From 1878e49a6d9674142168e808971f4adc87adc50b Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: May 25 2019 00:31:00 +0000
Subject: Close os machinectl port from external

Signed-off-by: Patrick Uiterwijk
---
diff --git a/inventory/group_vars/os_proxies b/inventory/group_vars/os_proxies
index 4221d5c..c75d4ce 100644
--- a/inventory/group_vars/os_proxies
+++ b/inventory/group_vars/os_proxies
@@ -13,14 +13,12 @@ tcp_ports: [
 6443,
 # For haproxy status
 8080,
- # For machinectl api
- 22623,
- # 9941 is closed generally, is for the inbound fedmsg and is covered in
- # custom_rules
 ]

 custom_rules: [
 # Needed for keepalived
 '-A INPUT -d 224.0.0.0/8 -j ACCEPT',
 '-A INPUT -p vrrp -j ACCEPT',
+ # machinectl api
+ '-A INPUT -p tcp --dport 22623 --src 38.145.48.0/27 -j ACCEPT',
 ]
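Review bot: The new `--src 38.145.48.0/27` rule in `custom_rules` hard-codes the allowed network without saying what that range is, so a later reader cannot tell whether the restriction is still right after a renumbering. A comment such as `# machinectl api (22623): internal only, allowed from <network name> 38.145.48.0/27` would record the intent. The rule is IPv4-only and appended with `-A INPUT`; whether port 22623 is also closed over IPv6, and whether this rule lands before the final reject in the generated ruleset, depends on the firewall template, which is not visible in this hunk. If this is the OpenShift machine-config endpoint, as the port number suggests, it can serve node configuration that includes credentials, so it is worth confirming from an outside address that the port is closed once the playbook has run.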