Closed
Bug 731228
Opened 13 years ago
Closed 13 years ago
Setup Firewalling on Production
Categories
(Pancake Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
M1
People
(Reporter: st3fan, Assigned: gozer)
Attachments
(2 files)
We need to look at what is running where and then decide on a simple firewall setup to limit the access that individual machines have to each other. CCing security folks.
Comment 1•13 years ago
Stefan,
We're still waiting for pancake documentation. We've been asking for months. We need the opportunity to review pancake prior to deployment...which it sounds like has already happened.
Please get us a detailed set of documentation and diagrams for pancake.
We need to know information such as:
What components do what
What components talk to what systems
What data is transmitted between systems
Comment 2•13 years ago
Stefan,
Any update on this?
Comment 3•13 years ago
Stefan,
Can you update this bug?
Reporter
Comment 4•13 years ago
So even though I filed this bug it was totally not on my radar and I have missed all updates to it. Moving it to M1 to keep it in the 'what to do before release' list.
Target Milestone: --- → M1
Reporter
Updated•13 years ago
Assignee: nobody → sarentz
Reporter
Comment 5•13 years ago
Joe, I started a wiki page at https://wiki.mozilla.org/Pancake_Infrastructure. Please let me know if this is good.
Reporter
Comment 6•13 years ago
Reporter
Comment 7•13 years ago
Added a PDF describing the current pancake architecture, both on Mozilla and Amazon infrastructure.
Reporter
Comment 8•13 years ago
New wiki page to describe the Pancake Thumbnailer infrastructure at https://wiki.mozilla.org/Pancake_Thumbnailer_Infrastructure
Reporter
Comment 9•13 years ago
We are now in the process of setting up a production environment. Cc'ing gozer on this bug as he has the best overview of iptables rules that were needed to get things going.
Reporter
Updated•13 years ago
Assignee: sarentz → gozer
Reporter
Comment 10•13 years ago
Assignee
Comment 11•13 years ago
webservers (pancake-web[1-4]) have:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
user-api (pancake-user-api1) has:
-A INPUT -s 10.8.110.0/24 -p tcp -m state --state NEW -m tcp --dport 4323 -j ACCEPT
neo4j (pancake-neo4j1) has:
-A INPUT -s 10.8.110.0/24 -p tcp -m state --state NEW -m tcp --dport 7474 -j ACCEPT
elasticsearch (pancake-elasticsearch1) has:
-A INPUT -s 10.8.110.0/24 -p tcp -m state --state NEW -m tcp --dport 9200 -j ACCEPT
memcache1 (pancake-memcache1) [running membase] has:
-A INPUT -s 10.8.110.0/24 -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT
They all also have:
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
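An added example, not part of the bug or of the Pancake project's tooling: a small Python audit that parses the iptables rules listed in comment 11 and reports which ports accept NEW connections from any source and which only from 10.8.110.0/24. The shortened role keys, the `public_roles` default (treating the webservers' open ports as intended) and all function names are assumptions made for illustration.

```python
import ipaddress
import shlex

# Rule shapes exactly as they appear in comment 11.
INTERNAL = "-A INPUT -s 10.8.110.0/24 -p tcp -m state --state NEW -m tcp --dport {} -j ACCEPT"
PUBLIC = "-A INPUT -p tcp -m state --state NEW -m tcp --dport {} -j ACCEPT"
# Per-role rules from comment 11; the role keys are shortened labels (assumption).
RULES = {
    "webservers": [PUBLIC.format(8080), PUBLIC.format(8443)],
    "user-api": [INTERNAL.format(4323)],
    "neo4j": [INTERNAL.format(7474)],
    "elasticsearch": [INTERNAL.format(9200)],
    "memcache1": [INTERNAL.format(11211)],
}
# Rules that comment 11 says every host also has.
COMMON = ["-A INPUT -i lo -j ACCEPT",
          "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
          PUBLIC.format(22)]
FLAGS = {"-A": "chain", "-s": "source", "-p": "proto", "-i": "iface",
         "--state": "state", "--dport": "dport", "-j": "target"}

def parse_rule(line):
    """Return the match fields of one iptables-save '-A' line as a dict."""
    fields = {"source": "0.0.0.0/0"}  # iptables matches any source when -s is absent
    tokens = shlex.split(line)
    for flag, value in zip(tokens, tokens[1:]):
        if flag in FLAGS:
            fields[FLAGS[flag]] = value
    return fields

def exposure(host_rules, trusted="10.8.110.0/24"):
    """Map each port accepted by a host to 'any' or 'trusted-subnet'."""
    trusted_net = ipaddress.ip_network(trusted)
    result = {}
    for line in host_rules + COMMON:
        rule = parse_rule(line)
        if rule.get("target") != "ACCEPT" or "dport" not in rule:
            continue  # loopback and RELATED,ESTABLISHED rules open no port
        src = ipaddress.ip_network(rule["source"])
        result[int(rule["dport"])] = "trusted-subnet" if src.subnet_of(trusted_net) else "any"
    return result

def findings(rules=RULES, public_roles=("webservers",)):
    """List (role, port) pairs open to any source that a reviewer should confirm."""
    return [(role, port) for role, host_rules in rules.items()
            for port, scope in sorted(exposure(host_rules).items())
            if scope == "any" and (port == 22 or role not in public_roles)]

if __name__ == "__main__":
    print({role: exposure(r) for role, r in RULES.items()}, findings())
```

Comment 11 lists only ACCEPT rules, so the `-s 10.8.110.0/24` restrictions take effect only if the INPUT chain's policy or a final rule drops everything else, which the bug does not show.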