On Mon, 24 Aug 2009, Dennis Gilmore wrote: > On Monday 24 August 2009 05:08:37 pm Mike McGrath wrote: > > --- > > manifests/servergroups/proxy.pp | 3 ++- > > 1 files changed, 2 insertions(+), 1 deletions(-) > > > > diff --git a/manifests/servergroups/proxy.pp > > b/manifests/servergroups/proxy.pp index bdea7b6..70bbcf4 100644 > > --- a/manifests/servergroups/proxy.pp > > +++ b/manifests/servergroups/proxy.pp > > @@ -741,7 +741,8 @@ class proxy { > > # Firewall Rules, allow HTTP traffic through > > $tcpPorts = [ 80, 443, 873, 8080 ] > > $udpPorts = [] > > - $custom = [] > > + $custom = ['-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT', > > + '-A INPUT -p tcp -m tcp --sport 80 -j DROP'] > > > > iptables { "/etc/sysconfig/iptables": > > content => template("system/iptables-template.conf.erb"), > > +1 > Just so people are aware at this rather strange change. We have an explicit reject at the bottom of our iptables scripts. We're seeing some LAST_ACK's getting denied by the proxy servers iptables rules, generating this traffic. The network team requested we get rid of these ICMP messages so I have the iptables rules explicitly drop the messages before they get to the reject rule. This is a temporary change. -Mike _______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
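Review bot: the second custom rule, `-A INPUT -p tcp -m tcp --sport 80 -j DROP`, is broader than the stated goal of silencing rejects for stray LAST_ACK segments: it drops every inbound TCP packet whose source port is 80, which includes the reply traffic of any HTTP connection the proxy host itself opens to port 80, unless the template places an ESTABLISHED/RELATED accept ahead of the `$custom` rules (that ordering is not visible in this hunk). A narrower match such as `-A INPUT -p tcp -m state --state INVALID -j DROP`, placed before the final reject, would drop only out-of-state segments and leave legitimate replies alone. The companion `--dport 80 -j ACCEPT` line is redundant with `80` already being in `$tcpPorts`, and since the follow-up says this is temporary, the commit message or a comment in proxy.pp should record why the rule exists and when it is to be removed.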