Most of our vpn hosts are on a 192.168.1.0/24 network.
However, we have a small number on a 'less secure', 'less trusted' subnet:
192.168.100.0/24. This change adds in logic to:
* on log01, allow rsyslog from 192.168.100.x hosts
* on ipa servers, allow ipa ports for 192.168.100.x hosts
* then reject everything else.
This will make sure 192.168.100.x hosts can only hit ssh and the two
above items, otherwise all vpn hosts will reject their traffic. This
should add a bit of security to having those hosts on the vpn.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Note that this will not yet work; it needs the RHIT firewall between
VLANs opened on these ports first, but after that this is needed to
allow them to use those ports.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
In IAD2 the prod and stg hosts are on different VLANs, so we thought we
didn't need this. However, we are still seeing some odd mixing of prod
and stg fedmsgs, so likely some fedmsg port has become enabled across
all the VLANs. In any case this should do no harm; it just adds 2
subnets on all prod hosts to block staging, except for a small number of
staging_friendly hosts (in the staging_friendly ansible group).
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
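The two firewall changes above (allow a few ports from the less-trusted 192.168.100.0/24 subnet and then reject the rest; reject the staging subnets on prod hosts unless the host is staging_friendly) both depend on first-match ordering in the INPUT chain. The following is an added example, not code from the Fedora infrastructure ansible repository: it models each host's chain, evaluates test packets against it, renders the equivalent iptables lines, and flags rules that can never match because an earlier rule already covers them. The staging subnet addresses and the IPA port list are assumptions; rsyslog on 514/tcp and the 192.168.100.0/24 subnet come from the commit messages.

```python
import ipaddress

# A chain is a list of (source network, destination tcp port or None for any, action),
# evaluated first-match like an iptables INPUT chain; `default` stands in for the chain policy.
LESS_TRUSTED = "192.168.100.0/24"                       # subnet named in the commit message
STAGING_SUBNETS = ["10.3.166.0/24", "10.3.167.0/24"]    # constructed placeholders, not the real stg ranges
IPA_PORTS = (88, 389, 443, 636)                         # assumed IPA ports; the playbook's list may differ


def first_match(chain, src_ip, dport, default="ACCEPT"):
    """Return the action of the first rule matching (src_ip, dport), or the chain policy."""
    ip = ipaddress.ip_address(src_ip)
    for net, port, action in chain:
        if ip in ipaddress.ip_network(net) and (port is None or port == dport):
            return action
    return default


def vpn_chain(role, staging_friendly=False):
    """Constructed approximation of the INPUT chain a vpn host of the given role would receive."""
    chain = []
    if role == "log01":
        chain.append((LESS_TRUSTED, 514, "ACCEPT"))           # rsyslog from the less-trusted subnet
    elif role == "ipa":
        chain.extend((LESS_TRUSTED, p, "ACCEPT") for p in IPA_PORTS)
    chain.append((LESS_TRUSTED, 22, "ACCEPT"))                 # ssh stays reachable per the commit message
    chain.append((LESS_TRUSTED, None, "REJECT"))               # everything else from that subnet
    if role == "prod" and not staging_friendly:
        chain.extend((net, None, "REJECT") for net in STAGING_SUBNETS)
    return chain


def render_iptables(chain):
    """Render the chain as iptables-restore style lines (tcp assumed for port-specific rules)."""
    lines = []
    for net, port, action in chain:
        parts = ["-A INPUT", "-s", net]
        if port is not None:
            parts += ["-p tcp --dport", str(port)]
        parts += ["-j", action]
        lines.append(" ".join(parts))
    return lines


def shadowed_rules(chain):
    """Return rules that can never match because an earlier rule already covers their traffic.

    Catching this is the practical check for these changes: an ACCEPT placed after the
    subnet-wide REJECT silently does nothing, and the host looks 'locked down' until log01
    stops receiving syslog.
    """
    dead = []
    for i, (net, port, action) in enumerate(chain):
        this = ipaddress.ip_network(net)
        for e_net, e_port, _ in chain[:i]:
            if this.subnet_of(ipaddress.ip_network(e_net)) and (e_port is None or e_port == port):
                dead.append((net, port, action))
                break
    return dead


if __name__ == "__main__":
    for role in ("log01", "ipa", "generic", "prod"):
        print(f"# {role}")
        for line in render_iptables(vpn_chain(role)):
            print(line)
        print("shadowed:", shadowed_rules(vpn_chain(role)))
```

Running it prints one rendered chain per role; swapping the REJECT ahead of the ACCEPTs in `vpn_chain` makes `shadowed_rules` report the dead ACCEPT lines, which is the mistake the ordering in the commit messages is designed to avoid.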
Moving the local to s390x cache from 07 (a zvm instance) to 24 (a kvm
instance) needs to adjust the firewalls for those builders to know that
they can use port 80 on the new one. After that we will update dns to
point it to the new location.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Actually it's only the varnish caching host that needs to talk to them
at this point, but might as well allow it on any of them in case we
switch how the caching works there or the like.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We no longer need this, as it was put in place when taskotron was going
to run user-provided tests. Since the only thing left in 'qa' is openqa and it
only tests fedora images/updates and is still also in its own VLAN, we
no longer need to reject things in qa from the rest of their same VLAN.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Since we no longer have any machines in phx2, I have tried to remove
them from ansible. Note that there are still some places where we need
to remove them: nagios, dhcp, named were not touched, and in cases
where it wasn't pretty clear what a conditional was doing I left it to
be cleaned up later.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need to add this for s390x machines so they can talk to and be
managed by iad2 stuff. phx2 builders should not be affected, and
s390 builders only get the new rules added, so they should keep working
with phx2. We will need to clean this up after the move and remove all
the phx2 stuff.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Put all the rules in the kojibuilder file so we can just nuke the phx2
part later and not have to move groups around, etc.
Also, nuke the old unused bkernel network template.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Since we set this up, @puiterwijk added a nice `nat_rules` thing
that lets us add NAT rules without forking the iptables template,
and I just set up the `openqa_tap_iface` variable to avoid the
stupid thing where I hardcoded all the possible interface names
for different arches. So let's use those two together FOR GREAT
JUSTICE! Or possibly just to break everything, you know, we'll
find out shortly.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
In ansible 2.8 the - character isn't supposed to be valid in group names.
While we could override this, might as well just bite the bullet and change it.
So, just switch all group names to use _ instead of -.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>