Opened 10 years ago

Closed 10 years ago

#1255 closed defect (fixed)

Peer1 Firewall Configuration

Reported by: warmerdam Owned by: sac@…
Priority: major Milestone:
Component: SysAdmin Keywords:
Cc:

Description

Currently I (and presumably others) are unable to ssh to osgeo1 (www.osgeo.org).

In a set of emails to selected SAC members (at least Frank and Arnulf?) Peer1 has indicated over the last couple days that our firewall hardware failed, and was replaced. The email thread had a title like:

[peer1.com #1358065] [5777727][1278743 :: osgeo.org] Peer 1 Monitoring Alert

It seems there was no record (!) of our old firewall rules, and so the following rules were put in place:

set policy id 1 from "Untrust" to "Trust"  "Peer1 Support" "66.223.95.240/28-Net" "ANY" permit
set policy id 1
set policy id 0 from "Trust" to "Untrust"  "66.223.95.240/28-Net" "Any" "ANY" permit
set policy id 0
set policy id 2 from "Untrust" to "Trust"  "NMS" "66.223.95.240/28-Net" "NMS service" permit
set policy id 2
set policy id 3 from "Untrust" to "Trust"  "Any" "66.223.95.240/28-Net" "Tivoli Backup" permit
set policy id 3
set policy id 20 from "Untrust" to "Trust"  "Any" "66.223.95.240/28-Net" "HTTP" permit
set policy id 20
set policy id 21 from "Untrust" to "Trust"  "Any" "66.223.95.240/28-Net" "HTTPS" permit
set policy id 21
set policy id 22 from "Untrust" to "Trust"  "Any" "66.223.95.240/28-Net" "FTP" permit
set policy id 22

I presume this is disallowing ssh traffic.

This firewall configuration may be related to #1254 as well.

Change History (2)

comment:1 by warmerdam, 10 years ago

I have sent the following email to Peer1 support a couple minutes ago.

""" Sam,

I am not familiar with the syntax of the firewall policies above. What I have just realized is that I (we) are no longer able to ssh into this box. In the past the box was accepting ssh connections from anywhere in the world for those with accounts. We need this to administer the box.

PRIORITY NEED: Adjust firewall so we can ssh to the box!

We are also seeing odd behaviors related to http virtual hosts being remapped, but I don't know if that might be related to changes in the firewall or not.

To be honest I didn't know we had some sort of hardware firewall.

Best regards, Frank """

comment:2 by warmerdam, 10 years ago

Resolution: fixed
Status: new → closed

Hello Frank,

I have opened up SSH traffic for the firewall. To be specific, the following changes have been made:

Policy Number: 23
Source: Any
Destination: 66.223.95.240/28
Service: SSH
Action: Permit

Can you please verify if you have access to your server?

Thanks and Best Regards,

Shuji Miyamoto
Network Systems Engineer
PEER 1 Hosting NOC

... /me confirms access.
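An added illustration of why the replaced rule set in the description blocked SSH and why the policy 23 change in comment:2 restored it (this is example code, not anything from the ticket, from Peer1 or from SAC): a small Python model that parses the quoted ScreenOS-style `set policy` lines, evaluates a connection against them in listed order with the firewall's implicit default deny, and then re-runs the check with policy 23 appended. The address-object membership ("Peer1 Support", "NMS"), the service-object port mappings, the rendering of policy 23 in this syntax, and the client address 198.51.100.7 are assumptions, not facts the ticket gives.

```python
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed copy of the rules quoted in the ticket description. The bare
# "set policy id N" lines only enter a policy context and are skipped by the parser.
ORIGINAL_RULES = """
set policy id 1 from "Untrust" to "Trust"  "Peer1 Support" "66.223.95.240/28-Net" "ANY" permit
set policy id 1
set policy id 0 from "Trust" to "Untrust"  "66.223.95.240/28-Net" "Any" "ANY" permit
set policy id 0
set policy id 2 from "Untrust" to "Trust"  "NMS" "66.223.95.240/28-Net" "NMS service" permit
set policy id 2
set policy id 3 from "Untrust" to "Trust"  "Any" "66.223.95.240/28-Net" "Tivoli Backup" permit
set policy id 3
set policy id 20 from "Untrust" to "Trust"  "Any" "66.223.95.240/28-Net" "HTTP" permit
set policy id 20
set policy id 21 from "Untrust" to "Trust"  "Any" "66.223.95.240/28-Net" "HTTPS" permit
set policy id 21
set policy id 22 from "Untrust" to "Trust"  "Any" "66.223.95.240/28-Net" "FTP" permit
set policy id 22
"""

# Policy 23 from comment:2, rendered in the same syntax (assumed wording, not quoted from Peer1).
SSH_FIX = 'set policy id 23 from "Untrust" to "Trust" "Any" "66.223.95.240/28-Net" "SSH" permit'

# ASSUMED address-object membership. "Any" is a wildcard. The ticket does not say which
# hosts belong to "Peer1 Support" or "NMS", so they are modelled as matching nothing,
# which is what an arbitrary Internet client sees either way.
ADDRESS_OBJECTS = {
    "Any": None,
    "66.223.95.240/28-Net": [ipaddress.ip_network("66.223.95.240/28")],
    "Peer1 Support": [],
    "NMS": [],
}

# ASSUMED service-object definitions as (protocol, port) sets; "ANY" is a wildcard.
# "NMS service" and "Tivoli Backup" are custom objects whose ports the ticket does not give.
SERVICE_OBJECTS = {
    "ANY": None,
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "FTP": {("tcp", 21)},
    "SSH": {("tcp", 22)},
    "NMS service": set(),
    "Tivoli Backup": set(),
}


@dataclass
class Policy:
    pid: int
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str
    action: str


def parse_policies(text):
    """Parse 'set policy id N from A to B SRC DST SVC ACTION' lines, keeping their listed order."""
    policies = []
    for line in text.splitlines():
        tok = shlex.split(line)  # honours the double-quoted object names
        if len(tok) != 12 or tok[:3] != ["set", "policy", "id"]:
            continue  # blank lines and bare "set policy id N" context lines
        policies.append(Policy(int(tok[3]), tok[5], tok[7], tok[8], tok[9], tok[10], tok[11]))
    return policies


def addr_matches(obj_name, ip):
    nets = ADDRESS_OBJECTS[obj_name]
    return nets is None or any(ip in n for n in nets)


def service_matches(obj_name, proto, port):
    svc = SERVICE_OBJECTS[obj_name]
    return svc is None or (proto, port) in svc


def evaluate(policies, from_zone, to_zone, src_ip, dst_ip, proto, port):
    """First matching policy for the zone pair wins; no match means the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if addr_matches(p.src, src) and addr_matches(p.dst, dst) and service_matches(p.service, proto, port):
            return p.action, p.pid
    return "deny", None


def ssh_from_internet(rule_text, client_ip="198.51.100.7"):
    """Would an SSH connection from an arbitrary Internet client reach a host in the /28?"""
    return evaluate(parse_policies(rule_text), "Untrust", "Trust", client_ip, "66.223.95.241", "tcp", 22)


if __name__ == "__main__":
    print("before fix:", ssh_from_internet(ORIGINAL_RULES))                  # ('deny', None)
    print("after fix: ", ssh_from_internet(ORIGINAL_RULES + SSH_FIX + "\n"))  # ('permit', 23)
```

The model makes the point of the ticket concrete: nothing in the replaced rule set permits TCP/22 from an arbitrary source, so the implicit deny drops the connection even though HTTP, HTTPS and FTP still pass; a rule set checked into version control, which the description notes did not exist, would have let this be spotted before the swap rather than after.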
