Hello, kind folks!
We are making two firewall rule changes on the IC, for which we have prepared two proposals (and submitted one of them for voting).
The first proposal deletes an obsolete firewall rule from the IC. This rule refers to a datacenter that has long since been decommissioned.
The second proposal adds monitoring access to metrics proxy from DFINITY datacenters, to evaluate the health of the metrics proxy service. This service will allow every member of the public to collect telemetry on nodes of the IC.
Sample text of the two proposals follow. We cannot submit both proposals at the same time, because the expected hash of each proposal is influenced by the other, but we can and will submit the first proposal, showing you the text below and, when the first proposal is adopted, update the post below with the text of the second proposal as that happens.
First proposal has been adopted.
Title: Proposal to remove firewall rule
Summary: Removal of obsolete rule
Motivation: We propose to eliminate the firewall rules associated with the previous Internet Computer (IC) monitoring and observability stack that operated on AWS. This stack has been thoroughly replaced with an advanced, on-premise observability system. The new system is distributed across three data centers located in distinct geographic zones, for improved resilience and fault tolerance.
Payload: RemoveFirewallRulesPayload {
scope: ReplicaNodes,
positions: [
2,
],
expected_hash: "CE493BEE2D1F8E7D69793DDD774054A9A46B644404B28135EA691FBAA13BD6C9",
}
Second proposal is now up for voting as well.
Title: Proposal to allow the DFINITY observability stack to scrape internal metrics from the metrics proxy
Summary: We propose allowing the DFINITY observability stack to access the metrics-proxy internal telemetry TCP port 19100.
Motivation: This access is essential for monitoring the performance of the metrics-proxy service within the GuestOS and can be used to identify potential anomalies in the metrics-proxy operation.
For further details, please refer to the forum post available at: https://forum.dfinity.org/t/two-upcoming-firewall-rule-changes-on-the-ic/28222 .
Payload: UpdateFirewallRulesPayload {
scope: ReplicaNodes,
rules: [
FirewallRule {
ipv4_prefixes: [],
ipv6_prefixes: [
"2001:438:fffd:11c::/64",
"2001:470:1:c76::/64",
"2001:4d78:400:10a::/64",
"2001:4d78:40d::/48",
"2001:920:401a:1706::/64",
"2001:920:401a:1708::/64",
"2001:920:401a:1710::/64",
"2401:3f00:1000:22::/64",
"2401:3f00:1000:23::/64",
"2401:3f00:1000:24::/64",
"2600:2c01:21::/64",
"2600:3000:1300:1300::/64",
"2600:3000:6100:200::/64",
"2600:3004:1200:1200::/56",
"2600:3006:1400:1500::/64",
"2600:c02:b002:15::/64",
"2600:c0d:3002:4::/64",
"2602:fb2b::/36",
"2602:ffe4:801:16::/64",
"2602:ffe4:801:17::/64",
"2602:ffe4:801:18::/64",
"2604:1380:4091:3000::/48",
"2604:1380:40e1:4700::/48",
"2604:1380:40f1:1700::/64",
"2604:1380:45d1:bf00::/64",
"2604:1380:45e1:a600::/48",
"2604:1380:45f1:9400::/64",
"2604:1380:4601:6200::/48",
"2604:1380:4641:6100::/48",
"2604:3fc0:2001::/48",
"2604:3fc0:3002::/48",
"2604:6800:258:1::/64",
"2604:7e00:30:3::/64",
"2604:7e00:50::/64",
"2604:b900:4001:76::/64",
"2607:f1d0:10:1::/64",
"2607:f6f0:3004::/48",
"2607:f758:1220::/64",
"2607:f758:c300::/64",
"2607:fb58:9005::/48",
"2607:ff70:3:2::/64",
"2610:190:6000:1::/64",
"2610:190:df01:5::/64",
"2a00:fa0:3::/48",
"2a00:fb01:400:200::/64",
"2a00:fb01:400::/56",
"2a00:fc0:5000:300::/64",
"2a01:138:900a::/48",
"2a01:2a8:a13c:1::/64",
"2a01:2a8:a13d:1::/64",
"2a01:2a8:a13e:1::/64",
"2a02:418:3002:0::/64",
"2a02:41b:300e::/48",
"2a02:800:2:2003::/64",
"2a04:9dc0:0:108::/64",
"2a05:d01c:e2c:a700::/56",
"2a0b:21c0:b002:2::/64",
"2a0f:cd00:0002::/56",
"fd00:2:1:1::/64",
],
ports: [
22,
2497,
4100,
8080,
9090,
9091,
9100,
19100,
19531,
],
action: Allow,
comment: "Firewall rules for all replica nodes",
user: None,
direction: None,
},
],
positions: [
0,
],
expected_hash: "CBA4DEE67ABB939E1964DA027EF27FED74C5C06C48D0E3F50B0999D2323B714A",
}
Do not hesitate to ask questions here!