Bug 1184608 - tracking bug for crashplan policy to office fws
Status: Closed, RESOLVED FIXED
Opened 9 years ago; Closed 9 years ago
Product/Component: Infrastructure & Operations Graveyard :: NetOps: Office ACL Requests (task)
Tracking: Not tracked
Reporter: van; Assigned: van
In bug 1168610, we created a crashplan policy for fw1.ops.par1 because it was a new server setup. The server in par1 thinks it is the master and will need to hand off the master role to the server in scl3. lon1 and tor1 didn't need this policy in place; however, these servers were set up many moons ago, so things might have changed since then, or they were set up locally before being shipped off.
We'll need to push the configs to the other office firewalls in case we ever need to replace/upgrade/rebuild the backup server. This will likely bounce IPsec tunnels, so we'll need to apply them during off hours.
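Before a compare diff like the one in comment 1 is replayed on the remaining office firewalls, it helps to check it mechanically for the two things that bite when a diff taken on one device is pushed to another: permit policies that match `application any`, and address-sets or application-sets that an added policy references but the diff itself does not create (those must already exist on the target, or the commit fails there). The script below is an added example written for this page, not tooling from the bug or from Mozilla NetOps; it parses the `[edit ...]` / `+` / `-` shape of Junos `show | compare` output and runs on a constructed excerpt modelled on comment 1 (object names such as `crashplan-hosts` and `sec-ww` are taken from the diff; the excerpt itself is trimmed and embedded inline, not the bug's full output).

```python
"""Lint a Junos 'show | compare' diff before replaying it on another firewall (added example)."""
import re

HEADER = re.compile(r"^\[edit (.*)\]$")
POLICY = re.compile(r"^policy (\S+) \{$")
FIELD = re.compile(r"^(source-address|destination-address|application) (.+);$")
OBJECT = re.compile(r"^(?:address|application)(?:-set)? ([^\s;{}]+)")  # 'address X 10/8;', 'address-set X {'
BUILTIN_ADDRS = {"any", "any-ipv4", "any-ipv6"}

# Constructed excerpt shaped like comment 1's compare output; not the bug's full
# diff. A line ending in '{ ... }' is unchanged context that already exists on
# the device the diff was taken from, but not necessarily on the next one.
SAMPLE_DIFF = """\
[edit security address-book global]
+ address clientbackup.dmz.scl3_0 10.22.74.170/32;
[edit security address-book global]
  address-set officebadging1.corpdmz.scl3 { ... }
+ address-set clientbackup.dmz.scl3 {
+     address clientbackup.dmz.scl3_0;
+ }
[edit security policies from-zone vpn to-zone private]
+ policy crashplan-inbound {
+     match {
+         source-address clientbackup.dmz.scl3;
+         destination-address crashplan-hosts;
+         application crashplan-inbound-app;
+     }
+     then {
+         permit;
+     }
+ }
[edit security policies]
+ from-zone sec to-zone vpn {
+     policy sec-badging-any {
+         match {
+             source-address sec-ww;
+             destination-address officebadging1.corpdmz.scl3;
+             application any;
+         }
+         then {
+             permit;
+         }
+     }
+ }
[edit applications]
+ application-set crashplan-inbound-app {
+     application crashplan-inbound-app1;
+ }
"""


def parse_compare(text):
    """One pass over the diff: the policies it adds, plus every object name it adds."""
    policies, added = [], set()
    section, policy = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):  # '[edit ...]' names the path the following lines live under
            section = m.group(1)
            continue
        if not line.startswith("+"):
            continue  # '{ ... }' context and '-' lines add nothing to the target device
        body = line[1:].strip()
        if section.startswith(("security address-book", "applications")):
            if m := OBJECT.match(body):
                added.add(m.group(1))  # set members are recorded too; harmless for the lookup below
        elif section.startswith("security policies"):
            if m := POLICY.match(body):
                policy = {"name": m.group(1), "permit": False, "source-address": [],
                          "destination-address": [], "application": []}
                policies.append(policy)
            elif (m := FIELD.match(body)) and policy:
                policy[m.group(1)] += m.group(2).strip("[] ").split()  # '[ a b ]' or a single name
            elif policy and body == "permit;":
                policy["permit"] = True
    return policies, added


def lint(text):
    """Return [(policy, finding)] for the permit policies the diff adds."""
    policies, added = parse_compare(text)
    findings = []
    for p in (p for p in policies if p["permit"]):
        if "any" in p["application"]:
            findings.append((p["name"], "permit matches 'application any'"))
        for field in ("source-address", "destination-address", "application"):
            for name in p[field]:
                if name in BUILTIN_ADDRS or name.startswith("junos-") or name in added:
                    continue  # built-in address, Junos predefined application, or created by this diff
                findings.append((p["name"], f"{field} {name} is not added by this diff; it must already exist on the target"))
    return findings


if __name__ == "__main__":
    for name, finding in lint(SAMPLE_DIFF):
        print(f"{name}: {finding}")
```

Running it prints one line per finding. On the excerpt, crashplan-inbound is flagged for `crashplan-hosts`, and sec-badging-any for `application any` plus the two address-sets it references that the diff never adds. The tool is deliberately conservative: a name that appears only as `{ ... }` context exists on the device the diff was taken from, but it is reported anyway, because that is exactly the assumption that does not carry over to the next firewall.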
Updated 9 years ago
Assignee: network-operations → vle

Comment 1 • 9 years ago
Config pushed out to remaining offices with backup server missing policy.
vle@fw1.ops.tor1.mozilla.net# show | compare rollback 1
[edit security address-book global]
address office-nvr_9 { ... }
+ address smokeping1.private.scl3_0 10.22.75.72/32;
address admin-hosts_0 { ... }
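Review bot: this compare output carries more than the crashplan policy the bug title describes; the smokeping1.private.scl3 address added here, and the sec-ww/officebadging and cam-zone DNS policies further down, have nothing to do with the backup server. If they are meant to ride along in the same off-hours push, say so in the comment so the tor1 and lon1 commits can be matched back to their own tickets; otherwise split them out, so that rolling back the crashplan change does not also drop the badging and smokeping access.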
[edit security address-book global]
address wireless-controllers_5 { ... }
+ address clientbackup.dmz.scl3_0 10.22.74.170/32;
address building-ww_0 { ... }
[edit security address-book global]
address officebadging1.corpdmz.scl3_0 { ... }
+ address officebadging1.corpdmz.scl3_1 10.22.72.144/32;
+ address sec-ww_0 10.242.20.0/24;
+ address sec-ww_1 10.243.20.0/24;
+ address sec-ww_2 10.244.20.0/24;
+ address sec-ww_3 10.245.20.0/24;
+ address sec-ww_4 10.246.20.0/24;
+ address sec-ww_5 10.247.20.0/24;
+ address sec-ww_6 10.248.20.0/24;
+ address sec-ww_7 10.249.20.0/24;
+ address sec-ww_8 10.251.20.0/24;
+ address sec-ww_9 10.252.20.0/24;
address cam-ww_0 { ... }
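Review bot: the sec-ww list jumps from 10.249.20.0/24 (sec-ww_7) to 10.251.20.0/24 (sec-ww_8), so 10.250.20.0/24 is the one /24 in the 10.242-10.252 run that is not covered. If no office uses that sec network this is fine, but state it in the comment: a badging controller on 10.250.20.0/24 would not match the sec-badging-any policies below, and the gap reads like a typo.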
[edit security address-book global]
address-set office-nvr { ... }
+ address-set smokeping1.private.scl3 {
+ address smokeping1.private.scl3_0;
+ }
address-set admin-hosts { ... }
[edit security address-book global]
address-set wireless-controllers { ... }
+ address-set clientbackup.dmz.scl3 {
+ address clientbackup.dmz.scl3_0;
+ }
address-set building-ww { ... }
[edit security address-book global address-set officebadging1.corpdmz.scl3]
address officebadging1.corpdmz.scl3_0 { ... }
+ address officebadging1.corpdmz.scl3_1;
[edit security address-book global]
address-set officebadging1.corpdmz.scl3 { ... }
+ address-set sec-ww {
+ address sec-ww_0;
+ address sec-ww_1;
+ address sec-ww_2;
+ address sec-ww_3;
+ address sec-ww_4;
+ address sec-ww_5;
+ address sec-ww_6;
+ address sec-ww_7;
+ address sec-ww_8;
+ address sec-ww_9;
+ }
address-set cam-ww { ... }
[edit security policies from-zone corp to-zone vpn]
policy victor_camera_feed { ... }
+ policy corp-smokeping--http {
+ match {
+ source-address corp-ww;
+ destination-address smokeping1.private.scl3;
+ application corp-smokeping--http-app;
+ }
+ then {
+ permit;
+ }
+ }
[edit security policies from-zone vpn to-zone private]
policy wireless-controllers--any { ... }
+ policy crashplan-inbound {
+ match {
+ source-address clientbackup.dmz.scl3;
+ destination-address crashplan-hosts;
+ application crashplan-inbound-app;
+ }
+ then {
+ permit;
+ }
+ }
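Review bot: crashplan-inbound depends on the address-set crashplan-hosts, which is not added anywhere in this diff and does not appear even as context in the address-book hunks above, so the commit only succeeds on an office firewall where that set already exists. Before the push, from `[edit]` run `show security address-book global address-set crashplan-hosts` on each target. This policy also lets a data-centre host (clientbackup.dmz.scl3) open sessions toward client machines in the office private zone, the direction most office rules do not allow, so `then { permit; log { session-close; } }` would be worth having on it.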
[edit security policies]
from-zone vpn to-zone building { ... }
+ from-zone sec to-zone private {
+ policy dns {
+ match {
+ source-address any;
+ destination-address [ admin-hosts admin1a.private.akl1 admin1a.private.ber1 admin1a.private.lon1 admin1a.private.mtv2 admin1a.private.par1 admin1a.private.pdx1 admin1a.private.tor1 admin1a.private.tpe1 admin1a.private.yvr1 ];
+ application dns-app;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone sec to-zone vpn {
+ policy sec-badging-any {
+ match {
+ source-address sec-ww;
+ destination-address officebadging1.corpdmz.scl3;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone vpn to-zone sec {
+ policy sec-badging-any {
+ match {
+ source-address officebadging1.corpdmz.scl3;
+ destination-address sec-ww;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
from-zone building to-zone corp { ... }
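Review bot: both sec-badging-any policies match `application any`, so the new sec zone and officebadging1.corpdmz.scl3 get unrestricted bidirectional access on any protocol and port, while every other policy in this diff (smokeping, crashplan, dns) is pinned to an application-set. A badging server speaks a known set of ports; define a badging application-set the way crashplan-inbound-app is built below and use it in both directions, or at least replace `any` in the vpn-to-sec policy, which is the one that admits server-initiated traffic into the office. The `dns` policy in from-zone sec to-zone private uses `source-address any`; that is zone-scoped, so acceptable, but sec-ww is the tighter match now that the set exists.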
[edit security policies]
from-zone corp to-zone cam { ... }
+ from-zone cam to-zone private {
+ policy dns {
+ match {
+ source-address any;
+ destination-address [ admin-hosts admin1a.private.akl1 admin1a.private.ber1 admin1a.private.lon1 admin1a.private.mtv2 admin1a.private.par1 admin1a.private.pdx1 admin1a.private.tor1 admin1a.private.tpe1 admin1a.private.yvr1 ];
+ application dns-app;
+ }
+ then {
+ permit;
+ }
+ }
+ }
from-zone cam to-zone vpn { ... }
[edit applications]
application victor_camera_feed-app6 { ... }
+ application corp-smokeping--http-app1 {
+ term t1 protocol tcp destination-port 80;
+ }
application dhcp-app1 { ... }
[edit applications application crashplan-app1]
- term t1 protocol tcp destination-port 4282;
+ term t1 protocol tcp destination-port 4280;
[edit applications application crashplan-app2]
- term t2 protocol tcp destination-port 4285;
+ term t2 protocol tcp destination-port 4282;
[edit applications]
application crashplan-app2 { ... }
+ application crashplan-app3 {
+ term t3 protocol tcp destination-port 4285;
+ }
application filter-smtp-app1 { ... }
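Review bot: the crashplan-app change rewrites the ports of the existing terms (app1 4282 -> 4280, app2 4285 -> 4282) and then adds app3 with 4285, so the set ends at {4280, 4282, 4285} but the diff reads as though two ports were changed rather than one added. Leaving app1/app2 alone and adding a new member with tcp/4280 gives the same resulting set in a two-line, obviously additive diff, which matters when the same change is replayed on lon1 and the other offices. Either way, the comment should say plainly that the net effect is tcp/4280 becoming permitted where it was not before, since nothing else in the set changes.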
[edit applications]
application tableau_voip_cdr-app1 { ... }
+ application crashplan-inbound-app1 {
+ term t1 protocol tcp destination-port 4280;
+ }
+ application crashplan-inbound-app2 {
+ term t2 protocol tcp destination-port 4282;
+ }
+ application crashplan-inbound-app3 {
+ term t3 protocol tcp destination-port 4285;
+ }
application victor-camera-feed-app1 { ... }
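Review bot: crashplan-inbound-app1..3 duplicate crashplan-app1..3 term for term (tcp/4280, 4282, 4285 after the renumbering above), so there are now two application-sets that have to be kept in sync. Unless the inbound direction is expected to diverge, point crashplan-inbound at the existing crashplan-app set and drop these three; if the two sets are intentionally separate, an `annotate` on crashplan-inbound-app saying why would stop the next person from merging them.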
[edit applications]
application-set victor_camera_feed-app { ... }
+ application-set corp-smokeping--http-app {
+ application corp-smokeping--http-app1;
+ }
application-set dhcp-app { ... }
[edit applications application-set crashplan-app]
application crashplan-app2 { ... }
+ application crashplan-app3;
[edit applications]
application-set tableau_voip_cdr-app { ... }
+ application-set crashplan-inbound-app {
+ application crashplan-inbound-app1;
+ application crashplan-inbound-app2;
+ application crashplan-inbound-app3;
+ }
application-set victor-camera-feed-app { ... }
{primary:node0}[edit]
vans-MacBook-Pro:logs vle$ cat fw1.ops.lon1.mozilla.net.diff
[edit security address-book global]
address office-nvr_9 { ... }
+ address smokeping1.private.scl3_0 10.22.75.72/32;
address admin-hosts_0 { ... }
[edit security address-book global]
address wireless-controllers_5 { ... }
+ address clientbackup.dmz.scl3_0 10.22.74.170/32;
address building-ww_0 { ... }
[edit security address-book global]
address officebadging1.corpdmz.scl3_0 { ... }
+ address officebadging1.corpdmz.scl3_1 10.22.72.144/32;
+ address sec-ww_0 10.242.20.0/24;
+ address sec-ww_1 10.243.20.0/24;
+ address sec-ww_2 10.244.20.0/24;
+ address sec-ww_3 10.245.20.0/24;
+ address sec-ww_4 10.246.20.0/24;
+ address sec-ww_5 10.247.20.0/24;
+ address sec-ww_6 10.248.20.0/24;
+ address sec-ww_7 10.249.20.0/24;
+ address sec-ww_8 10.251.20.0/24;
+ address sec-ww_9 10.252.20.0/24;
address cam-ww_0 { ... }
[edit security address-book global]
address-set office-nvr { ... }
+ address-set smokeping1.private.scl3 {
+ address smokeping1.private.scl3_0;
+ }
address-set admin-hosts { ... }
[edit security address-book global]
address-set wireless-controllers { ... }
+ address-set clientbackup.dmz.scl3 {
+ address clientbackup.dmz.scl3_0;
+ }
address-set building-ww { ... }
[edit security address-book global address-set officebadging1.corpdmz.scl3]
address officebadging1.corpdmz.scl3_0 { ... }
+ address officebadging1.corpdmz.scl3_1;
[edit security address-book global]
address-set officebadging1.corpdmz.scl3 { ... }
+ address-set sec-ww {
+ address sec-ww_0;
+ address sec-ww_1;
+ address sec-ww_2;
+ address sec-ww_3;
+ address sec-ww_4;
+ address sec-ww_5;
+ address sec-ww_6;
+ address sec-ww_7;
+ address sec-ww_8;
+ address sec-ww_9;
+ }
address-set cam-ww { ... }
[edit security policies from-zone corp to-zone vpn]
policy victor_camera_feed { ... }
+ policy corp-smokeping--http {
+ match {
+ source-address corp-ww;
+ destination-address smokeping1.private.scl3;
+ application corp-smokeping--http-app;
+ }
+ then {
+ permit;
+ }
+ }
[edit security policies from-zone vpn to-zone private]
policy wireless-controllers--any { ... }
+ policy crashplan-inbound {
+ match {
+ source-address clientbackup.dmz.scl3;
+ destination-address crashplan-hosts;
+ application crashplan-inbound-app;
+ }
+ then {
+ permit;
+ }
+ }
[edit security policies]
from-zone vpn to-zone building { ... }
+ from-zone sec to-zone private {
+ policy dns {
+ match {
+ source-address any;
+ destination-address [ admin-hosts admin1a.private.akl1 admin1a.private.ber1 admin1a.private.lon1 admin1a.private.mtv2 admin1a.private.par1 admin1a.private.pdx1 admin1a.private.tor1 admin1a.private.tpe1 admin1a.private.yvr1 ];
+ application dns-app;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone sec to-zone vpn {
+ policy sec-badging-any {
+ match {
+ source-address sec-ww;
+ destination-address officebadging1.corpdmz.scl3;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone vpn to-zone sec {
+ policy sec-badging-any {
+ match {
+ source-address officebadging1.corpdmz.scl3;
+ destination-address sec-ww;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
from-zone building to-zone corp { ... }
[edit security policies]
from-zone corp to-zone cam { ... }
+ from-zone cam to-zone private {
+ policy dns {
+ match {
+ source-address any;
+ destination-address [ admin-hosts admin1a.private.akl1 admin1a.private.ber1 admin1a.private.lon1 admin1a.private.mtv2 admin1a.private.par1 admin1a.private.pdx1 admin1a.private.tor1 admin1a.private.tpe1 admin1a.private.yvr1 ];
+ application dns-app;
+ }
+ then {
+ permit;
+ }
+ }
+ }
from-zone cam to-zone vpn { ... }
[edit applications]
application victor_camera_feed-app6 { ... }
+ application corp-smokeping--http-app1 {
+ term t1 protocol tcp destination-port 80;
+ }
application dhcp-app1 { ... }
[edit applications application crashplan-app1]
- term t1 protocol tcp destination-port 4282;
+ term t1 protocol tcp destination-port 4280;
[edit applications application crashplan-app2]
- term t2 protocol tcp destination-port 4285;
+ term t2 protocol tcp destination-port 4282;
[edit applications]
application crashplan-app2 { ... }
+ application crashplan-app3 {
+ term t3 protocol tcp destination-port 4285;
+ }
application filter-smtp-app1 { ... }
[edit applications]
application tableau_voip_cdr-app1 { ... }
+ application crashplan-inbound-app1 {
+ term t1 protocol tcp destination-port 4280;
+ }
+ application crashplan-inbound-app2 {
+ term t2 protocol tcp destination-port 4282;
+ }
+ application crashplan-inbound-app3 {
+ term t3 protocol tcp destination-port 4285;
+ }
application victor-camera-feed-app1 { ... }
[edit applications]
application-set victor_camera_feed-app { ... }
+ application-set corp-smokeping--http-app {
+ application corp-smokeping--http-app1;
+ }
application-set dhcp-app { ... }
[edit applications application-set crashplan-app]
application crashplan-app2 { ... }
+ application crashplan-app3;
[edit applications]
application-set tableau_voip_cdr-app { ... }
+ application-set crashplan-inbound-app {
+ application crashplan-inbound-app1;
+ application crashplan-inbound-app2;
+ application crashplan-inbound-app3;
+ }
application-set victor-camera-feed-app { ... }
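Review bot: this lon1 diff is identical line for line to the tor1 compare above (same address objects, same sec/cam policies, same crashplan port rewrite), so the comments made there apply here unchanged. In particular, crashplan-hosts, corp-ww, admin-hosts, the admin1a.private.* sets and dns-app are referenced but not added, so they must already exist on fw1.ops.lon1 or the commit fails there. Since the same file was evidently generated once and applied per office, a `commit check` on each device ahead of the off-hours window would catch a missing object without bouncing the tunnels.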
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated 2 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard