From c023e89f645fdb2d7cd1c50862261658601c444b Mon Sep 17 00:00:00 2001
From: Matthew Treinish
Date: Tue, 27 Sep 2016 18:04:23 -0400
Subject: [PATCH] Temporarily block port 80 and port 8080 on firehose

We're able to pretty reliably crash firehose with multiple websocket connections at once. So to prevent us from DOS ourselves lets block off the websocket ports for now. We can revert this when we have a remedy in place.

Change-Id: I909ad4b160a152ae9b909a9e9a1e5d63afa39345
---
 manifests/site.pp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/manifests/site.pp b/manifests/site.pp
index 3797cbab47..7b919c5665 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -501,7 +501,10 @@ node /^elasticsearch0[1-7]\.openstack\.org$/ {
 # Node-OS: xenial
 node /^firehose\d+\.openstack\.org$/ {
 class { 'openstack_project::server':
- iptables_public_tcp_ports => [22, 25, 80, 1883, 8080, 8883],
+ # NOTE(mtreinish) Port 80 and 8080 are disabled because websocket
+ # connections seem to crash mosquitto. Once this is fixed we should add
+ # them back
+ iptables_public_tcp_ports => [22, 25, 1883, 8883],
 sysadmins => hiera('sysadmins', []),
 manage_exim => false,
 }
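Review bot: The NOTE(mtreinish) comment above `iptables_public_tcp_ports` says why 80 and 8080 were dropped but not what must be true before they return, so this temporary block can be forgotten or reverted too early. I would put the trigger from the commit message and a tracking reference in the comment, e.g. `# NOTE(mtreinish) 80 and 8080 (websockets) are closed because several concurrent websocket connections crash mosquitto; see <tracking-story-placeholder> before re-adding them.` The change only removes the public firewall openings, so mosquitto presumably still has its websocket listeners configured, and any source admitted by other rules could still reach them. Disabling those listeners as well, or capping connections per listener when the ports come back, would close that gap. The firehose node block continues past the end of the hunk, so other firewall parameters may exist that are not visible here.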