Close os machinectl port from external

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2019-05-25 02:31:00 +02:00 · 2019-05-25 02:31:00 +02:00 · 1878e49a6d
commit 1878e49a6d
parent d451116939
1 changed files with 2 additions and 4 deletions
--- a/inventory/group_vars/os_proxies
+++ b/inventory/group_vars/os_proxies
@ -13,14 +13,12 @@ tcp_ports: [
    6443,
    # For haproxy status
    8080,
-    # For machinectl api
-    22623,
-    # 9941 is closed generally, is for the inbound fedmsg and is covered in
-    # custom_rules
 ]

 custom_rules: [
    # Needed for keepalived
    '-A INPUT -d 224.0.0.0/8 -j ACCEPT',
    '-A INPUT -p vrrp -j ACCEPT',
+    # machinectl api
+    '-A INPUT -p tcp --dport 22623 --src 38.145.48.0/27 -j ACCEPT',
 ]