[Labs-l] Security groups & outside access

Ryan Lane rlane32 at gmail.com
Wed Jun 27 11:49:33 UTC 2012


Indeed it was. Instances on virt1 couldn't talk to the outside world
due to an improper SNAT rule that was an artifact of our multi-host
network-node attempt.

On Wed, Jun 27, 2012 at 12:47 PM, Ryan Lane <rlane at wikimedia.org> wrote:
> This is a bug, likely due to the multi-host network node changes we
> attempted the other day.
>
> On Wed, Jun 27, 2012 at 2:38 AM, Andrew Bogott <abogott at wikimedia.org> wrote:
>>     I'm moving this discussion from IRC to email in hopes of spanning a few
>> more timezones.
>>
>>     A few people (me included) have noticed that some instances which
>> recently had access to the outside Internet no longer have this access.  For
>> example, my swiss-army-instance 'utils-abogott' used to chat with freenode
>> and can no longer.  The same change in access has happened to
>> etherpad.wmflabs.org, and presumably many other instances.
>>
>>     I'm assuming this is on purpose, due to a new policy that increases
>> enforcement of security groups.  True?
>>
>>     If yes, I still have two questions:
>>
>> 1)  In the default security group for that project I see this rule: 22, 22,
>> 0.0.0.0/0 which I would take to mean 'ssh allowed to/from anywhere.'  And
>> yet, best I can tell I cannot initiate an ssh connection to anywhere from
>> that system.  Am I making a dumb mistake?
>>
>> 2)  The help page about security groups
>> (https://labsconsole.wikimedia.org/wiki/Help:Security) suggests that
>> security settings cannot be changed for existing instances.  Doesn't that
>> pose quite a serious problem for people who are invested in instances that
>> existed before the (presumed) new security policy?
>>
>> Thanks!
>>
>> -Andrew
>>
>>
>> _______________________________________________
>> Labs-l mailing list
>> Labs-l at lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/labs-l
>>