Opened 11 years ago
Closed 11 years ago
#1255 closed defect (fixed)
Peer1 Firewall Configuration
Reported by: | warmerdam | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | SysAdmin | Keywords: | |
Cc: |
Description
Currently I (and presumably others) are unable to ssh to osgeo1 (www.osgeo.org).
In a set of emails to selected SAC members (at least Frank and Arnulf?) Peer1 has indicated over the last couple days that our firewall hardware failed, and was replaced. The email thread had a title like:
[peer1.com #1358065] [5777727][1278743 :: osgeo.org] Peer 1 Monitoring Alert
It seems there was no record (!) of our old firewall rules, and so the following rules were put in place:
set policy id 1 from "Untrust" to "Trust" "Peer1 Support" "66.223.95.240/28-Net" "ANY" permit
set policy id 1
set policy id 0 from "Trust" to "Untrust" "66.223.95.240/28-Net" "Any" "ANY" permit
set policy id 0
set policy id 2 from "Untrust" to "Trust" "NMS" "66.223.95.240/28-Net" "NMS service" permit
set policy id 2
set policy id 3 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "Tivoli Backup" permit
set policy id 3
set policy id 20 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "HTTP" permit
set policy id 20
set policy id 21 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "HTTPS" permit
set policy id 21
set policy id 22 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "FTP" permit
set policy id 22
I presume this is disallowing ssh traffic.
This firewall configuration may be related to #1254 as well.
Change History (2)
comment:1 by , 11 years ago
comment:2 by , 11 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Hello Frank,
I have opened up SSH traffic for the firewall. To be specific the following changes have been made
Policy Number: 23
Source: Any
Destination: 66.223.95.240/28
Service: SSH
Action: Permit
Can you please verify if you have access to your server?
Thanks and Best Regards,
Shuji Miyamoto
Network Systems Engineer
PEER 1 Hosting NOC
... /me confirms access.
I have sent the following email to Peer1 support a couple minutes ago.
""" Sam,
I am not familiar with the syntax of the firewall policies above. What I have just realized is that I (we) are no longer able to ssh into this box. In the past the box was accepting ssh connections from anywhere in the world for those with accounts. We need this to administer the box.
PRIORITY NEED: Adjust firewall so we can ssh to the box!
We are also seeing odd behaviors related to http virtual hosts being remapped, but I don't know if that might be related to changes in the firewall or not.
To be honest I didn't know we had some sort of hardware firewall.
Best regards, Frank """
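An added example, not part of the original ticket or of Peer1's tooling: it parses the policy lines quoted in the description and checks which inbound services an arbitrary Internet host can reach, before and after policy 23. It assumes first-match evaluation with deny as the default action, and the `SSH_FIX` line is constructed from the fields in Peer1's reply using the address name from the other rules.

```python
import shlex

# Rules as quoted in the ticket description (context-only "set policy id N"
# lines omitted, they carry no match criteria).
TICKET_RULES = '''
set policy id 1 from "Untrust" to "Trust" "Peer1 Support" "66.223.95.240/28-Net" "ANY" permit
set policy id 0 from "Trust" to "Untrust" "66.223.95.240/28-Net" "Any" "ANY" permit
set policy id 2 from "Untrust" to "Trust" "NMS" "66.223.95.240/28-Net" "NMS service" permit
set policy id 3 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "Tivoli Backup" permit
set policy id 20 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "HTTP" permit
set policy id 21 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "HTTPS" permit
set policy id 22 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "FTP" permit
'''
# Constructed line: policy 23 from Peer1's reply, written in the same syntax.
SSH_FIX = 'set policy id 23 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "SSH" permit\n'

def parse_policies(text):
    """Turn 'set policy id N from A to B src dst service action' lines into dicts."""
    keys = ("id", "from", "to", "src", "dst", "service", "action")
    out = []
    for line in text.splitlines():
        t = shlex.split(line)  # keeps quoted names such as "NMS service" whole
        if len(t) == 12 and t[:3] == ["set", "policy", "id"] and (t[4], t[6]) == ("from", "to"):
            out.append(dict(zip(keys, (int(t[3]), t[5], t[7], *t[8:12]))))
    return out

def inbound_decision(policies, service, src="Any"):
    """First matching Untrust->Trust rule wins; no match is treated as deny
    (assumption: the device's default action is deny). `src` is the address
    name the client belongs to, "Any" meaning an arbitrary Internet host.
    Destination is not compared: every inbound rule here targets the same /28."""
    for p in policies:
        if (p["from"], p["to"]) != ("Untrust", "Trust"):
            continue
        src_ok = p["src"].lower() == "any" or p["src"] == src
        svc_ok = p["service"].lower() in ("any", service.lower())
        if src_ok and svc_ok:
            return p["action"], p["id"]
    return "deny", None

if __name__ == "__main__":
    before = parse_policies(TICKET_RULES)
    after = parse_policies(TICKET_RULES + SSH_FIX)
    for svc in ("SSH", "HTTP", "HTTPS", "FTP"):
        print(svc, inbound_decision(before, svc), "->", inbound_decision(after, svc))
```

Keeping the exported policy text under version control and running a check like this after any firewall replacement would surface a missing administrative service before someone is locked out.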