Puppet_Creating Web Services - ACCESS-NRI/accessdev-Trac-archive GitHub Wiki

Creating Web & Network Services

Most network access to the system should go through either Apache or SSH - for instance, Java webapps running on Tomcat should sit behind an Apache reverse proxy rather than exposing port 8080 directly. Some services will require their own port; for these, access should be limited as much as possible by using the firewall.

For services that require their own port:

  1. Create a secgroup for the service and allow only the port it needs (the example below is for NRPE on TCP 5666; the last argument is the permitted source range)
# create the security group, then add a single TCP rule for port 5666
nova secgroup-create nrpe
nova secgroup-add-rule nrpe tcp 5666 5666 0.0.0.0/0
  2. Open the firewall in the service's Puppet module (HTTP/S and SSH are open by default)
# puppetlabs-firewall resource: the leading number in the title sets the rule's
# position; only connections from $sourceip to TCP 5666 are accepted
firewall {"200 NRPE from ${sourceip}":
    port   => 5666,
    proto  => 'tcp',
    source => $sourceip,
    action => 'accept',
}

For an example that uses this see modules/monitoring, which takes a list of IP addresses to allow through the firewall as a class argument.
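As an added illustration of that pattern, here is a small class that takes a list of source addresses as a class argument and declares one accept rule per address. This is example code written for this page, not the project's modules/monitoring module; the class name `nrpe::firewall`, the parameter names and the sample addresses are assumptions, and it uses the `firewall` resource type from puppetlabs-firewall as the snippet above does (with `dport`, that module's destination-port parameter, where the snippet above uses `port`).

```puppet
# Example class (added here; not the project's modules/monitoring module).
# Opens the NRPE port only to an explicit list of source addresses. With an
# empty list nothing is opened, so the port stays closed by the default policy.
class nrpe::firewall (
  Array[String]     $allowed_sources = [],
  Integer[1, 65535] $port            = 5666,
) {
  # Iterate with an index so every rule gets a unique, ordered title:
  # puppetlabs-firewall orders rules by the leading number in the title.
  $allowed_sources.each |Integer $i, String $source| {
    $rule_number = 200 + $i
    firewall { "${rule_number} NRPE from ${source}":
      proto  => 'tcp',
      dport  => $port,
      source => $source,
      action => 'accept',
    }
  }
}

# Usage with constructed example addresses (TEST-NET-1 range): only these two
# monitoring hosts may reach TCP 5666; every other source is still blocked.
class { 'nrpe::firewall':
  allowed_sources => ['192.0.2.10', '192.0.2.11'],
}
```

Declaring the class with an empty `allowed_sources` is deliberately a no-op rather than a wildcard rule, so a forgotten Hiera value fails closed instead of exposing the port to 0.0.0.0/0.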