Merge pull request #47 from jovial/seed-firewall

Update firewall for seed node
RSE-Cambridge · Mar 29, 2019 · fff729e · fff729e
2 parents 4043c4e + 5a08348
commit fff729e
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 24 deletions.
diff --git a/etc/kayobe/inventory/group_vars/seed/firewall b/etc/kayobe/inventory/group_vars/seed/firewall
@@ -8,11 +8,19 @@ firewallgen_ipv4_input_allow_rules:
     proto: tcp
     destination: "127.0.0.1"
     comment: "hint: used by 'master'"
+  - interface: "lo"
+    port: 53
+    proto: tcp
+    comment: "hint: used by 'dnsmasq' in docker container 'bifrost_deploy'"
   - interface: "lo"
     port: 53
     proto: tcp
     destination: "127.0.0.1"
     comment: "hint: used by 'dnsmasq' in docker container 'bifrost_deploy'"
+  - interface: "lo"
+    port: 3306
+    proto: tcp
+    comment: "hint: used by 'mysqld' in docker container 'bifrost_deploy'"
   - interface: "lo"
     port: 4369
     proto: tcp
@@ -21,6 +29,10 @@ firewallgen_ipv4_input_allow_rules:
     port: 5050
     proto: tcp
     comment: "hint: used by 'ironic-inspecto' in docker container 'bifrost_deploy'"
+  - interface: "lo"
+    port: 5672
+    proto: tcp
+    comment: "hint: used by 'beam.smp' in docker container 'bifrost_deploy'"
   - interface: "lo"
     port: 25672
     proto: tcp
@@ -34,16 +46,6 @@ firewallgen_ipv4_input_allow_rules:
     proto: tcp
     destination: "{{ ilab_net_name | net_ip }}"
     comment: "SSH via ILAB"
-  - interface: "{{ internal_net_name | net_interface }}"
-    port: 9197
-    proto: tcp
-    destination: "{{ internal_net_name | net_ip }}"
-    comment: "mtail"
-  - interface: "{{ internal_net_name | net_interface }}"
-    port: 18080
-    proto: tcp
-    destination: "{{ internal_net_name | net_ip }}"
-    comment: "cadvisor"
   - interface: "{{ provision_oc_net_interface }}"
     port: 53
     proto: tcp
@@ -57,15 +59,19 @@ firewallgen_ipv4_input_allow_rules:
     port: 8080
     proto: tcp
     comment: "hint: used by 'nginx' in docker container 'bifrost_deploy'"
+  - interface: "{{ provision_oc_net_name | net_interface }}"
+    port: 4000
+    proto: tcp
+    comment: "hint: used by 'docker-proxy'"
   - interface: "docker0"
     port: 123
     proto: udp
     destination: "172.17.0.1"
     comment: "hint: used by 'ntpd'"
-  - interface: "{{ provision_oc_net_name | net_interface }}"
-    port: 5000
-    proto: tcp
-    destination: "{{ provision_oc_net_name | net_ip }}"
+  - interface: "lo"
+    port: 53
+    proto: udp
+    comment: "hint: used by 'dnsmasq' in docker container 'bifrost_deploy'"
   - interface: "lo"
     port: 53
     proto: udp

diff --git a/etc/kayobe/inventory/group_vars/seed/firewall-extra b/etc/kayobe/inventory/group_vars/seed/firewall-extra
@@ -0,0 +1,11 @@
+---
+
+firewallgen_ipv4_forward_allow:
+  - in-interface: "{{ ilab_net_interface }}"
+    out-interface: "{{ admin_oc_net_name | net_interface }}"
+    state: RELATED,ESTABLISHED
+  - in-interface: "{{ admin_oc_net_name | net_interface }}"
+    out-interface: "{{ ilab_net_interface }}"
+
+firewallgen_ipv4_snat:
+  - out-interface: "{{ ilab_net_interface }}"
diff --git a/etc/kayobe/inventory/group_vars/seed/firewallgen b/etc/kayobe/inventory/group_vars/seed/firewallgen
@@ -19,15 +19,20 @@ firewallgen_ipv4_input_allow_rewrite_rules_extra:
   - '. |= map( if .port == 4369 and .proto == "tcp"  then .interface = "lo" else . end)'
 # rabbit (doesn't seem to referenced in any config file)
   - '. |= map( if .port == 25672 and .proto == "tcp"  then .interface = "lo" else . end)'
+# bifrost mysql
+  - '. |= map( if .port == 3306 and .proto == "tcp"  then .interface = "lo" else . end)'
+# bifrost rabbitmq
+  - '. |= map( if .port == 5672 and .proto == "tcp"  then .interface = "lo" else . end)'
+# DNS ?
+  - '. |= map( if .port == 53 then .interface = "lo" else . end)'
+# docker-proxy for docker regsitry
+  - >-
+    . |= map( if .port == 4000 and .proto == "tcp" then
+            .interface = "{{ firewallgen_interface_tmpl % 'provision_oc_net_name' }}" else . end)
 
 firewallgen_ipv4_input_allow_custom_rules_extra:
-  # These are ipv4-mapped ipv6 addresses and don't show in ss -nlpt -4 output
-  - interface: "{{ firewallgen_interface_tmpl % 'provision_oc_net_name' }}"
-    port: 5000
-    proto: tcp
-    destination: "{% raw %}{{ provision_oc_net_name | net_ip }}{% endraw %}"
-  - interface: "{{ firewallgen_interface_tmpl % 'ilab_net_name' }}"
-    port: 22
-    proto: tcp
-    destination: "{% raw %}{{ ilab_net_name | net_ip }}{% endraw %}"
-    comment: SSH via ILAB
+ - interface: "{{ firewallgen_interface_tmpl % 'ilab_net_name' }}"
+   port: 22
+   proto: tcp
+   destination: "{% raw %}{{ ilab_net_name | net_ip }}{% endraw %}"
+   comment: SSH via ILAB