
User:Razzi/firewall audit

From Wikitech

Instructions

For all the removed IPs, check if the host still exists; in most cases it's just that the host is gone and the ACL never got updated.

For the port changes, check that the new set at least includes the old one, and isn't too broad.

For added IPs:

- some of them seem straightforward: new AQS hosts in the AQS group, new puppet masters in the puppet group
- some are less straightforward: logstash hosts in the kafka term. I guess it makes sense if it's there, but worth checking if it's OK for them to be there
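The three checks above can be run mechanically over the compare output before the manual pass. The script below is an added example, not part of Razzi's page or of any Wikimedia tooling; it assumes the Junos `show | compare` layout seen on this page (a `[edit ... term X from ...]` header, `/* host */` comments, `prefix;` and `destination-port` lines prefixed with `+`/`-`), runs on a short constructed diff built from a few of the page's own entries, and `max_growth` is an assumed threshold for "too broad". It also generalises instruction 1 slightly: a host whose `/32` is removed but which still appears in an added `/31` comment is treated as aggregated, not removed.

```python
"""Audit helper for a Junos 'show | compare' firewall diff (added example, not from the page)."""
import re
from collections import defaultdict

# Constructed sample in the layout shown on the page, using a handful of its entries.
SAMPLE_DIFF = """\
[edit firewall family inet filter analytics-in4 term puppet from destination-address]
+        /* puppetmaster1003 */
+        10.64.16.36/32;
         10.64.16.73/32 { ... }
[edit firewall family inet filter analytics-in4 term graphite from destination-address]
-        /* graphite1001 */
-        10.64.32.155/32;
[edit firewall family inet filter analytics-in4 term mysql-dbstore from]
-       destination-port [ 3311-3318 3320 3350 ];
+       destination-port [ 3311-3320 3350 ];
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
+        /* logstash1020 */
+        10.64.0.11/32;
+        /* logstash2033, kafka-main2001 */
+        10.192.0.16/31;
-        /* kafka-main2001 */
-        10.192.0.17/32;
"""

EDIT_RE = re.compile(r"^\[edit .*\bterm (\S+) from(?: \S+)?\]$")
COMMENT_RE = re.compile(r"^/\*\s*(.*?)\s*\*/$")
PREFIX_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2});$")
PORT_RE = re.compile(r"^destination-port\s+(?:\[\s*(.*?)\s*\]|(\S+));$")


def expand_ports(spec):
    """'3311-3318 3320 3350' -> set of every port number it names."""
    ports = set()
    for token in spec.split():
        low, _, high = token.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def parse_diff(text):
    """Walk the compare output, remembering which term each hunk belongs to.

    Returns (addresses, ports): addresses is a list of dicts with term, action
    ('+' or '-'), prefix and the host names from the preceding comment; ports maps
    term -> {'-': old port set, '+': new port set}.
    """
    addresses, ports = [], defaultdict(dict)
    term, pending_hosts = None, []
    for raw in text.splitlines():
        header = EDIT_RE.match(raw)
        if header:
            term, pending_hosts = header.group(1), []
            continue
        if not raw or raw[0] not in "+-":
            pending_hosts = []          # context or '!' line: drop any dangling comment
            continue
        action, body = raw[0], raw[1:].strip()
        if (m := COMMENT_RE.match(body)):
            pending_hosts = [h.strip() for h in m.group(1).split(",")]
        elif (m := PREFIX_RE.match(body)):
            addresses.append({"term": term, "action": action,
                              "prefix": m.group(1), "hosts": pending_hosts})
            pending_hosts = []
        elif (m := PORT_RE.match(body)):
            ports[term][action] = expand_ports(m.group(1) or m.group(2))
    return addresses, dict(ports)


def audit_ports(ports, max_growth=8):
    """Instruction 2: the new set must contain the old one and must not grow much.
    max_growth is an assumed threshold for 'too broad'."""
    findings = {}
    for term, change in ports.items():
        old, new = change.get("-", set()), change.get("+", set())
        dropped, added = sorted(old - new), sorted(new - old)
        findings[term] = {"added": added, "dropped": dropped,
                          "ok": not dropped and len(added) <= max_growth}
    return findings


def removed_hosts(addresses):
    """Instruction 1: hosts behind removed prefixes, to confirm as decommissioned.
    A host still named in some '+' comment (e.g. folded into a /31) is not reported."""
    still_added = {h for a in addresses if a["action"] == "+" for h in a["hosts"]}
    removed = {}
    for a in addresses:
        if a["action"] == "-":
            for host in a["hosts"]:
                if host not in still_added:
                    removed.setdefault(host, set()).add(a["term"])
    return removed


def stem(name):
    """'logstash1020' -> 'logstash', 'kafka-main2001' -> 'kafka', 'mysql-dbstore' -> 'mysql'."""
    return re.split(r"[-\d]", name, maxsplit=1)[0]


def review_additions(addresses):
    """Instruction 3: added hosts whose name does not match the term they land in
    (the page's logstash-in-kafka case); these are for a human to justify, not to reject."""
    return [(a["term"], host, a["prefix"])
            for a in addresses if a["action"] == "+"
            for host in a["hosts"]
            if not stem(host).startswith(stem(a["term"]))]


def run_audit(text):
    """Run all three checks and return one report dict."""
    addresses, ports = parse_diff(text)
    return {"ports": audit_ports(ports),
            "removed_hosts": removed_hosts(addresses),
            "review_additions": review_additions(addresses)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(run_audit(SAMPLE_DIFF))
```

Feed it the real compare output (`python3 audit.py < compare.txt` after swapping `SAMPLE_DIFF` for `sys.stdin.read()`) and the report gives the host list to check against decommissioning records, the exact ports opened per term, and the added entries whose hostname does not match the term name, which is the list to take to the owning team.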

[edit firewall family inet filter analytics-in4 term puppet from destination-address]
+        /* puppetmaster1003 */
+        10.64.16.36/32;
         10.64.16.73/32 { ... }

OK, this is an IP address being added.
It's the IP address for puppetmaster1003, looks legit.

[edit firewall family inet filter analytics-in4 term puppet from destination-address]
         10.192.0.27/32 { ... }
+        /* puppetmaster2003 */
+        10.192.16.151/32;

also legit

+        /* puppetmaster2002 */
+        10.192.48.66/32;

legit

[edit firewall family inet filter analytics-in4 term apt from destination-address]
!        208.80.153.42/32 { ... }
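
Review bot: the `!` marker on 208.80.153.42/32 under term apt indicates a change inside that entry's own block, which the elided `{ ... }` output does not show; expand that entry (or run the compare for the apt term without elision) before signing off, since nothing in this hunk says whether it is a comment edit or a change to what the entry matches.
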
[edit firewall family inet filter analytics-in4 term webproxy from destination-address]
+        /* install3001 */
+        91.198.174.63/32;
good

+        /* install5001 */
+        103.102.166.13/32;
+        /* install4001 */
+        198.35.26.12/32;
         208.80.153.51/32 { ... }
[edit firewall family inet filter analytics-in4 term tftp from destination-address]
+        /* install3001 */
+        91.198.174.63/32;

ok

+        /* install5001 */
+        103.102.166.13/32;

ok
+        /* install4001 */
+        198.35.26.12/32;
ok

Now some are being removed
         208.80.153.51/32 { ... }
[edit firewall family inet filter analytics-in4 term graphite from destination-address]
-        /* graphite1001 */
-        10.64.32.155/32;
-        /* graphite2001 */
-        10.192.16.33/32;
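
Review bot: both lines here are removals, so per the instructions at the top confirm graphite1001 (10.64.32.155) and graphite2001 (10.192.16.33) are actually decommissioned rather than just missing from whatever generated the ACL. The same two prefixes are dropped from the statsd term in the next hunk, so one answer covers both, but if the hosts still exist the analytics hosts lose their graphite and statsd path in a single commit.
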
[edit firewall family inet filter analytics-in4 term statsd from destination-address]
-        /* graphite1001 */
-        10.64.32.155/32;
-        /* graphite2001 */
-        10.192.16.33/32;
Yeah, these were removed.
[edit firewall family inet filter analytics-in4 term mysql-dbstore from]
-       destination-port [ 3311-3318 3320 3350 ];
+       destination-port [ 3311-3320 3350 ];
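
Review bot: the new list [ 3311-3320 3350 ] is a superset of the old [ 3311-3318 3320 3350 ]; the only port opened is 3319, nothing is dropped, and the value is still an explicit list rather than a wide range, so this passes the "includes the old set and isn't too broad" check from the instructions.
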
OK, 3319 was added here.
New section 9, I guess.
[edit firewall family inet filter analytics-in4 term mysql-sqoop from]
-       destination-port 3311-3318;
+       destination-port 3311-3320;
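
Review bot: unlike the mysql-dbstore term, this one opens two ports, 3319 and 3320 (the old value was 3311-3318 with no 3320), so it is a little wider than "one new section"; confirm sqoop needs 3320 here. It is still a superset of the old set and a narrow range, so it passes the broadness check either way.
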
ok
[edit firewall family inet filter analytics-in4 term ssh from destination-address]
-        /* dubnium */
-        208.80.154.13/32;
-        /* aluminium, cobalt */
-        208.80.154.80/31;
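
Review bot: 208.80.154.80/31 covers two addresses (.80 and .81, for aluminium and cobalt) on top of dubnium at 208.80.154.13; all three are removals, so check that the hosts are gone. The same three are removed from rsync-http-https in the next hunk, which is consistent with decommissioning rather than a partial edit.
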
[edit firewall family inet filter analytics-in4 term rsync-http-https from destination-address]
-        /* dubnium */
-        208.80.154.13/32;
-        /* aluminium, cobalt */
-        208.80.154.80/31;
some removed hosts

[edit firewall family inet filter analytics-in4 term kafka from destination-address]
+        /* logstash1020 */
+        10.64.0.11/32;
+        /* logstash1007 */
+        10.64.0.37/32;
+        /* logstash1033 */
+        10.64.0.87/32;
+        /* logstash1008 */
+        10.64.0.90/32;
         10.64.0.175/32 { ... }
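
Review bot: the term is kafka but the four hosts added here are logstash hosts, which is exactly the case the instructions single out; before accepting, record why logstash hosts need to be reachable from analytics on this term's ports (the hunk gives addresses but no justification), and note that the same pattern repeats through every kafka hunk that follows, so one justification should cover the whole set.
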
         
these are good
         
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.0.181/32 { ... }
+        /* logstash1023 */
+        10.64.0.183/32;
+        /* logstash1024 */
+        10.64.0.184/32;
+        /* logstash1026 */
+        10.64.0.197/32;
         10.64.0.200/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.16.37/32 { ... }
+        /* logstash1021 */
+        10.64.16.41/32;
         10.64.16.99/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.16.99/32 { ... }
+        /* logstash1032 */
+        10.64.16.143/32;
+        /* logstash1027 */
+        10.64.16.169/32;
+        /* logstash1009 */
+        10.64.32.27/32;
         10.64.32.90/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.32.90/32 { ... }
+        /* logstash1025 */
+        10.64.32.96/32;
+        /* logstash1028 */
+        10.64.32.104/32;
         10.64.32.106/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.32.106/32 { ... }
+        /* logstash1034 */
+        10.64.32.112/32;
+        /* logstash1022 */
+        10.64.32.127/32;
         10.64.32.159/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.32.160/32 { ... }
+        /* logstash1030 */
+        10.64.48.22/32;
+        /* logstash1031 */
+        10.64.48.25/32;
+        /* kafka-main1004, kafka-main1005 */
+        10.64.48.30/31;
+        /* logstash1035 */
+        10.64.48.60/32;
         10.64.48.117/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.48.117/32 { ... }
+        /* logstash1029, kafka-jumbo1008 */
+        10.64.48.120/31;
         10.64.48.140/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.64.48.177/32 { ... }
+        /* logstash2033, kafka-main2001 */
+        10.192.0.16/31;
+        /* logstash2004 */
+        10.192.0.111/32;
+        /* logstash2001 */
+        10.192.0.112/32;
+        /* logstash2020 */
+        10.192.0.139/32;
+        /* logstash2023 */
+        10.192.0.153/32;
+        /* logstash2026 */
+        10.192.0.159/32;
         10.192.16.8/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.192.16.8/32 { ... }
+        /* logstash2034 */
+        10.192.16.30/32;
+        /* logstash2005, logstash2006 */
+        10.192.16.92/31;
+        /* logstash2024 */
+        10.192.16.145/32;
+        /* logstash2025 */
+        10.192.16.146/32;
+        /* logstash2027 */
+        10.192.16.150/32;
+        /* logstash2021 */
+        10.192.16.169/32;
+        /* logstash2035 */
+        10.192.32.28/32;
         10.192.32.136/32 { ... }
[edit firewall family inet filter analytics-in4 term kafka from destination-address]
         10.192.32.136/32 { ... }
+        /* logstash2022 */
+        10.192.32.150/32;
+        /* logstash2002 */
+        10.192.32.180/32;
+        /* logstash2028 */
+        10.192.32.189/32;
+        /* kafka-main2004 */
+        10.192.48.38/32;
+        /* kafka-main2005 */
+        10.192.48.46/32;
+        /* logstash2003 */
+        10.192.48.131/32;
+        /* logstash2030 */
+        10.192.48.136/32;
+        /* logstash2029 */
+        10.192.48.140/32;
+        /* logstash2031 */
+        10.192.48.158/32;
-        /* kafka-main2001 */
-        10.192.0.17/32;
-        /* kafka-jumbo1008 */
-        10.64.48.121/32;
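
Review bot: the two removals at the end of this hunk (kafka-main2001 at 10.192.0.17/32 and kafka-jumbo1008 at 10.64.48.121/32) are not host removals: earlier kafka hunks add 10.192.0.16/31 labelled "logstash2033, kafka-main2001" and 10.64.48.120/31 labelled "logstash1029, kafka-jumbo1008", which still cover .17 and .121. So the host-exists check does not apply to them, but it shows the generator folding adjacent hosts into /31s, which means any future host given the neighbouring address inherits this term's access; worth confirming that is acceptable for this filter.
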
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
+        /* backup1003 */
+        10.64.16.107/32;
+        /* backup1002 */
+        10.64.32.107/32;
         10.64.48.36/32 { ... }
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
         10.64.48.36/32 { ... }
+        /* backup2002 */
+        10.192.0.190/32;
+        /* backup2003 */
+        10.192.32.35/32;
         10.192.48.116/32 { ... }
[edit firewall family inet filter analytics-in4 term bacula from destination-address]
-        /* helium */
-        10.64.0.179/32;
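
Review bot: helium (10.64.0.179) is removed while backup1002/backup1003 and backup2002/backup2003 are added in the two preceding bacula hunks, which reads like a replacement; still confirm helium is decommissioned rather than renamed, since otherwise the term loses an existing bacula destination.
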
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
+        /* aqs1010 */
+        10.64.0.40/32;
+        /* aqs1010 */
+        10.64.0.88/32;
         10.64.0.107/32 { ... }
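
Review bot: aqs1010 appears with two different /32s here (10.64.0.40 and 10.64.0.88) and a third in the next hunk (10.64.0.120), and aqs1011, aqs1012 and aqs1013 follow the same pattern later; check that each address really belongs to that host (several addresses per host is plausible, but a repeated comment can also be a copy-paste in the generator's host data) before accepting.
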
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
         10.64.0.107/32 { ... }
+        /* aqs1010 */
+        10.64.0.120/32;
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
         10.64.16.78/32 { ... }
+        /* aqs1011 */
+        10.64.16.201/32;
+        /* aqs1011 */
+        10.64.16.204/32;
+        /* aqs1011 */
+        10.64.16.206/32;
+        /* aqs1012 */
+        10.64.32.16/32;
+        /* aqs1012 */
+        10.64.32.128/32;
+        /* aqs1013 */
+        10.64.32.136/32;
         10.64.32.138/32 { ... }
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
         10.64.32.138/32 { ... }
+        /* aqs1012 */
+        10.64.32.145/32;
+        /* aqs1013 */
+        10.64.32.146/31;
[edit firewall family inet filter analytics-in4 term aqs from destination-address]
         10.64.32.190/32 { ... }
+        /* aqs1014, aqs1015 */
+        10.64.48.62/31;
+        /* aqs1014 */
+        10.64.48.65/32;
+        /* aqs1014 */
+        10.64.48.67/32;
+        /* aqs1015 */
+        10.64.48.68/31;
         10.64.48.119/32 { ... }
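
Review bot: 10.64.48.68/31 is labelled only "aqs1015" but covers both .68 and .69, whereas the other /31 in this hunk (10.64.48.62/31) names both hosts it covers; confirm .69 is also aqs1015 (or a deliberately unused neighbour), otherwise an unintended address is being permitted.
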
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.64.0.17/32 { ... }
+        /* wdqs1006 */
+        10.64.0.109/32;
+        /* wdqs1011 */
+        10.64.0.203/32;
+        /* wdqs1007 */
+        10.64.16.10/32;
+        /* wdqs1009 */
+        10.64.16.15/32;
+        /* wdqs1012 */
+        10.64.16.170/32;
+        /* wdqs1010 */
+        10.64.32.63/32;
+        /* wdqs1013 */
+        10.64.32.105/32;
+        /* wdqs1008 */
+        10.64.48.24/32;
         10.64.48.46/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.64.48.46/32 { ... }
+        /* wdqs2004 */
+        10.192.0.20/32;
         10.192.0.29/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.192.0.29/32 { ... }
+        /* wdqs2005 */
+        10.192.16.4/32;
+        /* wdqs2007 */
+        10.192.16.156/32;
         10.192.32.148/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.192.32.148/32 { ... }
+        /* wdqs2008 */
+        10.192.32.194/32;
         10.192.48.65/32 { ... }
[edit firewall family inet filter analytics-in4 term wdqs from destination-address]
         10.192.48.65/32 { ... }
+        /* wdqs2006 */
+        10.192.48.92/32;
[edit firewall family inet filter analytics-in4 term druid from destination-address]
         10.64.0.35/32 { ... }
+        /* druid1001 */
+        10.64.5.101/32;
         10.64.16.171/32 { ... }
[edit firewall family inet filter analytics-in4 term druid from destination-address]
         10.64.16.172/32 { ... }
+        /* druid1002 */
+        10.64.36.102/32;
         10.64.48.171/32 { ... }
[edit firewall family inet filter analytics-in4 term druid from destination-address]
         10.64.48.227/32 { ... }
+        /* druid1003 */
+        10.64.53.103/32;
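
Review bot: the three new druid addresses (10.64.5.101, 10.64.36.102, 10.64.53.103) are in different /24s from the 10.64.0.x, 10.64.16.x and 10.64.48.x context entries around them; confirm they are real interface addresses of druid1001-1003 and not typos, since an address in an unexpected range is exactly the kind of entry the instructions want eyeballed.
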
[edit firewall family inet filter analytics-in4 term syslog from destination-address]
-        /* lithium */
-        10.64.32.154/32;
[edit firewall family inet filter analytics-in4 term syslog-tls from destination-address]
-        /* lithium */
-        10.64.32.154/32;
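
Review bot: lithium (10.64.32.154) is removed from both syslog and syslog-tls and no replacement address is added to either term in this diff; confirm lithium is gone and that the destination the analytics hosts actually ship syslog to is still in the unchanged part of the term, otherwise logs silently stop leaving after the commit.
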
[edit firewall family inet filter analytics-in4 term scap from destination-address]
-        /* deploy1001 */
-        10.64.32.16/32;
-        /* deploy2001 */
-        10.192.32.24/32;
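
Review bot: deploy1001 and deploy2001 are removed from scap with no additions in the term; confirm the replacement deployment hosts are already present in the unchanged part of the term (not shown here), or scap deploys to the analytics hosts will fail after the commit.
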
[edit firewall family inet filter analytics-in4 term kerberos from destination-address]
-        /* kerberos1001 */
-        10.64.0.182/32;
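
Review bot: kerberos1001 (10.64.0.182) is removed and nothing is added, and the hunk shows no remaining context entries for the kerberos term; same check as for scap and syslog: confirm the host is decommissioned and that the kerberos destination the analytics hosts use is still permitted elsewhere in the term.
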