--- manifests/servergroups/proxy.pp | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/manifests/servergroups/proxy.pp b/manifests/servergroups/proxy.pp index bdea7b6..70bbcf4 100644 --- a/manifests/servergroups/proxy.pp +++ b/manifests/servergroups/proxy.pp @@ -741,7 +741,8 @@ class proxy { # Firewall Rules, allow HTTP traffic through $tcpPorts = [ 80, 443, 873, 8080 ] $udpPorts = [] - $custom = [] + $custom = ['-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT', + '-A INPUT -p tcp -m tcp --sport 80 -j DROP']
iptables { "/etc/sysconfig/iptables": content => template("system/iptables-template.conf.erb"),
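Review bot: the added `'-A INPUT -p tcp -m tcp --sport 80 -j DROP'` entry in `$custom` matches every inbound TCP packet whose source port is 80, not only the late packets being rejected. If the template emits `$custom` ahead of a rule that accepts established connections, it would also drop replies to connections the proxy itself opens to port 80. The template's rule order is not visible in this hunk, so confirm that `$custom` is rendered after any state-based accept and before the final reject. The comment above the assignment still reads `# Firewall Rules, allow HTTP traffic through`; a line noting that the DROP is temporary and exists to keep these packets from reaching the reject rule would help whoever reverts it. The `--dport 80 -j ACCEPT` entry also looks redundant with 80 already listed in `$tcpPorts`.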
On 08/24/2009 03:08 PM, Mike McGrath wrote:
manifests/servergroups/proxy.pp | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/manifests/servergroups/proxy.pp b/manifests/servergroups/proxy.pp index bdea7b6..70bbcf4 100644 --- a/manifests/servergroups/proxy.pp +++ b/manifests/servergroups/proxy.pp @@ -741,7 +741,8 @@ class proxy { # Firewall Rules, allow HTTP traffic through $tcpPorts = [ 80, 443, 873, 8080 ] $udpPorts = []
- $custom = []
$custom = ['-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT',
'-A INPUT -p tcp -m tcp --sport 80 -j DROP']
iptables { "/etc/sysconfig/iptables": content => template("system/iptables-template.conf.erb"),
+1
-Toshio
On Mon, Aug 24, 2009 at 4:08 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
manifests/servergroups/proxy.pp | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/manifests/servergroups/proxy.pp b/manifests/servergroups/proxy.pp index bdea7b6..70bbcf4 100644 --- a/manifests/servergroups/proxy.pp +++ b/manifests/servergroups/proxy.pp @@ -741,7 +741,8 @@ class proxy { # Firewall Rules, allow HTTP traffic through $tcpPorts = [ 80, 443, 873, 8080 ] $udpPorts = []
- $custom = []
- $custom = ['-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT',
- '-A INPUT -p tcp -m tcp --sport 80 -j DROP']
iptables { "/etc/sysconfig/iptables": content => template("system/iptables-template.conf.erb"), --
+1 for the meantime.
On Monday 24 August 2009 05:08:37 pm Mike McGrath wrote:
manifests/servergroups/proxy.pp | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/manifests/servergroups/proxy.pp b/manifests/servergroups/proxy.pp index bdea7b6..70bbcf4 100644 --- a/manifests/servergroups/proxy.pp +++ b/manifests/servergroups/proxy.pp @@ -741,7 +741,8 @@ class proxy { # Firewall Rules, allow HTTP traffic through $tcpPorts = [ 80, 443, 873, 8080 ] $udpPorts = []
- $custom = []
$custom = ['-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT',
'-A INPUT -p tcp -m tcp --sport 80 -j DROP']
iptables { "/etc/sysconfig/iptables": content => template("system/iptables-template.conf.erb"),
+1
Dennis
On Mon, 24 Aug 2009, Dennis Gilmore wrote:
On Monday 24 August 2009 05:08:37 pm Mike McGrath wrote:
manifests/servergroups/proxy.pp | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/manifests/servergroups/proxy.pp b/manifests/servergroups/proxy.pp index bdea7b6..70bbcf4 100644 --- a/manifests/servergroups/proxy.pp +++ b/manifests/servergroups/proxy.pp @@ -741,7 +741,8 @@ class proxy { # Firewall Rules, allow HTTP traffic through $tcpPorts = [ 80, 443, 873, 8080 ] $udpPorts = []
- $custom = []
$custom = ['-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT',
'-A INPUT -p tcp -m tcp --sport 80 -j DROP']
iptables { "/etc/sysconfig/iptables": content => template("system/iptables-template.conf.erb"),
+1
Just so people are aware of this rather strange change. We have an explicit reject at the bottom of our iptables scripts. We're seeing some LAST_ACKs getting denied by the proxy servers' iptables rules, generating this traffic.
The network team requested we get rid of these ICMP messages so I have the iptables rules explicitly drop the messages before they get to the reject rule. This is a temporary change.
-Mike
infrastructure@lists.fedoraproject.org