Task #3013
Story #3010: Create a VPN between the production CNs
Firewall change: UNM (7612 and 7632)
Description
Allow UCSB and ORC machines to communicate to UNM via ports 7612 and 7632.
+Development+ cn-dev-2.dataone.org
* Connect from cn-dev.dataone.org on port 7612
** @sudo ufw allow to 129.24.0.48 port 7612 from 128.111.36.71@
* Connect from cn-dev-3.dataone.org on port 7632
** @sudo ufw allow to 129.24.0.48 port 7632 from 160.36.13.153@
+Sandbox+ cn-sandbox-unm-1.dataone.org
* Connect from cn-sandbox-ucsb-1.dataone.org on port 7612
** @sudo ufw allow to 64.106.40.7 port 7612 from 128.111.36.77@
* Connect from cn-sandbox-orc-1.dataone.org on port 7632
** @sudo ufw allow to 64.106.40.7 port 7632 from 160.36.13.152@
+Production+ cn-unm-1.dataone.org
* Connect from cn-ucsb-1.dataone.org on port 7612
** @sudo ufw allow to 64.106.40.6 port 7612 from 128.111.36.80@
* Connect from cn-orc-1.dataone.org on port 7632
** @sudo ufw allow to 64.106.40.6 port 7632 from 160.36.13.150@
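An added verification script (not part of this ticket or the DataONE buildout): it checks that a node's `ufw status` output carries exactly the per-source rules listed under Production above, and flags any rule that opens 7612 or 7632 to more than a single source host. The status text is constructed sample output in the plain `ufw status` layout.

```shell
#!/bin/sh
# Added example, not from the ticket: audit ufw rules for the UNM ports.
# SAMPLE_STATUS is constructed to look like `ufw status` on cn-unm-1
# (64.106.40.6): the two expected rules plus one over-broad rule of the
# kind a quick "allow to any" test change can leave behind.
# On a real host replace it with:  status=$(sudo ufw status)
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
64.106.40.6 7612           ALLOW       128.111.36.80
64.106.40.6 7632           ALLOW       160.36.13.150
7632                       ALLOW       Anywhere'

# expected_rule <status> <dest-ip> <port> <source-ip>
# Prints "ok" when a rule with exactly that destination, port and single
# source host exists, "missing" otherwise.
expected_rule() {
    if printf '%s\n' "$1" | awk -v d="$2" -v p="$3" -v s="$4" \
        '$1==d && $2==p && $3=="ALLOW" && $4==s {found=1} END {exit !found}'
    then echo ok
    else echo missing
    fi
}

# broad_rules <status> <port>
# Counts ALLOW rules for <port> whose source is not a single IPv4 host
# (e.g. "Anywhere"), which would defeat the per-node scoping above.
broad_rules() {
    printf '%s\n' "$1" | awk -v p="$2" '
        ($1==p || $2==p) && $0 ~ /ALLOW/ {
            if ($NF !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n++
        }
        END {print n+0}'
}

# Walk the Production rules from the ticket description and report each.
for spec in "64.106.40.6 7612 128.111.36.80" "64.106.40.6 7632 160.36.13.150"
do
    set -- $spec
    echo "$1 port $2 from $3: $(expected_rule "$SAMPLE_STATUS" "$1" "$2" "$3")"
done
echo "over-broad rules on 7612: $(broad_rules "$SAMPLE_STATUS" 7612)"
echo "over-broad rules on 7632: $(broad_rules "$SAMPLE_STATUS" 7632)"
```

Run against the sample, both expected rules report ok and the stray `7632 ALLOW Anywhere` line is counted as one over-broad rule on 7632.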
History
#1 Updated by Dave Vieglais over 12 years ago
- Assignee set to Dave Vieglais
#2 Updated by Andrew Pippin over 12 years ago
- Milestone changed from CCI-1.0.0 to CCI-1.0.3
Moving to version 1.0.3.
#3 Updated by Andrew Pippin over 12 years ago
Also need to make sure cn-dev-2 (129.24.0.48) is open.
#4 Updated by Dave Vieglais over 12 years ago
There is no institutional firewall in front of 129.24.0.48. Only IPTables (via ufw) will need to be updated to allow access to the required ports. ufw rules should be configured in the os-core buildout.
#5 Updated by Andrew Pippin over 12 years ago
Thanks, Dave.
#6 Updated by Andrew Pippin over 12 years ago
- Subject changed from Firewall change: UNM (7613 and 7623) to Firewall change: UNM (7612 and 7632)
Updated title and description to reflect change in node id sequence.
#7 Updated by Andrew Pippin over 12 years ago
Dave, would it be possible to modify the firewall on cn-dev-unm-1 now, before the buildout?
sudo ufw allow to any port 7612 from 128.111.36.78
sudo ufw allow to any port 7632 from 160.36.13.153
This will allow me to test the connections.
#8 Updated by Dave Vieglais over 12 years ago
- Status changed from New to In Progress
Firewall rules should be in place at an institutional level.
Need to test and verify before closing this ticket.
#9 Updated by Andrew Pippin over 12 years ago
I cannot connect via telnet to:
cn-dev-ucsb-1 → cn-dev-unm-1.dataone.org:7612
cn-dev-3 → cn-dev-unm-1.dataone.org:7632
Has the host firewall been updated yet?
#10 Updated by Andrew Pippin over 12 years ago
Test:
Server: @nc -lk 76xx@
Client: @echo "ping" | nc cn-dev-2.dataone.org 76xx@
Successful from cn-dev-3 on port 7632.
Unsuccessful from cn-dev on port 7612.
Note - it's also (correctly) unsuccessful from cn-dev-3 on port 7612 and cn-dev on port 7632.
#11 Updated by Andrew Pippin over 12 years ago
Update description.
#12 Updated by Dave Vieglais over 12 years ago
- Status changed from In Progress to Closed
These rules are in place but may be revoked as it appears the openvpn approach may not be viable.
#13 Updated by Dave Vieglais about 12 years ago
- Target version deleted (Sprint-2012.39-Block.5.4)