Bug 731228: Setup Firewalling on Production
Status: RESOLVED FIXED (Closed)
Opened 12 years ago, closed 12 years ago
Categories: Pancake Graveyard :: General, defect
Tracking: Not tracked, Target Milestone M1
People: Reporter: st3fan, Assigned: gozer
Attachments: 2 files
We need to look at what is running where and then decide on a simple firewall setup to limit the access that individual machines have to each other. CCing security folks.
Comment 1•12 years ago
Stefan,
We're still waiting for pancake documentation. We've been asking for months. We need the opportunity to review pancake prior to deployment...which it sounds like has already happened. Please get us a detailed set of documentation and diagrams for pancake. We need to know information such as:
What components do what
What components talk to what systems
What data is transmitted between systems
Comment 2•12 years ago
Stefan, Any update on this?
Comment 3•12 years ago
Stefan, Can you update this bug?
Comment 4•12 years ago (Reporter)
So even though I filed this bug it was totally not on my radar and I have missed all updates to it. Moving it to M1 to keep it in the 'what to do before release' list.
Target Milestone: --- → M1
Updated•12 years ago (Reporter)
Assignee: nobody → sarentz
Comment 5•12 years ago (Reporter)
Joe, I started a Wiki page at https://wiki.mozilla.org/Pancake_Infrastructure. Please let me know if this is good.
Comment 6•12 years ago (Reporter)
Comment 7•12 years ago (Reporter)
Added a PDF describing the current pancake architecture, both on Mozilla and Amazon infrastructure.
Comment 8•12 years ago (Reporter)
New wiki page to describe the Pancake Thumbnailer infrastructure at https://wiki.mozilla.org/Pancake_Thumbnailer_Infrastructure
Comment 9•12 years ago (Reporter)
We are now in the process of setting up a production environment. Cc'ing gozer on this bug as he has the best overview of iptables rules that were needed to get things going.
Updated•12 years ago (Reporter)
Assignee: sarentz → gozer
Comment 10•12 years ago (Reporter)
Comment 11•12 years ago (Assignee)
webservers (pancake-web[1-4]) have:
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT

user-api (pancake-user-api1) has:
    -A INPUT -s 10.8.110.0/24 -p tcp -m state --state NEW -m tcp --dport 4323 -j ACCEPT

neo4j (pancake-neo4j1) has:
    -A INPUT -s 10.8.110.0/24 -p tcp -m state --state NEW -m tcp --dport 7474 -j ACCEPT

elasticsearch (pancake-elasticsearch1) has:
    -A INPUT -s 10.8.110.0/24 -p tcp -m state --state NEW -m tcp --dport 9200 -j ACCEPT

memcache1 (pancake-memcache1) [running membase] has:
    -A INPUT -s 10.8.110.0/24 -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT

They all also have:
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
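
An added example, not part of the bug and not Mozilla's tooling: a small Python check that parses INPUT rules in the form quoted in comment 11 and lists the destination ports that accept new connections from any source address. It assumes iptables-save style lines with numeric sources and ignores chain policy, which the bug does not show; the function names are made up for this example.

```python
import ipaddress
import shlex

FLAGS = {"-A": "chain", "-s": "source", "--source": "source", "-i": "iface",
         "--dport": "dport", "--state": "state", "-j": "target"}

def parse_rule(line):
    """Parse one iptables-save style '-A CHAIN ...' line into a dict."""
    rule = dict.fromkeys(FLAGS.values())
    rule["negated_source"] = False
    tokens, negate = iter(shlex.split(line)), False
    for tok in tokens:
        if tok == "!":                # '! -s net' matches everything except net
            negate = True
            continue
        key = FLAGS.get(tok)
        if key:
            rule[key] = next(tokens, None)
            if key == "source":
                rule["negated_source"] = negate
        negate = False
    return rule

def source_restricted(rule):
    """True only for a positive match on a network narrower than /0."""
    if rule["source"] is None or rule["negated_source"]:
        return False
    return ipaddress.ip_network(rule["source"], strict=False).prefixlen > 0

def exposed_ports(lines):
    """Destination ports that ACCEPT new connections from any source address."""
    ports = set()
    for rule in map(parse_rule, lines):
        if rule["chain"] != "INPUT" or rule["target"] != "ACCEPT":
            continue
        if rule["iface"] == "lo" or source_restricted(rule):
            continue
        if rule["state"] and "NEW" not in rule["state"].split(","):
            continue                  # RELATED,ESTABLISHED admits no new flows
        ports.add(rule["dport"] or "any")
    return sorted(ports, key=lambda p: -1 if p == "any" else int(p.split(":")[0]))

# Rules copied from comment 11: the shared rules and the neo4j host's rule.
COMMON = ["-A INPUT -i lo -j ACCEPT",
          "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
          "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"]
NEO4J = ["-A INPUT -s 10.8.110.0/24 -p tcp -m state --state NEW -m tcp --dport 7474 -j ACCEPT"]
if __name__ == "__main__":
    print("pancake-neo4j1:", exposed_ports(NEO4J + COMMON))
```

A rule that accepts traffic with no port match at all is reported as `any`, and a negated or `/0` source counts as unrestricted.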