[SAC] [OSGeo] #1255: Peer1 Firewall Configuration

#1255: Peer1 Firewall Configuration
---------------------------+------------------------------------------------
 Reporter:  warmerdam       |      Owner:  sac@…
     Type:  defect          |     Status:  new
 Priority:  major           |  Milestone:
Component:  Systems Admin   |   Keywords:
---------------------------+------------------------------------------------
Currently I (and presumably others) are unable to ssh to osgeo1
(www.osgeo.org).

In a set of emails to selected SAC members (at least Frank and Arnulf?)
Peer1 has indicated over the last couple days that our firewall hardware
failed, and was replaced. The email thread had a title like:
{{{
[peer1.com #1358065] [5777727][1278743 :: osgeo.org] Peer 1 Monitoring Alert
}}}

It seems there was no record (!) of our old firewall rules, and so the
following rules were put in place:

{{{
set policy id 1 from "Untrust" to "Trust" "Peer1 Support" "66.223.95.240/28-Net" "ANY" permit
set policy id 1
set policy id 0 from "Trust" to "Untrust" "66.223.95.240/28-Net" "Any" "ANY" permit
set policy id 0
set policy id 2 from "Untrust" to "Trust" "NMS" "66.223.95.240/28-Net" "NMS service" permit
set policy id 2
set policy id 3 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "Tivoli Backup" permit
set policy id 3
set policy id 20 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "HTTP" permit
set policy id 20
set policy id 21 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "HTTPS" permit
set policy id 21
set policy id 22 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "FTP" permit
set policy id 22
}}}

I presume this is disallowing ssh traffic.

This firewall configuration may be related to #1254 as well.

--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/1255>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.


Comment(by warmerdam):

I have sent the following email to Peer1 support a couple minutes ago.

"""
Sam,

I am not familiar with the syntax of the firewall policies above. What I
have just realized is that I (we) are no longer able to ssh into this box.
In the past the box was accepting ssh connections from anywhere in the
world for those with accounts. We need this to administer the box.

PRIORITY NEED: Adjust firewall so we can ssh to the box!

We are also seeing odd behaviors related to http virtual hosts being
remapped, but I don't know if that might be related to changes in the
firewall or not.

To be honest I didn't know we had some sort of hardware firewall.

Best regards,
Frank
"""

--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/1255#comment:1>

#1255: Peer1 Firewall Configuration
---------------------------+------------------------------------------------
 Reporter:  warmerdam       |      Owner:  sac@…
     Type:  defect          |     Status:  closed
 Priority:  major           |  Milestone:
Component:  Systems Admin   | Resolution:  fixed
 Keywords:                  |
---------------------------+------------------------------------------------
Changes (by warmerdam):

  * status: new => closed
  * resolution: => fixed

Comment:

Hello Frank,

I have opened up SSH traffic for the firewall. To be specific, the
following changes have been made:

Policy Number: 23
Source: Any
Destination: 66.223.95.240/28
Service: SSH
Action: Permit

Can you please verify if you have access to your server?

Thanks and Best Regards,

Shuji Miyamoto
Network Systems Engineer
PEER 1 Hosting NOC

...
/me confirms access.

--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/1255#comment:2>
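The ruleset quoted in the ticket description and the policy 23 fix from comment:2, as an added audit example that is not part of the ticket or of Peer1's tooling: it parses ScreenOS-style `set policy` lines, lists which services the rebuilt firewall permits inbound to the server block, and reports expected administrative services (here SSH) that no rule covers. The one-line form of policy 23 is an assumption, since the NOC only listed its fields.

```python
# Added example (not from the ticket or Peer1): audit ScreenOS-style
# "set policy" lines for missing inbound permits toward the server block.
import re

# Rule lines as quoted in the ticket (constructed sample input; the bare
# "set policy id N" terminator lines are omitted as they carry no fields).
ORIGINAL_RULES = """
set policy id 1 from "Untrust" to "Trust" "Peer1 Support" "66.223.95.240/28-Net" "ANY" permit
set policy id 0 from "Trust" to "Untrust" "66.223.95.240/28-Net" "Any" "ANY" permit
set policy id 2 from "Untrust" to "Trust" "NMS" "66.223.95.240/28-Net" "NMS service" permit
set policy id 3 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "Tivoli Backup" permit
set policy id 20 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "HTTP" permit
set policy id 21 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "HTTPS" permit
set policy id 22 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "FTP" permit
"""

# Policy 23 from comment:2, rendered in the same syntax (assumed form).
SSH_FIX = 'set policy id 23 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "SSH" permit\n'

POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+) from "(?P<from>[^"]+)" to "(?P<to>[^"]+)" '
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" (?P<action>permit|deny)$'
)

def parse_policies(text):
    """Return one dict per full 'set policy id N from ...' line."""
    policies = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            policies.append(d)
    return policies

def inbound_services(policies, dst="66.223.95.240/28-Net"):
    """Services permitted Untrust -> Trust from any source toward dst."""
    return {p["svc"] for p in policies
            if p["from"] == "Untrust" and p["to"] == "Trust"
            and p["src"] == "Any" and p["dst"] == dst and p["action"] == "permit"}

def missing_services(policies, expected):
    """Expected inbound services that no permit rule covers, sorted."""
    return sorted(set(expected) - inbound_services(policies))

if __name__ == "__main__":
    wanted = ["HTTP", "HTTPS", "SSH"]
    print("missing before fix:", missing_services(parse_policies(ORIGINAL_RULES), wanted))
    print("missing after fix: ", missing_services(parse_policies(ORIGINAL_RULES + SSH_FIX), wanted))
```

Keeping a copy of the ruleset in version control and running a check like this after any provider-side change would have caught the dropped SSH permit immediately.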