#
# Firewall rule template.
#
# Styles:
#
#	OPEN		allows everything
#	CLOSED   	allows only Emulab infrastructure services
#	BASIC		CLOSED + ssh from anywhere
#	ELABINELAB	Elab-in-elab, eliminates many Emulab services
#	WINDOWS		Rules specific to WinXP, not a real style right now
#
# Variables expanded by rc.firewall script:
#
#	EMULAB_NS	IP address of name server
#	EMULAB_CNET	Node control network in CIDR notation
#	EMULAB_MCADDR	Frisbee multicast address (used by the 60080 rule)
#	EMULAB_MCPORT	Frisbee multicast port (used by the 60081 rule)
#
# Currently these are sufficient for rules we use.  Note that you can
# safely use symbolic hostnames "boss", "ops", "fs", "users", "ntp1"
# and "ntp2" as they are all guaranteed to resolve (assuming an earlier
# rule exists to allow DNS traffic to/from EMULAB_NS).
#
# Remaining questions:
#
# 1. Anti-spoofing?  The real firewall will do spoofing checks, should
#    we do them also?  It won't protect the rest of the control net from
#    us unless we put in specific, per-firewalled-host rules.
#
# 2. How much should we protect the firewall itself?  We disallow complete
#    access from inside.  From outside, we treat the firewall pretty much
#    like a firewalled node, except that we always allow infrastructure
#    services (e.g. NFS).
#
# 3. Watch out for VLAN tagged packets.  We don't want to process them
#    when they come in off the phys interface, we want to process them
#    when they have been untagged.
#

# Let through anything
# OPEN is a no-op firewall: every packet is accepted.  No other rule in
# this file carries the OPEN tag, so none of the deny-from-inside or
# per-service rules below are installed for this style.
allow all from any to any			# 65534: OPEN

# match existing dynamic rules first (rule 1 is used as a temp rule)
# Every flow admitted by a keep-state rule further down is matched here
# on subsequent packets, so those rules only need to see the first packet.
check-state					# 2: BASIC,CLOSED,ELABINELAB

# XXX use ssh from boss to remove a tmp rule allowing all traffic
# this is necessary to allow the ssh to complete!
# NOTE(review): "established" matches on TCP flag bits, not on a
# dynamic-rule entry, so this is not a stateful check.  It is limited to
# me -> boss, so it only widens the firewall's own outbound traffic.
allow tcp from me to boss established		# 3: ELABINELAB

# Can talk to myself
allow all from me to me				# 10: BASIC,CLOSED,ELABINELAB

# But no one on the inside can talk to me or other experiment nodes
# These are numbered below the user range (100-60000), so a user-supplied
# rule cannot reopen them.
deny all from any to me via vlan0		# 11: BASIC,CLOSED,ELABINELAB
deny all from any to EMULAB_CNET via vlan0	# 12: BASIC,CLOSED,ELABINELAB

# Let nodes find the gateway
allow mac-type arp				# 13: BASIC,CLOSED,ELABINELAB

# other boilerplate
# NOTE(review): non-first fragments carry no port information, so they can
# match neither the dynamic rules nor the per-port rules below; this admits
# them unconditionally, in both directions, for every style.  That is the
# usual ipfw boilerplate, but it is also a known filter-evasion path --
# worth revisiting if the kernel can reassemble before filtering.
allow all from any to any frag			# 14: BASIC,CLOSED,ELABINELAB

# Anti-spoofing?
# Still open (header question 1).  Without it, a packet arriving on the
# outside interface with a forged boss/ops/fs source address matches the
# "from boss,ops" rules below (e.g. the TFTP rule 61011).  The header
# assumes the real firewall catches this -- confirm.
# DNS to NS
# Rule 50 sits below the user range, so a user rule cannot shut off DNS.
allow udp from any to EMULAB_NS 53 keep-state	# 50: BASIC,CLOSED,ELABINELAB

#
# By convention, user supplied rules are in the 100-60000 range
# This allows them to override the remaining infrastructure rules.
# Note that "override" cuts both ways: ipfw is first-match, so a user
# "allow" in this range also defeats the WINDOWS deny rules at 60110/60111.
#

# Standard services for both us and firewalled nodes

# ssh from boss (for reboot, etc.)
# CLOSED admits ssh from boss only; BASIC/ELABINELAB admit it from anywhere.
allow tcp from boss to any 22 setup keep-state	# 60000: CLOSED
allow tcp from any to any 22 setup keep-state	# 60000: BASIC,ELABINELAB

# NTP to ntp servers
allow ip from any to ntp1,ntp2 123 keep-state	# 60010: BASIC,CLOSED,ELABINELAB

# syslog with ops
# Stateless and keyed on the source port: any host sending UDP from port
# 514 to ops:514 is admitted.  Fine for one-way log traffic, but it is
# not an authenticated channel.
allow udp from any 514 to ops 514		# 60020: BASIC,CLOSED

# DANGER WILL ROBINSON!!!

# portmapper (tcp or udp), mountd and NFS with fs
# NOTE(review): 60031 is the wide one -- it admits UDP from any source port
# above 700 to *every* UDP port on fs, not just mountd/NFS, and keep-state
# then passes the replies.  60032/60033 only add the cases where the source
# port is <= 700.  The ELABINELAB variants restrict the source to the
# firewall itself ("me").
allow ip from any to fs 111 keep-state		# 60030: BASIC,CLOSED
allow udp from any not 0-700 to fs keep-state	# 60031: BASIC,CLOSED
allow udp from any to fs 900 keep-state		# 60032: BASIC,CLOSED
allow udp from any to fs 2049 keep-state	# 60033: BASIC,CLOSED
allow ip from me to fs 111 keep-state		# 60030: ELABINELAB
allow udp from me not 0-700 to fs keep-state	# 60031: ELABINELAB
allow udp from me to fs 900 keep-state		# 60032: ELABINELAB
allow udp from me to fs 2049 keep-state		# 60033: ELABINELAB

# cvsup to boss
allow tcp from any to boss 5999 setup keep-state	# 60040: BASIC,CLOSED

# elvind to ops (unicast TCP and multicast UDP)
allow ip from any to ops 2917 keep-state	# 60050: BASIC,CLOSED
allow ip from me to ops 2917 keep-state		# 60050: ELABINELAB

# slothd to boss
# No keep-state: this is one-way, and anything boss sends back must match
# some other rule.
allow udp from any to boss 8509 		# 60060: BASIC,CLOSED
allow udp from me to boss 8509	 		# 60060: ELABINELAB

# Special services

# The inner boss also needs to SSLXMLRPC to real boss to start frisbeed
# for image transfer.  Note that this rule must be before other XMLRPC rule
# (blocking connections from inside).
# NOTE(review): the source is "any" with only "recv vlan0" as a constraint,
# so every inside node -- not just the inner boss -- can reach boss:3069.
# If the inner boss has a fixed address, narrowing "from any" to it would
# make the rule match the comment above.
allow tcp from any to boss 3069 recv vlan0 setup keep-state	# 60069: ELABINELAB

# HTTP/HTTPS/SSLXMLRPC into elabinelab boss from outside
# "to any" rather than a specific inner-boss address -- presumably because
# that address is not known to this template.  "in not recv vlan0" limits
# these to packets that arrived on the outside interface.
allow tcp from any to any 80,443 in not recv vlan0 setup keep-state # 60070: ELABINELAB
allow tcp from any to any 3069 in not recv vlan0 setup keep-state   # 60071: ELABINELAB

# frisbee multicast from boss
# 60080 is stateless and has no source restriction: any host may send UDP
# to the multicast address.  EMULAB_MCADDR/EMULAB_MCPORT are presumably
# expanded by rc.firewall the same way as EMULAB_NS -- confirm.
allow udp from any to EMULAB_MCADDR			# 60080: BASIC,CLOSED,ELABINELAB
allow udp from boss EMULAB_MCPORT to any EMULAB_MCPORT	# 60081: BASIC,CLOSED,ELABINELAB
allow igmp from any to any				# 60082: BASIC,CLOSED,ELABINELAB
# Ping, IPoD from boss
# should we allow all ICMP?
# NOTE(review): 60090 answers "should we allow all ICMP?" with yes, for
# every style.  The two narrower rules after it (boss -> any types 6,8 and
# any -> boss type 0) carry an empty style list, so as written they are
# presumably never selected.  Either drop them, or give them a style and
# demote 60090 if all-ICMP was not the intent.
allow icmp from any to any			# 60090: BASIC,CLOSED,ELABINELAB
allow icmp from boss to any icmptypes 6,8	# 60090: 
allow icmp from any to boss icmptypes 0		# 60091: 

# Windows
# SMB (445) with fs
# SSH (2222) into nodes
# rdesktop (3389) to nodes
# no blaster (135,4444) or slammer (1434) please!
# NOTE(review): the two deny rules are numbered 60110/60111, i.e. after the
# user range, so a user-supplied allow matches first and defeats them.
# They also sit above the final deny-all, so they only change anything for
# traffic a later rule would otherwise admit (e.g. UDP 1434 from boss/ops
# via the wide TFTP rule 61011).
allow tcp from any to fs 445 in via vlan0 setup keep-state # 60100: WINDOWS
allow tcp from any to any 2222 in not recv vlan0 setup keep-state # 60101: WINDOWS
allow tcp from any not 0-1023 to any 3389 in not recv vlan0 setup keep-state # 60102: WINDOWS
deny tcp from any to any 135,4444				  # 60110: WINDOWS
deny udp from any to any 1434					  # 60111: WINDOWS

# Boot time only services

# DHCP requests from, and replies to, inside
# requests are always broadcast, replies may be broadcast or unicast
# 61001 is stateless (no request/reply pairing), so any packet from port 67
# to port 68 arriving on the outside interface is admitted.
allow udp from any 68 to 255.255.255.255 67 recv vlan0	# 61000: BASIC,CLOSED,ELABINELAB
allow udp from any 67 to any 68 in not recv vlan0	# 61001: BASIC,CLOSED,ELABINELAB

# TFTP with boss or ops
# XXX tftpd can pick any port it wants in response to a request from any port
# so we have to open wide
# NOTE(review): 61011 is the widest stateful rule in the file: any UDP from
# an unprivileged port on boss or ops to any unprivileged port inside, not
# just TFTP transfers, and keep-state lets the inside answer.  It relies
# entirely on boss/ops being trustworthy and on their addresses not being
# spoofable from outside (see the anti-spoofing question in the header).
allow udp from any to boss,ops 69 keep-state # 61010: BASIC,CLOSED,ELABINELAB
allow udp from boss,ops not 0-1023 to any not 0-1023 keep-state #61011:  BASIC,CLOSED,ELABINELAB

# bootinfo and TMCC (udp or tcp) with boss
allow udp from any to boss 6969 keep-state	# 61020: BASIC,CLOSED,ELABINELAB
allow ip from any to boss 7777 keep-state	# 61021: BASIC,CLOSED,ELABINELAB

# nuke everything else
# this should be the default kernel setting, but just in case
deny all from any to any			# 65534: BASIC,CLOSED,ELABINELAB