Extend firewalling doc to talk about restricted ssh (rt#6881)

[mirror/dsa-wiki.git] / input / doc / firewall.mdwn

diff --git a/input/doc/firewall.mdwn b/input/doc/firewall.mdwn
index 5f71914..c56a189 100644 (file)
--- a/input/doc/firewall.mdwn
+++ b/input/doc/firewall.mdwn
@@ -1,5 +1,17 @@
-Third party firewalling debian.org hosts
-========================================
+Firewalling debian.org hosts
+============================
+
+Debian's own firewalling
+------------------------
+
+A number of hosts have incoming ssh connections restricted to some subnets.
+In particular, this includes mirrors, buildds and DSA's gitolite host.  To
+connect to those machines, users can hop through master.debian.org or
+people.debian.org.
+
+
+Third party firewalling
+-----------------------
 
 In Debian we rely on sponsors for providing housing and hosting for all
 of our infrastructure.  As such, we have a lot of our gear spread out
@@ -26,13 +38,17 @@ In these cases we usually ask for the following setup:
   * grnet: 194.177.211.192/27
   * man-da: 82.195.75.64/26
   * sil: 86.59.118.144/28
-  * ubcece: 206.12.19.5.0/24
+  * ubcece: 206.12.19.0/24
+  * ubc: 209.87.16.0/24
   * bytemark: 2001:41c8:1000::/48
   * grnet: 2001:648:2ffc:deb::/64
   * man-da: 2001:41b8:202:deb::/64
   * sil: 2001:858:2:2::/64
   * ubcece: 2607:f8f0:610:4000::/64
+  * ubc: 2607:F8F0:614:1::/64
+* allow all return traffic on tcp/udp/etc.
 
 Extra ports might be required for specific services.
 
-
+---
+Sat, 04 Nov 2017 19:34:24 +0000