Closed Bug 1386872 Opened 7 years ago Closed 7 years ago

Enabled firewall on OCC w7 moonshot profile

Categories

(Infrastructure & Operations :: RelOps: General, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dividehex, Assigned: markco)

References

Details

We need to set up OCC to turn on firewalling with a default deny policy similar to the one for w10 filed in bug 1386757

This is only for w7 on moonshot.  AWS will be handled entirely through security group policies.

The policy would look roughly like:
ALLOW ALL OUTGOING (egress)
ALLOW PING/ICMP INCOMING (ingress)
ALLOW SSH/VNC/RDP INCOMING (ingress)
DENY EVERYTHING ELSE INCOMING (ingress)

If there is a listening port that needs an exception, call it out here.  But AFAIK, there should be none with tc worker.  It is entirely pull/polling/outgoing.

SSH = port tcp/22
VNC = port tcp/5900
RDP = port tcp/3389
:arr pointed out that I forgot to note ssh/vnc/rdp should be source-limited to the jumphosts.

rejh1.srv.releng.scl3.mozilla.com has address 10.26.48.19
rejh2.srv.releng.scl3.mozilla.com has address 10.26.48.20

rejh1.srv.releng.mdc1.mozilla.com has address 10.49.48.100
rejh2.srv.releng.mdc1.mozilla.com has address 10.49.48.101
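The policy requested above (block all inbound by default, allow all outbound, allow ICMP echo from anywhere, allow tcp/22, tcp/5900 and tcp/3389 only from the four releng jumphosts), written out as an added example. This is not the MDT or OCC configuration referenced in the bug, which is not shown on this page; it is an illustration of what that configuration has to express. Windows 7 does not ship the NetSecurity cmdlets (New-NetFirewallRule and friends), so the script drives netsh advfirewall from PowerShell. The rule names and the idempotent delete-then-add pattern are assumptions; the jumphost addresses are the ones listed in the bug.

```powershell
# Added example, not from the bug or from OCC/MDT. Run from an elevated
# PowerShell prompt on the Windows 7 moonshot host. Rule names are assumptions.

# Releng jumphosts from the bug; the only permitted sources for SSH/VNC/RDP.
$Jumphosts = @(
    '10.26.48.19',   # rejh1.srv.releng.scl3.mozilla.com
    '10.26.48.20',   # rejh2.srv.releng.scl3.mozilla.com
    '10.49.48.100',  # rejh1.srv.releng.mdc1.mozilla.com
    '10.49.48.101'   # rejh2.srv.releng.mdc1.mozilla.com
) -join ','

# Remote-access services named in the bug and their TCP ports.
$AdminPorts = @{ SSH = 22; VNC = 5900; RDP = 3389 }

# Default policy for all three profiles (domain/private/public):
# firewall on, block inbound, allow outbound. Everything not matched by
# an explicit inbound allow rule below is dropped.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Delete any earlier copies of our rules so re-running the script does not
# pile up duplicates (netsh reports "No rules match" harmlessly on first run).
$RuleNames = @('OCC allow ICMPv4 echo') +
    ($AdminPorts.Keys | ForEach-Object { "OCC allow $_ from jumphosts" })
foreach ($name in $RuleNames) {
    netsh advfirewall firewall delete rule name="$name" | Out-Null
}

# Allow ping: ICMPv4 type 8 (echo request), any code, from any source.
netsh advfirewall firewall add rule name="OCC allow ICMPv4 echo" `
    dir=in action=allow protocol=icmpv4:8,any

# Allow SSH/VNC/RDP inbound, source-limited to the jumphosts.
foreach ($svc in $AdminPorts.Keys) {
    netsh advfirewall firewall add rule name="OCC allow $svc from jumphosts" `
        dir=in action=allow protocol=TCP localport=$($AdminPorts[$svc]) remoteip=$Jumphosts
}

# Verify: each profile should report "BlockInbound,AllowOutbound", and the
# only inbound rules we added should be the four OCC rules.
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
netsh advfirewall firewall show rule name=all dir=in | Select-String '^Rule Name:\s+OCC'
```

The verification step matters more than the add step: built-in Windows rules (file sharing, remote assistance and so on) remain in the rule set and some are enabled by default, so after applying the policy, confirm with `netsh advfirewall firewall show rule name=all dir=in` that nothing other than the intended rules is both enabled and listening on a port that is actually open. If, as the closing comment on this bug says, only VNC is reachable on the hardware, the SSH and RDP rules can be dropped rather than kept as unused allow entries.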
The only connection method that is active on the Windows OCC hardware is VNC, and the firewall rules are set up through MDT and will be ported to OCC in the future.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED