Closed
Bug 671176
Opened 14 years ago
Closed 14 years ago
Allow IRC servers to connect to each other over the Internet
Categories
(Infrastructure & Operations Graveyard :: NetOps, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: justdave, Assigned: dmoore)
Details
Right now, the IRC servers all link to each other over the VPN. We had an extended VPN outage tonight, and when I tried to fail the irc links over their external IPs, we discovered the ports weren't open to be able to do so. The inter-server links all operate on port 6665. Just for sanity, we should probably restrict these IPs to being able to connect to each other, so the source IPs should match, too.
sand.mozilla.org has address 63.245.208.159
concrete.mozilla.org has address 63.245.216.214
gravel.mozilla.org has address 63.245.212.23
Those three IPs should all be able to connect to each other on port 6665 (which probably means opening that port from the other two IP addresses on each of the three colos).
Thanks!
The end goal for the vpn is to have it capable of failing between the Internet and the P2P link. We shouldn't experience any long vpn outages once we get to that state.
Will that be sufficient, or do you still want to remove the dependency on the vpn completely?
Comment 2 • 14 years ago
All paths from PHX to SJC will traverse the same SRX pair. That said, the VPN will always be up and act as either a primary or backup.
Comment 3 (Reporter) • 14 years ago
(In reply to comment #1)
> Will that be sufficient, or do you still want to remove the dependency on
> the vpn completely?
Yeah, that's probably fine. Was just looking for an alternate path, but if it auto-fails to a backup it ought to be fine.
Comment 4 (Reporter) • 14 years ago
Sounds like we have another known-in-advance outage for this network link planned though... can we get this route opened for now to help avoid downtime during tonight's outage, and then we can nuke it once the above-mentioned failover is actually in place and working?
Comment 5 (Assignee) • 14 years ago
These rules are now in place, as requested.
As a side effect, concrete now has full static (inbound/outbound) NAT.
gravel had no existing filtering on port 6665. It will require a simple iptables change to correct this.
Assignee: network-operations → dmoore
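Added example, not part of the bug thread and not Mozilla's actual configuration: a host-level version of the restriction requested in the description, of the kind comment 5 says gravel still needs. It prints (does not apply) iptables rules that accept port 6665 only from the other two server addresses. The chain name `IRC-LINK`, the use of TCP, and filtering in the host's INPUT chain are assumptions.

```shell
#!/bin/sh
# Addresses and port are the ones listed in the bug description.
PEERS="63.245.208.159 63.245.216.214 63.245.212.23"   # sand, concrete, gravel
LINK_PORT=6665
CHAIN="IRC-LINK"   # hypothetical chain name, not from the bug

# irc_link_rules LOCAL_IP
# Print the iptables commands for the server that owns LOCAL_IP.
irc_link_rules() {
    local_ip=$1

    # Refuse anything that is not one of the three known servers, so a typo
    # cannot produce a rule set that accepts the wrong peers.
    case " $PEERS " in
        *" $local_ip "*) ;;
        *) echo "unknown server address: $local_ip" >&2; return 1 ;;
    esac

    # Build the chain completely before any traffic is sent to it.
    echo "iptables -N $CHAIN"
    for peer in $PEERS; do
        if [ "$peer" != "$local_ip" ]; then
            echo "iptables -A $CHAIN -s $peer -j ACCEPT"
        fi
    done
    # Every other source reaching the link port is dropped.
    echo "iptables -A $CHAIN -j DROP"

    # Hook the chain into INPUT last, matching only the server-link port.
    echo "iptables -I INPUT -p tcp --dport $LINK_PORT -j $CHAIN"
}

# Rules for gravel (63.245.212.23), the host comment 5 reports as unfiltered.
irc_link_rules 63.245.212.23
```

Review the printed commands before piping them to a root shell on the matching host; each server gets a different peer pair.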
Updated (Assignee) • 14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 6 (Reporter) • 14 years ago
gravel isn't actually online at the moment anyway. Hope to get that up soon.
Updated • 12 years ago
Product: mozilla.org → Infrastructure & Operations
Updated • 3 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard