Closed
Bug 755166
Opened 13 years ago
Closed 13 years ago
Community VLAN20 should be able to reach Labs VLAN21
Categories
(Infrastructure & Operations Graveyard :: NetOps: DC ACL Request, task)
Tracking
(Not tracked)
VERIFIED
WORKSFORME
People
(Reporter: gozer, Assigned: ravi)
Both these VLANs are somewhat public VLANs, at least VLAN22 in labs is meant to be treated as DMZ/Public facing.
It looks like hosts in the community network (VLAN20) currently can't reach anything in there. For instance, https://heatmap.mozillalabs.com/.
VLAN20 should have the same access privileges into VLAN22 as the rest of the internet.
Comment 1 (Reporter) • 13 years ago
Labs public VLAN is 21, not 22, corrected.
Summary: Community VLAN20 should be able to reach Labs VLAN22 → Community VLAN20 should be able to reach Labs VLAN21
Updated (Assignee) • 13 years ago
Assignee: network-operations → ravi
Comment 2 (Assignee) • 13 years ago
Noted.
I've created a global policy, public-labs, for inbound flows to labs that covers the community zone and internet.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 3 (Reporter) • 13 years ago
Doesn't seem to work. I've tried from sb-win32-tobx (63.245.223.20) (community VLAN) to telnet to 63.245.223.165 (labs public VLAN) port 80, and it just times out. ICMP doesn't work either.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 4 • 13 years ago
Ravi, any updates on this? This blocks getting a new Lightning beta build out of the door.
No longer blocks: 756116
Comment 5 (Assignee) • 13 years ago
(In reply to Philippe M. Chiasson (:gozer) from comment #0)
[...]
> VLAN20 should have the same access privileges into VLAN22 as the rest of the
> internet.
The request was completed as requested. I'm able to connect from jump1. Make sure your netmask is a /25 (255.255.255.128).
[root@jump1.community.scl3 ~]# nc -vz 63.245.223.165 80
Connection to 63.245.223.165 80 port [tcp/http] succeeded!
ravi@fw1.scl3# show security policies from-zone untrust to-zone labs
apply-groups [ public-labs global-policies global-deny ];
apply-groups-except global-policies;
{primary:node0}[edit]
ravi@fw1.scl3# show security policies from-zone community to-zone labs
apply-groups [ public-labs global-policies global-deny ];
apply-groups-except global-policies;
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → WORKSFORME
Comment 6 • 13 years ago
Port 80 works for me too, but port 22 gives me Connection timed out. I don't know if the master just doesn't have ssh running or if it's a policy issue.
Comment 7 (Assignee) • 13 years ago
Because ssh was never, to my knowledge, asked for.
Here are the policies and their respective bugs.
from-zone <*> to-zone labs {
/* 739761,748018,755166 */
policy smtp {
/* 739761,748018,755166 */
policy http {
/* 739761,748018,755166 */
policy https {
/* 739761,748018,755166 */
policy ping {
Comment 8 • 13 years ago
Ok, sorry, I wasn't aware. I'll check with gozer for more bugs, as I will need to ssh from jump1 to the master for admin work.
Status: RESOLVED → VERIFIED
Comment 9 (Reporter) • 13 years ago
(In reply to Philipp Kewisch [:Fallen] (away until May 28th) from comment #8)
> Ok, sorry, I wasn't aware. I'll check with gozer for more bugs, as I will
> need to ssh from jump1 to the master for admin work.
Don't worry about that, the access path to the master will be different for you.
Comment 10 (Reporter) • 13 years ago
Bingo, it was the win32 box that had the wrong netmask. Fixed now.
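The netmask failure diagnosed in comments 5 and 10, as an added example that is not part of the original bug: it computes whether a host sends to 63.245.223.165 directly (ARP on its own segment) or via its gateway, and flags hosts whose configured mask changes that decision. The thread only says the Windows host's netmask was wrong; the /24 used here is an assumption, and `example-host` with its address is constructed.

```python
import ipaddress

def forwarding_decision(src_ip: str, prefix_len: int, dst_ip: str) -> str:
    """How a host with this address/mask sends to dst: ARP directly or via gateway."""
    local_net = ipaddress.ip_interface(f"{src_ip}/{prefix_len}").network
    return "on-link" if ipaddress.ip_address(dst_ip) in local_net else "gateway"

def longest_common_prefix(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses share."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()

def audit(hosts, correct_len: int, dst_ip: str):
    """Return (name, configured_len, actual, expected) for hosts whose
    configured mask yields a different forwarding decision than the correct one."""
    findings = []
    for name, ip, configured_len in hosts:
        expected = forwarding_decision(ip, correct_len, dst_ip)
        actual = forwarding_decision(ip, configured_len, dst_ip)
        if actual != expected:
            findings.append((name, configured_len, actual, expected))
    return findings

# Source and destination addresses are the ones quoted in the bug.
# The /24 on sb-win32-tobx is an assumption; "example-host" is constructed.
DST = "63.245.223.165"
HOSTS = [
    ("sb-win32-tobx", "63.245.223.20", 24),
    ("example-host", "63.245.223.30", 25),
]

if __name__ == "__main__":
    # Any mask of this length or shorter puts both addresses in one subnet.
    print("shared prefix bits:", longest_common_prefix("63.245.223.20", DST))
    for name, cfg, actual, expected in audit(HOSTS, 25, DST):
        print(f"{name}: /{cfg} treats {DST} as {actual}, should be {expected}")
```

When the decision is "on-link", the packets never reach the firewall, so its policy and session logs show nothing for the failing host, for TCP and ICMP alike.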
Updated • 12 years ago
Product: mozilla.org → Infrastructure & Operations
Updated • 3 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard