the above listed 14 new IP addresses.

dcurado@fw1.ops.releng.scl3.mozilla.net> ...security-zone untrust address-book address-set hostedgraphite
address hostedgraphite-1;
address hostedgraphite-2;
address hostedgraphite-3;
address hostedgraphite-4;
address hostedgraphite-5;
address hostedgraphite-6;
address hostedgraphite-7;
address hostedgraphite-8;
address hostedgraphite-9;
address hostedgraphite-10;
address hostedgraphite-11;
address hostedgraphite-12;
address hostedgraphite-13;
address hostedgraphite-14;

Please let me know if there are any problems?
Thanks -- Dave
Assignee: network-operations → dcurado
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED