Adjust firewall rules for anitya.

inventory/group_vars/anitya-backend

@@ -7,13 +7,16 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 
-# Neeed for rsync from log01 for logs.
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+custom_rules: [
+    # Need for rsync from log01 for logs.
+    '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
+    # Need so that anitya-backend can talk fedmsg to our relay
+    '-A INPUT -p tcp -m tcp -s 140.211.169.230 --dport 9939 -j ACCEPT',
+ ]
 
-tcp_ports: [
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+# No other ports open.  no web service running here.
+#tcp_ports: []
 
 fas_client_groups: sysadmin-noc
 

inventory/group_vars/anitya-frontend

@@ -7,12 +7,8 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 
-# Note that, usually there are 16-32 ports listed here so that fedmsg can bind
-# to each of them (one for each wsgi thread).  We're not doing that here because
-# the anitya frontend is sitting on the vpn.  We could, but we'd like to reduce
-# vpn traffic.  Instead, we configure the anitya app to connect directly to the
-# fedmsg-relay sitting on busgateway01.vpn.fp.o and send its messages there.
-tcp_ports: [ 80, 443 ]
+# 9940 is for the anitya public relay
+tcp_ports: [ 80, 443, 9940 ]
 
 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]