Diffstat (limited to 'firewall.yaml')
-rw-r--r--firewall.yaml35
1 files changed, 7 insertions, 28 deletions
diff --git a/firewall.yaml b/firewall.yaml
index 800e7390..c468755b 100644
--- a/firewall.yaml
+++ b/firewall.yaml
@@ -235,10 +235,10 @@
- name: shared-artifact-cache security group
os_security_group:
name: shared-artifact-cache
- description: Allow inbound HTTP, HTTPS and read-only Morph artifact cache access. Allow writable Morph artifact cache access from internal IPs.
+ description: Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)
state: present
- - name: shared-artifact-cache security group -- allow incoming TCP on port 80 for cache server web frontend
+ - name: shared-artifact-cache security group -- allow incoming TCP on port 80 for ostree-over-HTTP
os_security_group_rule:
security_group: shared-artifact-cache
direction: ingress
@@ -248,7 +248,7 @@
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- - name: shared-artifact-cache security group -- allow incoming TCP on port 443 for cache server web frontend
+ - name: shared-artifact-cache security group -- allow incoming TCP on port 443 for ostree-over-HTTP
os_security_group_rule:
security_group: shared-artifact-cache
direction: ingress
@@ -258,38 +258,17 @@
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- - name: shared-artifact-cache security group -- allow incoming TCP on port 8080 for cache server read access
+ # The port number here was chosen arbitrarily.
+ - name: shared-artifact-cache security group -- allow incoming TCP on port 22200 for ostree-over-SSH
os_security_group_rule:
security_group: shared-artifact-cache
direction: ingress
- port_range_min: 8080
- port_range_max: 8080
+ port_range_min: 22200
+ port_range_max: 22200
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- # 8081: 'writable cache server' port. Anyone who can connect
- # to this port can delete or overwrite cached artifacts.
- #
- # FIXME: because the Masons use cache.baserock.org instead of
- # 192.168.0.16 to access the shared artifact cache, we need to
- # permit traffic from our public IP range. This provides a
- # theoritical attack vector from other tenancies, so we should
- # fix the Masons and remove this rule.
- - name: shared-artifact-cache security group -- allow incoming internal-only TCP on port 8081 for cache server write access
- os_security_group_rule:
- security_group: shared-artifact-cache
- direction: ingress
- port_range_min: 8081
- port_range_max: 8081
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 185.43.218.0/0
- # It'd be nice to limit access by security group, but it doesn't
- # seem to actually work. Perhaps because we use external IP to
- # access instead of internal IP.
- #remote_group_id: "{{ default_group.sec_group.id }}"
-
- name: web-server security group
os_security_group:
name: web-server
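Review bot: The new rule for port 22200 is exposed with `remote_ip_prefix: 0.0.0.0/0` and carries no rationale, whereas the 8081 rule it replaces was labelled "internal-only", documented that anyone reaching it could delete or overwrite cached artifacts, and kept a FIXME about restricting it to the tenant's own range; if ostree-over-SSH is the push/write path (the removed comments suggest the write port was the sensitive one, though the hunk does not say so explicitly), that restriction has been silently dropped rather than resolved. Note that the old prefix `185.43.218.0/0` was already a bug — a /0 mask matches every address — so the previous rule was world-open in practice too, and this commit is a chance to state the intended policy. Either narrow the rule to the actual writer source range (e.g. `remote_ip_prefix: 185.43.218.0/24`, whatever the real prefix is) or replace the "chosen arbitrarily" comment with the security rationale, e.g. `# 22200: ostree-over-SSH. Open to the world on purpose; write access relies on SSH key authentication (no password login), so keep sshd on this port key-only.` Also consider carrying over the old `remote_group_id` note so the next maintainer knows that approach was tried and why it was abandoned.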