Commit 19c93075 authored by Mike Hibler


parent 3ce5f792
......@@ -38,6 +38,12 @@ infrastructure or Internet hosts in general) must pass through the firewall
node. The firewall is setup as a filtering layer2 bridge using IPFW2
on FreeBSD and can be configured in a number
of ways to block or allow certain types of traffic.
When a firewalled experiment is swapped in, the firewall is setup and
activated before any experiment nodes are allowed to setup.
When a firewalled experiment is swapped out, extra precautions are taken
to ensure that the nodes are decontaminated before the firewall is taken
<a NAME="Use"></a><h2>Use</h2>
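Review bot: the new swap-out sentence reads as cut off at "before the firewall is taken" and runs straight into the `<a NAME="Use"></a><h2>Use</h2>` heading; please confirm the sentence is complete (presumably "taken down.") and separated from the heading by a paragraph break. The added text also promises that "extra precautions are taken to ensure that the nodes are decontaminated" without saying what those precautions are or linking to where they are described; a short parenthetical or a cross-reference would help a reader decide whether the isolation guarantee is strong enough for their experiment.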
......@@ -57,6 +63,7 @@ and should not be used.
In the future, there may be additional types for different firewall
implementations (e.g., Linux with ipchains).
The "style" of the firewall is one of:
<a NAME="Styles"></a>
<li><code>open</code>: A completely open firewall allowing all traffic.
This gives you a hook for setting up custom firewall rules (below).
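Review bot: the new `<a NAME="Styles"></a>` anchor lands between the sentence 'The "style" of the firewall is one of:' and the first `<li>`; if the enclosing list element opens before that `<li>`, a bare `<a>` inside the list is invalid markup. Moving the anchor in front of the introducing sentence keeps the markup valid and makes the link target (used by the new security.html links to `firewall.html#Styles`) include the sentence that explains what the list is.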
......@@ -13,7 +13,7 @@
<li> <a href="#Use">Use</a>
<li> <a href="#Limitations">Current Limitations</a>
<li> <a href="#KnownBugs">Known Bugs</a>
<li> <a href="#Example">A Complete Example</a>
<li> <a href="#Examples">A Couple of Examples</a>
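Review bot: renaming the table-of-contents target from `#Example` to `#Examples` only stays consistent if every other link to this page's `#Example` anchor is updated too; the matching `<a NAME>` change further down covers this file, but please grep the rest of the docs for `security.html#Example`. Note that `firewall.html#Example` (linked from the new examples text) is a different file and is unaffected.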
......@@ -49,13 +49,112 @@ without sacrificing the features that make Emulab so easy to use.
<a NAME="Use"></a><h2>Use</h2>
In your ns file you can specify a <emph>security level</emph> at which an
experiment should be run. Security levels are specified as colors
(oh, now that is real original!)
with the <code>tb-set-security-level</code> command. Eventually, the
colors will provide different styles of firewalls, potentially in combination
with a per-experiment Emulab environment, to provide increasing levels of
However, currently the colors are only an implicit way of allocating a
firewall of a particular type. Since the firewall is implicitly specified,
there is no way to add additional rules. The current color mappings are:
The default for all experiments. No firewall is allocated.
Hence all nodes are still on the shared control network.
An <a href="docwrapper.php3?docname=firewall.html#Styles">open style</a>
firewall is allocated. This is largely worthless since you cannot add
any rules to the firewall. However, you can use it to gage the performance
impact of placing a firewall node between you experiment and the outside
A <a href="docwrapper.php3?docname=firewall.html#Styles">basic style</a>
firewall is allocated.
A <a href="docwrapper.php3?docname=firewall.html#Styles">closed style</a>
firewall is allocated.
Not currently implemented. This will eventually be an experiment for which
the control network has been completely disabled. The only outside access
allowed will be via the serial console line.
You can explicitly combine a per-experiment Emulab with an "Orange" experiment
to get the highest level of protection we currently offer. It further
restricts access from the experiment to the "real" Emulab infrastructure
(e.g., no NFS allowed to the real "fs" node).
<emph>Please note that this configuration currently takes about 30 minutes
to setup, regardless of the size of the experiment!</emph>
<a NAME="Limitations"></a><h2>Limitations</h2>
See <a href="docwrapper.php3?docname=firewall.html#Limitations">
the firewall Limitations section</a>.
<a NAME="KnownBugs"></a><h2>Known Bugs</h2>
See <a href="docwrapper.php3?docname=firewall.html#KnownBugs">
the firewall Known Bugs section</a>.
<a NAME="Example"></a><h2>A Complete Example</h2>
<a NAME="Examples"></a><h2>A Couple of Examples</h2>
source tb_compat.tcl
set ns [new Simulator]
tb-set-security-level Yellow
set n1 [$ns node]
tb-set-node-os $n1 FBSD-STD
set n2 [$ns node]
tb-set-node-os $n2 RHL-STD
set link [$ns duplex-link $n1 $n2 100Mb 0ms DropTail]
$ns run
is nearly equivalent to
<a href="docwrapper.php3?docname=firewall.html#Example">
the firewall example</a> except that there are no additional firewall
rules to allow <code>traceroute</code>.
To setup a high-security prison for running a
<a href="docname=windows_in_emulab_user.html">Windows XP experiment</a>
you could do:
source tb_compat.tcl
set ns [new Simulator]
tb-elab-in-elab 1
tb-set-security-level Orange
tb-set-inner-elab-eid winxpnodes
$ns run
This will setup a firewalled, experiment-private Emulab in which the
pre-existing <code>winxpnodes</code> experiment will be instantiated.
Here <code>winxpnodes</code> might look like:
# Windows XP experiment.
source tb_compat.tcl
set ns [new Simulator]
set win1 [$ns node]
tb-set-node-os $win1 WINXP-02-11
tb-set-hardware $win1 pc850
set win2 [$ns node]
tb-set-node-os $win2 WINXP-02-11
tb-set-hardware $win2 pc850
set lan [$ns make-lan "$win1 $win2" 100Mb 0ms]
$ns run
See the <a href="elabinelab.php3">''Emulab in Emulab''</a> section for
more details.
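Review bot: the Windows XP link `<a href="docname=windows_in_emulab_user.html">` is missing the `docwrapper.php3?` prefix that every other link in this hunk uses (`docwrapper.php3?docname=firewall.html#Styles`, `docwrapper.php3?docname=firewall.html#Limitations`, and so on), so it will resolve to a nonexistent relative URL; change it to `<a href="docwrapper.php3?docname=windows_in_emulab_user.html">`. Smaller points: `<emph>` is not an HTML element, use `<em>`; "gage the performance impact ... between you experiment" should read "gauge the performance impact ... between your experiment"; and the sentence "to provide increasing levels of" appears truncated before "However, currently the colors are only ...". Since the color-mapping text says an implicitly allocated firewall cannot take additional rules, it would also help to state explicitly that the "Yellow" example below therefore does not admit `traceroute` rather than leaving the reader to infer it from "nearly equivalent".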