Freeze Break Request: iptables rule for fedmsg+copr

Patrick Uiterwijk puiterwijk at gmail.com
Fri Nov 8 17:17:07 UTC 2013


+1
On Nov 8, 2013 4:31 PM, "Ralph Bean" <rbean at redhat.com> wrote:

> We're looking to publish fedmsg messages from the copr backend.  The
> node that lives on is in the cloud and so will need to follow the same
> route as the secondary arch compose nodes.  We have an inbound fedmsg
> relay running on busgateway01, port 9941, and haproxy proxies
> connections to it from hub.fedoraproject.org, port 9941.
>
> We have that external port firewalled to only allow connections from
> the secondary arch compose nodes, and the copr backend!
>
> I only discovered today, as we went to test this for the first time,
> that the IP listed in manifests/services/proxy.pp is incorrect.
>
> I'd like to make this change to set it straight:
>
> diff --git a/manifests/services/proxy.pp b/manifests/services/proxy.pp
> index 01b39d3..529b242 100644
> --- a/manifests/services/proxy.pp
> +++ b/manifests/services/proxy.pp
> @@ -1012,7 +1012,7 @@ if $puppetEnvironment == 'staging'{
>          tcpPorts => [ 80, 443, 873, 8080, 6081, 9939, 9940],
>          custom => [
>              # Allow copr-be.cloud to talk to the inbound relay.
> -            '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.142 -j
> ACCEPT',
> +            '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.131 -j
> ACCEPT',
>              # Also, ppc-composer.qa.fedoraproject.org (secondary arch)
>              '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.33 -j
> ACCEPT',
>              # Also, s390-hub01.qa.fedoraproject.org (secondary arch)
>
>
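Review bot: The `-s 209.132.184.131` literal on the changed line is tied to copr-be.cloud only by the comment above it, which is how the previous wrong address went unnoticed until the first test. Put the host's full name in the comment, as the ppc-composer.qa.fedoraproject.org entry below does, and confirm the new address against that host before this goes out to every proxy. The hunk header context is `if $puppetEnvironment == 'staging'{`, so also check whether the file carries a second copy of this rule list for the other environment that still has 209.132.184.142.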
> This is potentially high impact in that it will be distributed to all of
> our proxies (which everything depends on).  On the other hand, it is a
> really simple change that only modifies the last chunk of that IP address.
>
> Can I get two +1's?
>
> -Ralph