allow log01 to get logs from proxies and other hosts. fix both iptables and rsyncd

Stephen Smoogen 2020-06-12 11:01:08 -04:00
parent dc92c9d924
commit f65a48aa61
22 changed files with 55 additions and 59 deletions

@ -15,7 +15,7 @@ wsgi_threads: 2
tcp_ports: [ 80 ]
# Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-badges,sysadmin-veteran
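Review bot: The log01 source address is a literal inside `custom_rules` here, and the same rule recurs in the other host and group variable sections on this page, so a file missed in a change like this one would leave a stale source allowed to reach rsync on port 873. Defining the rule pair once and referencing it, for example `custom_rules: "{{ log01_rsync_rules }}"` (variable name illustrative), keeps the allow list in one place; sections that carry extra rules could append to that list. The comment above the rule could be corrected to `# Needed for rsync from log01 for logs.` in the same edit. Which of the two printed `custom_rules` lines is the new side is inferred from the commit title, because the page has lost its +/- markers.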

@ -6,7 +6,7 @@ num_cpus: 10
tcp_ports: [ 80, 443, 8442, 8443 ]
# Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-fpdc,sysadmin-messaging,sysadmin-libravatar,sysadmin-gnome,sysadmin-copr,sysadmin-osbs,sysadmin-odcs

@ -10,6 +10,6 @@ num_cpus: 2
tcp_ports: [ 80, 443 ]
# Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-main

@ -10,7 +10,7 @@ num_cpus: 2
tcp_ports: [ 80, 443, 6996 ]
# Neeed for rsync from log01 for logs.
custom_rules: [
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
]

@ -13,7 +13,7 @@ tcp_ports: [ 80, 443,
3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
# Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran

@ -15,7 +15,7 @@ wsgi_threads: 2
tcp_ports: [ 80 ]
# Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-veteran

@ -15,7 +15,7 @@ wsgi_threads: 1
tcp_ports: [ 80 ]
# Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-veteran

@ -7,7 +7,7 @@ num_cpus: 16
custom_rules: [
# Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
]

@ -14,7 +14,7 @@ wsgi_threads: 2
tcp_ports: [ 80 ]
# Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-mbs,sysadmin-veteran

@ -28,7 +28,7 @@ virt_install_command: "{{ virt_install_command_two_nic }}"
nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
# Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-odcs,sysadmin-veteran

@ -23,7 +23,7 @@ tcp_ports: [
udp_ports: [ 111 ]
# Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-odcs,sysadmin-veteran

@ -13,7 +13,7 @@ tcp_ports: [ 80, 443,
3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
# Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran,sysadmin-packages

@ -41,7 +41,7 @@ tcp_ports: [
]
custom_rules: [
# Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',

@ -16,11 +16,11 @@ tcp_ports: [ 80, 443,
custom_rules: [
# Needed for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
# Needed to let nagios on noc01 and noc02 pipe alerts to zodbot here
'-A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5050 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.5.126.241 --dport 5050 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5050 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.3.166.10 --dport 5050 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.20 --dport 5050 -j ACCEPT',
# batcave01 also needs access to announce commits.
'-A INPUT -p tcp -m tcp -s 192.168.20.41 --dport 5050 -j ACCEPT',

@ -18,7 +18,7 @@ tcp_ports: [ 80 ]
# Neeed for rsync from log01 for logs.
custom_rules: [
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
]

@ -30,8 +30,8 @@
# FIXME - this is the global nat-ip and we need the noc01-specific ip
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.3.163.10 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.3.166.10 -j ACCEPT
{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging_friendly'] %}
#
@ -41,7 +41,7 @@
# production we have marked 'staging-friendly' that we do allow staging to talk to for
# mostly read-only data they need.
#
-A INPUT -s 10.5.128.0/24 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa_isolated'] %}
@ -90,7 +90,7 @@
{% endif %}
{% endfor %}
# nagios
-A INPUT -p tcp -m tcp --dport {{ port }} --src 10.5.126.41 -j ACCEPT
-A INPUT -p tcp -m tcp --dport {{ port }} --src 10.3.163.10 -j ACCEPT
{% endfor %}
{% endif %}
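Review bot: The staging-isolation block still keys on the old network: as rendered, the guard at the end of the first hunk tests `datacenter == 'phx2'` and the rule in the second hunk rejects `-s 10.5.128.0/24`, while every other address this section touches moves from 10.5.126.x to 10.3.x. If production hosts now live in 10.3.x under a different `datacenter` value, the REJECT rule would no longer be rendered for them and staging traffic would fall through to the rules that follow; this is inferred, since neither the inventory nor the new staging range is on this page. The second hunk's header reports a changed line but only one rule line is shown there, so the new side of that rule cannot be confirmed from here. Worth checking that both the guard and the rule name the new staging network, along the lines of `-A INPUT -s <new-staging-cidr> -j REJECT --reject-with icmp-host-prohibited`.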

@ -74,8 +74,6 @@
-A OUTPUT -p tcp -m tcp -d 10.3.169.104 --dport 22 -j ACCEPT
{% endif %}
# http to pull sources from pkgs lookaside
#-A OUTPUT -m tcp -p tcp --dport 80 -d 10.5.125.44 -j ACCEPT
# https git on pagure.io
-A OUTPUT -p tcp -m tcp -d 8.43.85.75 --dport 443 -j ACCEPT

@ -24,8 +24,8 @@
# FIXME - this is the global nat-ip and we need the noc01-specific ip
-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp -s 209.132.181.35 --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.241 --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.3.166.10 --dport 5666 -j ACCEPT
# if the blocked_ips is defined - drop them
{% if blocked_ips is defined %}
@ -43,10 +43,8 @@
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow all netapp traffic
-A INPUT -p udp -m udp -s 10.5.88.36 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.88.36 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.88.41 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.88.41 -j ACCEPT
-A INPUT -p udp -m udp -s 10.3.162.0/24 -j ACCEPT
# Custom Services
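Review bot: The netapp allowance in the second hunk widens from two named hosts to a whole subnet: the earlier rules name `10.5.88.36` and `10.5.88.41`, while the replacement shown is `-A INPUT -p udp -m udp -s 10.3.162.0/24 -j ACCEPT`, which accepts UDP to any port from 256 source addresses. If the filers have fixed addresses in the new network, listing them individually, e.g. `-A INPUT -p udp -m udp -s <netapp-ip> -j ACCEPT`, keeps the rule as narrow as before. Only a UDP rule is visible for the new range, whereas both UDP and TCP were accepted from the old hosts; the hunk header's line counts suggest the page dropped a line, so a matching TCP rule may exist and should be confirmed. Which lines are old and which are new is inferred from the address ranges, because the +/- markers are gone.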

@ -13,4 +13,4 @@ path = /var/log
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.13 192.168.1.59 10.3.163.39
hosts allow = 192.168.1.59 10.3.163.39

@ -13,7 +13,7 @@ path = /var/log
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.13 192.168.1.59
hosts allow = 10.3.163.39 192.168.1.59
[people-repos]
comment = repos.fedorapeople.org content

@ -12,7 +12,7 @@ path = /var/log
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.13 192.168.1.59 10.3.163.39
hosts allow = 10.3.163.39 192.168.1.59
[docs-old]
comment = Old Docs Site
@ -20,7 +20,7 @@ path = /srv/web/docs-old
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[docs]
comment = Docs Site
@ -28,7 +28,7 @@ path = /srv/docs
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[membership-map]
comment = Ambassadors Membership Map
@ -36,7 +36,7 @@ path = /srv/web/membership-map
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[review-stats]
comment = Package Review Stats
@ -44,7 +44,7 @@ path = /srv/web/review-stats
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[gather-easyfix]
comment = Gather easyfix available in Fedora
@ -52,7 +52,7 @@ path = /srv/web/easyfix
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[fedoraproject.org]
comment = fedoraproject.org
@ -60,7 +60,7 @@ path = /srv/web/fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[spins.fedoraproject.org]
comment = spins.fedoraproject.org
@ -68,7 +68,7 @@ path = /srv/web/spins.fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[talk.fedoraproject.org]
comment = talk.fedoraproject.org
@ -76,7 +76,7 @@ path = /srv/web/talk.fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[start.fedoraproject.org]
comment = start.fedoraproject.org
@ -84,7 +84,7 @@ path = /srv/web/start.fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[mirrors.fedoraproject.org]
comment = mirrors.fedoraproject.org
@ -92,7 +92,7 @@ path = /srv/web/mirrors.fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[fedoracommunity.org]
comment = fedoracommunity.org
@ -100,7 +100,7 @@ path = /srv/web/fedoracommunity.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[fudcon.fedoraproject.org]
comment = fudcon.fedoraproject.org
@ -108,7 +108,7 @@ path = /srv/web/fudcon.fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[flocktofedora.org]
comment = flocktofedora.org
@ -116,7 +116,7 @@ path = /srv/web/flocktofedora.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[getfedora.org]
comment = getfedora.org
@ -124,7 +124,7 @@ path = /srv/websites/getfedora.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[labs.fedoraproject.org]
comment = labs.fedoraproject.org
@ -132,7 +132,7 @@ path = /srv/web/labs.fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[budget.fedoraproject.org]
comment = budget.fedoraproject.org
@ -140,7 +140,7 @@ path = /srv/web/budget.fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[arm.fedoraproject.org]
comment = arm.fedoraproject.org
@ -148,7 +148,7 @@ path = /srv/web/arm.fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[iot.fedoraproject.org]
comment = iot.fedoraproject.org
@ -156,7 +156,7 @@ path = /srv/web/iot.fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[developer.fedoraproject.org]
comment = developer.fedoraproject.org
@ -164,7 +164,7 @@ path = /srv/web/developer.fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[codecs.fedoraproject.org]
comment = codecs.fedoraproject.org
@ -172,7 +172,7 @@ path = /srv/web/codecs.fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[alt.fedoraproject.org]
comment = alt.fedoraproject.org
@ -180,7 +180,7 @@ path = /srv/web/alt.fedoraproject.org
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[fmw]
comment = fmw
@ -188,7 +188,7 @@ path = /srv/web/fmw
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[registry-signatures]
comment = registry-signatures
@ -196,7 +196,7 @@ path = /srv/web/registry-signatures
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[registry-index]
comment = registry-index
@ -204,7 +204,7 @@ path = /var/lib/reg-server/static/
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[regindexer]
comment = regindexer
@ -212,7 +212,7 @@ path = /var/lib/regindexer/
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
[docs-redirects]
comment = Docs Site Redirects
@ -220,4 +220,4 @@ path = /srv/web/docs-redirects
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0
hosts allow = 10.3.160.0/255.255.224.0
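Review bot: Every content module in this section loses `192.168.0.0/255.255.0.0` along with the two 10.5.x ranges, which goes beyond the log01 change the commit title describes, while the `/var/log` module in the first hunk keeps `192.168.1.59`. If any client pulls these modules from a 192.168.x address it will be refused after this change, so that removal should be confirmed as intended and mentioned in the commit message. The remaining `hosts allow = 10.3.160.0/255.255.224.0` is a /19 (10.3.160.0 through 10.3.191.255) and is the only access control visible on these modules, all of which run with `uid = root`; it is worth checking that no network that should be kept out falls inside that range. The identical line is repeated in each module; rsyncd.conf accepts module parameters in the global section as defaults, so setting `hosts allow` once there and overriding it only for the `/var/log` module would reduce the next address change to a single line.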

@ -172,5 +172,5 @@ refuse options = checksum
uid = root
gid = root
read only = yes
hosts allow = 10.5.126.13
hosts allow = 10.3.163.39
list = no