Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Adjust firewall to only block phx2 staging hosts in phx2.

Browse source
This commit is contained in:
Kevin Fenzi 2015-01-27 20:46:09 +00:00
parent ce8d1e9b7b
commit 32a6e5dc7c
1 changed files with 8 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

10
roles/base/templates/iptables/iptables
View file

@ -24,8 +24,14 @@
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
# ban staging from non-staging hosts
{% if env != 'staging' and inventory_hostname not in groups['staging-friendly'] %}
#
# In the phx2 datacenter, both production and staging hosts are in the same
# subnet/vlan. We want production hosts to reject connectons from staging group hosts
# to prevent them from interfering with production. There are however a few hosts in
# production we have marked 'staging-friendly' that we do allow staging to talk to for
# mostly read-only data they need.
#
{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
{% for host in groups['staging'] %}
{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited