Closed Bug 1126226 Opened 10 years ago Closed 10 years ago

more treeherder flows

Categories

(Infrastructure & Operations Graveyard :: NetOps: DC ACL Request, task)

RESOLVED FIXED

People

(Reporter: mdoglio, Assigned: dcurado)

(Keywords: treeherder)

Can you please add the following flows (etl nodes -> readonly db)?

Staging:
10.22.75.25 -> 10.22.70.92:3306
10.22.75.26 -> 10.22.70.92:3306

Production:
10.22.75.28 -> 10.22.27.116:3306
10.22.75.29 -> 10.22.27.116:3306
Blocks: 1125856
Please could we also have a dump of all of the flow configs for stage and prod please? It would just be good to vet them to ensure we're not missing anything else - thanks :-)
Blocks: 1125464
No longer blocks: 1125856
Keywords: treeherder
Assignee: network-operations → dcurado
Status: NEW → ASSIGNED
The security policies you asked for have been added.
(sorry for the delay, I had an "energetic" meeting I had to be in, and could not multi-task)
Please let me know if there are any problems?
Thanks.

From zone: private, To zone: db
  Source addresses:
    treeherder-etl2.stage: 10.22.75.26/32
    treeherder-etl1.stage: 10.22.75.25/32
    treeherder-rabbitmq1.stage: 10.22.75.31/32
    treeherderadm: 10.22.75.150/32
  Destination addresses:
    treeherder-stage-ro-vip: 10.22.70.92/32
    treeherder-stage-rw-vip: 10.22.70.42/32
  Application: mysql
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
    Source port range: [0-0]
    Destination port range: [3306-3306]
----------------------------------------------
From zone: private, To zone: metrics
  Source addresses:
    treeherder-etl2: 10.22.75.29/32
    treeherder-etl1: 10.22.75.28/32
    treeherder-rabbitmq1: 10.22.75.19/32
    treeherderadm: 10.22.75.150/32
  Destination addresses:
    treeherder-ro-vip: 10.22.27.116/32
    treeherder-rw-vip: 10.22.27.117/32
  Application: mysql
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
    Source port range: [0-0]
    Destination port range: [3306-3306]
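An added example (not part of the bug thread, and not NetOps or Treeherder tooling): a check that the four flows requested in the description are covered by the policy listing posted in the comment above, which also lists the source/destination pairs those policies permit beyond this request so they can be matched against earlier requests. The function names and parsing regexes are assumptions made for this illustration; the addresses are the ones in the thread.

```python
import ipaddress
import re

# Policy listing copied from the comment above; parsing ignores line breaks.
POLICY_DUMP = """
From zone: private, To zone: db
Source addresses: treeherder-etl2.stage: 10.22.75.26/32 treeherder-etl1.stage: 10.22.75.25/32
 treeherder-rabbitmq1.stage: 10.22.75.31/32 treeherderadm: 10.22.75.150/32
Destination addresses: treeherder-stage-ro-vip: 10.22.70.92/32 treeherder-stage-rw-vip: 10.22.70.42/32
Application: mysql IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0] Destination port range: [3306-3306]
From zone: private, To zone: metrics
Source addresses: treeherder-etl2: 10.22.75.29/32 treeherder-etl1: 10.22.75.28/32
 treeherder-rabbitmq1: 10.22.75.19/32 treeherderadm: 10.22.75.150/32
Destination addresses: treeherder-ro-vip: 10.22.27.116/32 treeherder-rw-vip: 10.22.27.117/32
Application: mysql IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0] Destination port range: [3306-3306]
"""

# Flows requested in the bug description: (source, destination, tcp port).
REQUESTED = [("10.22.75.25", "10.22.70.92", 3306), ("10.22.75.26", "10.22.70.92", 3306),
             ("10.22.75.28", "10.22.27.116", 3306), ("10.22.75.29", "10.22.27.116", 3306)]

ADDR = re.compile(r"(\S+): (\d+\.\d+\.\d+\.\d+/\d+)")  # "name: a.b.c.d/len"
BLOCK = re.compile(
    r"To zone: (\S+)\s+Source addresses:(.*?)Destination addresses:(.*?)"
    r"Application:.*?Destination port range: \[(\d+)-(\d+)\]", re.S)

def nets(section):
    return [ipaddress.ip_network(a) for _, a in ADDR.findall(section)]

def parse_policies(text):
    """Return one dict per policy: destination zone, networks, port range."""
    return [{"zone": z, "src": nets(s), "dst": nets(d),
             "ports": range(int(lo), int(hi) + 1)}
            for z, s, d, lo, hi in BLOCK.findall(text)]

def permitted(policies, src, dst, port):
    """True if a single policy covers the src -> dst:port flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(port in p["ports"] and any(s in n for n in p["src"])
               and any(d in n for n in p["dst"]) for p in policies)

def audit(policies, requested):
    """Return (requested flows not covered, permitted host pairs not requested)."""
    missing = [f for f in requested if not permitted(policies, *f)]
    asked = {(s, d) for s, d, _ in requested}
    allowed = {(str(s.network_address), str(d.network_address))  # all entries are /32
               for p in policies for s in p["src"] for d in p["dst"]}
    return missing, sorted(allowed - asked)
```
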
As for comment #1 -- That is a non-trivial request. Before spending, I don't know, a couple hours figuring that out through via the firewall, is it really needed? It may be the easiest way to get that information is querying netops bugs that mention treeherder. Every request we've received has been completed, so that would be a complete list. That said, I'm not sure that should fall on to our plate. You can do that work as well as I can.
Flags: needinfo?(emorley)
(In reply to Dave Curado :dcurado from comment #3)
> Before spending, I don't know, a couple hours figuring that out
> through via the firewall, is it really needed?

I was just after a copy/paste of whatever configuration file I thought was checked into some private IT repo that managed these flows. If that's not how it works, then no worries.
Flags: needinfo?(emorley)
Ah, I see. Yes, if it was that easy, that would be great. Unfortunately it's not. We translate the bugs we get into firewall syntax. If this gets to be a serious issue, please re-open this bug, and I'll try to get a listing of all the security policies. I hope that sounds reasonable. Thanks!
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Yeah that's absolutely fine - I don't expect you to spend hours doing that. Unfortunately everything's (understandably) a bit of a black box to those outside of it/ops, so it's hard to know how much work a request is.
Thank you for the new flows :-)
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard