We need to set up OCC to turn on firewalling with a default deny policy similar to the one for w10 filed in bug 1386757. This is only for w7 on moonshot. AWS will be handled entirely through security group policies.

The policy would look roughly like:

ALLOW ALL OUTGOING (egress)
ALLOW PING/ICMP INCOMING (ingress)
ALLOW SSH/VNC/RDP INCOMING (ingress)
DENY EVERYTHING ELSE INCOMING (ingress)

If there is a listening port that needs an exception, call it out here. But AFAIK, there should be with tc worker. It is entirely pull/polling/outgoing.

SSH = port tcp/22
VNC = port tcp/5900
RDP = port tcp/3389
:arr pointed out that I forgot to note that ssh/vnc/rdp should be source-limited to the jumphosts.

rejh1.srv.releng.scl3.mozilla.com has address 10.26.48.19
rejh2.srv.releng.scl3.mozilla.com has address 10.26.48.20
rejh1.srv.releng.mdc1.mozilla.com has address 10.49.48.100
rejh2.srv.releng.mdc1.mozilla.com has address 10.49.48.101
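The policy from the two comments above, written out as an added netsh advfirewall script for a Windows 7 host; this is an illustration, not the bug's or OCC's own configuration. The jumphost addresses and ports are the ones listed in the bug; the rule names are assumed, and netsh is used because the NetSecurity PowerShell cmdlets are only available from Windows 8 / Server 2012 onwards.

```batch
@echo off
rem Added example, not from the bug: default-deny inbound host firewall
rem for the w7 moonshot workers, with management ports limited to the
rem releng jumphosts listed in the bug. Rule names are arbitrary.
set JUMPHOSTS=10.26.48.19,10.26.48.20,10.49.48.100,10.49.48.101

rem Default policy on every profile: deny inbound, allow all outbound (egress).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem ICMPv4 echo request (ping) from anywhere.
netsh advfirewall firewall add rule name="OCC allow ping" dir=in action=allow protocol=icmpv4:8,any

rem SSH / VNC / RDP inbound, source-limited to the jumphosts only.
netsh advfirewall firewall add rule name="OCC allow SSH from jumphosts" dir=in action=allow protocol=TCP localport=22 remoteip=%JUMPHOSTS%
netsh advfirewall firewall add rule name="OCC allow VNC from jumphosts" dir=in action=allow protocol=TCP localport=5900 remoteip=%JUMPHOSTS%
netsh advfirewall firewall add rule name="OCC allow RDP from jumphosts" dir=in action=allow protocol=TCP localport=3389 remoteip=%JUMPHOSTS%

rem Verify: the per-profile default policy and the rules just added.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all | findstr /C:"OCC allow"
```

Anything else listening on the host will be blocked by the default policy, which is the check the first comment asks for: any port that needs to stay reachable has to get its own explicit rule.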
The only connection method that is active on the Windows OCC hardware is VNC, and the firewall rules are set up through MDT and will be ported to OCC in the future.
Status: NEW → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → FIXED