Bug 1386757 - Enabled firewall on OCC w10 moonshot profile
Status: RESOLVED FIXED (opened 8 years ago, closed 7 years ago)
Product / Component: Infrastructure & Operations :: RelOps: General (task)
Reporter: dividehex; Assigned: markco
Since w10 on moonshot is not in production yet, this would be a good time to enable the firewall w/ default deny via OCC. This is only for w10 on moonshot. AWS will be handled entirely through security group policies.
The policy would look roughly like:
ALLOW ALL OUTGOING (egress)
ALLOW PING/ICMP INCOMING (ingress)
ALLOW SSH/VNC/RDP INCOMING (ingress)
DENY EVERYTHING ELSE INCOMING (ingress)
If there is a listening port that needs an exception, call it out here. But AFAIK, there should be with tc worker. It is entirely pull/polling/outgoing.
SSH = port tcp/22
VNC = port tcp/5900
RDP = port tcp/3389
Comment 1 (Assignee) • 8 years ago
We will also need a port open for KMS as well.
Comment 2 (Assignee) • 8 years ago
(In reply to Mark Cornmesser [:markco] from comment #1)
> We will also need a port open for KMS as well.
Disregard.
Comment 3 (Reporter) • 8 years ago
:arr pointed out I forgot to note that ssh/vnc/rdp should be source-limited to the jumphosts.
rejh1.srv.releng.scl3.mozilla.com has address 10.26.48.19
rejh2.srv.releng.scl3.mozilla.com has address 10.26.48.20
rejh1.srv.releng.mdc1.mozilla.com has address 10.49.48.100
rejh2.srv.releng.mdc1.mozilla.com has address 10.49.48.101
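For reference, the policy from the description plus the jumphost restriction from this comment, expressed with the Windows Firewall NetSecurity cmdlets. This is an added illustration and not the actual OCC or MDT configuration; the rule names and the use of the NetSecurity module are my assumptions, and the session must be elevated.

```powershell
# Added example (not from OCC or MDT): Windows Firewall equivalent of
#   ALLOW ALL OUTGOING / ALLOW ICMP IN / ALLOW SSH,VNC,RDP IN from jumphosts / DENY EVERYTHING ELSE IN
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated shell.

# Windows Firewall scopes on addresses, not hostnames, so use the IPs from comment 3.
$JumpHosts = @(
    '10.26.48.19',   # rejh1.srv.releng.scl3.mozilla.com
    '10.26.48.20',   # rejh2.srv.releng.scl3.mozilla.com
    '10.49.48.100',  # rejh1.srv.releng.mdc1.mozilla.com
    '10.49.48.101'   # rejh2.srv.releng.mdc1.mozilla.com
)

# Default deny inbound, allow all outbound. Apply to every profile so a host that
# lands in the "wrong" network category (Public vs Private) is still covered.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow

# ALLOW PING/ICMP INCOMING: echo request only (ICMPv4 type 8), from any source.
New-NetFirewallRule -DisplayName 'releng-allow-icmp-echo' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -Action Allow -Profile Any

# ALLOW SSH/VNC/RDP INCOMING, scoped to the jumphosts only. Rule names are hypothetical.
$AdminPorts = @{ ssh = 22; vnc = 5900; rdp = 3389 }
foreach ($svc in $AdminPorts.Keys) {
    New-NetFirewallRule -DisplayName "releng-allow-$svc-from-jumphosts" `
        -Direction Inbound -Protocol TCP -LocalPort $AdminPorts[$svc] `
        -RemoteAddress $JumpHosts `
        -Action Allow -Profile Any
}

# Check: every enabled inbound allow rule for TCP should carry a remote-address
# scope; anything listed here with RemoteAddress 'Any' is a hole in the policy.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'TCP' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
```

Built-in rules that Windows ships enabled (file sharing, WMI, etc.) are unaffected by the default action and show up in the final listing, which is where they would be disabled.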
Comment 4 (Assignee) • 7 years ago
The only connection method that is active on the Windows OCC hardware is VNC, and the firewall rules are set up through MDT and will be ported to OCC in the future.
Updated (Assignee) • 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED