Reasons for Change

The rules currently in place are out of date. In particular, they restrict Spread use in the MSR to machines that no longer exist, and when Spread's configuration says those machines should be reachable it eventually locks up. It would also be more robust to express the rules in terms of subnets rather than individual machines.

Test Procedure

  • I've installed the new set of rules on my desktop machine; it doesn't crash and remains accessible via SSH.
  • Log in to glastlnx11 and 06 via SSH from outside the SLAC internal net, e.g., from the visitor's net.
  • Ask the MOC and GSSC to send us some trial FASTCopy packages.
  • Run the Telemetry Trending web app with the data source set to XML-RPC.
  • Run the Telemetry Monitor and the Telemetry Table web apps for PROD.
  • Use telnet to try to connect to the FASTCopy, web Trending and web telemetry service ports from outside SLAC; all of these connection attempts should be blocked.

Rollback Procedure

At first we will install the new rules non-persistently, so that a reboot reinstates the old rules. In the worst case the machine drops off the network entirely and that reboot has to be done from the local console. The script that installs the new rules first saves the old ones in a restorable format, so in milder cases of malfunction the old rules can be reinstated from an interactive terminal session. Once the new rules have been validated we will make them permanent so that they survive reboots. Note that superuser privileges are needed to modify iptables rules.

CCB Jira

ssc-265@JIRA

Changes:

  • Update ISOC.MocTicker.GenFilter, which generates a bash script that
    installs the new rules.
  • Run the bash script on the machine whose rules we wish to change.
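
As an added illustration, not the output of ISOC.MocTicker.GenFilter or any other project code, the following bash script sketches what a generated install script with the rollback behaviour described above could look like: it builds a subnet-based ruleset in iptables-restore format (SSH open to the world, the service ports open only to the internal subnet, everything else dropped), saves the running rules with iptables-save before loading the new ones non-persistently, arms a watchdog that restores the saved rules unless the operator confirms from a fresh SSH session, and provides a probe for the external-connectivity checks in the test procedure. The subnet 192.0.2.0/24 and the ports 4803, 8080 and 5000 are placeholders, not the real SLAC, Spread, web-app or FASTCopy values.

```bash
#!/bin/bash
# Added example, not GenFilter output or any other project code.
# Assumed placeholders (not from the original document): 192.0.2.0/24 stands
# in for the SLAC internal net, 4803/tcp for Spread, 8080/tcp for the web
# apps and 5000/tcp for FASTCopy. Replace them with the real values.
set -u

INTERNAL_NET="${INTERNAL_NET:-192.0.2.0/24}"
SERVICE_PORTS="${SERVICE_PORTS:-4803 8080 5000}"
BACKUP_DIR="${BACKUP_DIR:-/var/tmp/iptables-backup}"

# gen_rules SUBNET PORT... : print a complete filter table in
# iptables-restore format. Only SSH is open to the world; the listed
# service ports are reachable from SUBNET alone; everything else is dropped.
gen_rules() {
    local subnet="$1"; shift
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
    local port
    for port in "$@"; do
        printf '%s\n' "-A INPUT -s $subnet -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo COMMIT
}

# install_rules FILE SECONDS : save the running rules, load FILE into the
# kernel (not persistent across a reboot), and start a watchdog that puts the
# saved rules back after SECONDS unless confirm_rules is run first.
install_rules() {
    local rules="$1" grace="$2"
    local backup="$BACKUP_DIR/rules.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$BACKUP_DIR"
    iptables-save > "$backup"
    echo "$backup" > "$BACKUP_DIR/last"
    ( sleep "$grace" && iptables-restore < "$backup" \
        && echo "watchdog: restored $backup" >&2 ) &
    echo $! > "$BACKUP_DIR/watchdog.pid"
    iptables-restore < "$rules"
    echo "loaded $rules; run confirm_rules within ${grace}s from a new SSH session" >&2
}

# confirm_rules : the new rules work, so cancel the pending rollback.
confirm_rules() {
    kill "$(cat "$BACKUP_DIR/watchdog.pid")" && rm -f "$BACKUP_DIR/watchdog.pid"
}

# rollback_rules : reinstate the most recently saved ruleset by hand.
rollback_rules() {
    iptables-restore < "$(cat "$BACKUP_DIR/last")"
}

# check_port HOST PORT open|closed : probe with bash's /dev/tcp (3 s timeout)
# and return 0 when the observed state matches the expectation.
check_port() {
    local host="$1" port="$2" expect="$3" state=closed
    if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        state=open
    fi
    printf '%s:%s is %s (expected %s)\n' "$host" "$port" "$state" "$expect"
    [ "$state" = "$expect" ]
}
```

Typical use as root: `gen_rules "$INTERNAL_NET" $SERVICE_PORTS > new.rules`, then `install_rules new.rules 300`, then open a second SSH session and run `confirm_rules` there. If the new rules cut you off, the watchdog reloads the saved set after five minutes; `rollback_rules` reloads it immediately from any console you still have. From the visitor net, `check_port <host> 22 open` and `check_port <host> <service port> closed` cover the connectivity checks in the test procedure. Nothing here touches whatever mechanism makes rules survive a reboot, so a reboot still returns to the old rules until that final step is taken.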