Enabled firewall on OCC w7 moonshot profile

RESOLVED FIXED

Infrastructure & Operations
RelOps
(Reporter: dividehex, Assigned: markco)

(Reporter)

Description

7 months ago
We need to set up OCC to turn on firewalling with a default deny policy similar to the one for w10 filed in bug 1386757

This is only for w7 on moonshot. AWS will be handled entirely through security group policies.

The policy would look roughly like:
ALLOW ALL OUTGOING (egress)
ALLOW PING/ICMP INCOMING (ingress)
ALLOW SSH/VNC/RDP INCOMING (ingress)
DENY EVERYTHING ELSE INCOMING (ingress)

If there is a listening port that needs an exception, call it out here. But AFAIK, there should be with tc worker. It is entirely pull/polling/outgoing.

SSH = port tcp/22
VNC = port tcp/5900
RDP = port tcp/3389
(Reporter)

Comment 1

7 months ago
:arr pointed out that I forgot to note that ssh/vnc/rdp should be source-limited to the jumphosts.

rejh1.srv.releng.scl3.mozilla.com has address 10.26.48.19
rejh2.srv.releng.scl3.mozilla.com has address 10.26.48.20

rejh1.srv.releng.mdc1.mozilla.com has address 10.49.48.100
rejh2.srv.releng.mdc1.mozilla.com has address 10.49.48.101
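The policy from the description plus the jumphost restriction from comment 1, written out as an added example; this is not OCC's or MDT's own configuration. It uses netsh advfirewall because Windows 7 ships without the NetSecurity cmdlets (New-NetFirewallRule and friends); the rule names are assumed, the jumphost addresses are the four listed above.

```powershell
# Added example (not OCC/MDT code): default-deny ingress for a w7 moonshot host.
# Run from an elevated PowerShell prompt on the host being hardened.
# Jumphost addresses are the ones listed in comment 1; rule names are assumed.
$JumpHosts = "10.26.48.19,10.26.48.20,10.49.48.100,10.49.48.101"

# Remote-access ports from the description, to be source-limited to the jumphosts.
$RemoteAccess = @{ "SSH" = 22; "VNC" = 5900; "RDP" = 3389 }

# 1. Before turning the firewall on, record what is actually listening so any
#    port that would need an exception can be called out in the bug.
netstat -ano | Select-String "LISTENING"

# 2. Enable the firewall on every profile with block-inbound / allow-outbound
#    defaults ("ALLOW ALL OUTGOING", "DENY EVERYTHING ELSE INCOMING").
#    The comma-separated value is quoted so PowerShell passes it as one argument.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 3. ICMPv4 echo request (type 8, any code) from anywhere, so the host stays pingable.
netsh advfirewall firewall add rule name=RelEng-ICMPv4-echo `
    dir=in action=allow "protocol=icmpv4:8,any"

# 4. One inbound TCP rule per remote-access service, restricted to the jumphosts.
#    Rule names deliberately contain no spaces to avoid netsh quoting quirks.
foreach ($svc in $RemoteAccess.Keys) {
    $port = $RemoteAccess[$svc]
    netsh advfirewall firewall add rule name=RelEng-$svc-from-jumphosts `
        dir=in action=allow protocol=TCP localport=$port remoteip=$JumpHosts
}

# 5. Verify: the profile summary should read BlockInbound,AllowOutbound and each
#    RelEng rule should show RemoteIP = the jumphost list rather than Any.
netsh advfirewall show allprofiles
foreach ($svc in $RemoteAccess.Keys) {
    netsh advfirewall firewall show rule name=RelEng-$svc-from-jumphosts
}
```

Step 1 is the check the reporter asks for: anything listening that is not in the allow list above will be unreachable once step 2 runs.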

Updated

7 months ago
Depends on: 1387157

Updated

7 months ago
Blocks: 1379671

Updated

3 months ago
Blocks: 1416867
(Assignee)

Comment 2

3 months ago
The only connection method that is active on the Windows OCC hardware is VNC, and the firewall rules are set up through MDT and will be ported to OCC in the future.
Status: NEW → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → FIXED