Commit 53ed072d authored by Robert Ricci

Added extensive notes in implementation of plans

parent acba6e78
......@@ -13,6 +13,8 @@ Plans for the control switch VLANs, and description of which traffic should
***** What to allow
NOTE: ICMP gets to go from anywhere to anywhere
1) External <-> Private
ssh for logging in
http web server
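Review bot: The new NOTE line grants ICMP from anywhere to anywhere, and the ACLs added further down in this file implement it literally (`permit icmp from anywhere to anywhere` in both the private and public ACLs). It would help to document which ICMP types the testbed actually needs (echo and echo-reply for ping, unreachable and time-exceeded for path MTU discovery and traceroute) so the ACLs can be narrowed later; Cisco extended ACLs accept per-type entries such as `permit icmp any any echo-reply`, so the blanket permit is not the only option.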
......@@ -60,3 +62,75 @@ Plans for the control switch VLANs, and description of which traffic should
plastic:/q/tftpboot/proj from netdisk
high ports talk to user proxies on plastic
snmp get machine information
***** Implemenation notes:
In practice, we don't get to enter the router configuration in the above
manner. What I've tried to do, then, put fairly restrictive ACLs on the private
and public VLANs, to prevent nastiness from coming in from ANYWHERE. The
control VLAN gets few restrictions (just prevents any non-155.99.132s from
getting out)- the restrictions preventing it from using low ports to the
outside world are done on the external VLAN.
Note that most rules have to be entered symmetrically, like:
permit tcp any to any on port 22
permit tcp any on port 22 to any
This annoyance is exacerbated by the fact than many protocols have to be done
twice, once for udp, and once for tcp. This is ignored in the rules below
Also note that, due to Cisco's funky syntax, to match 155.101.128/20, we enter
155.101.128.0 0.0.15.255
And to match 155.101.132/22, it's
155.101.132.0 0.0.0.3.255
One more note: It may be possible to reduce the number of rules due to the fact
that I was learning about the process as I was doing it....
private ACL:
permit port 22 (ssh) from anywhere to anywhere
permit port 80 (http) from anywhere to anywhere
permit port 443 (https) from anywhere to anywhere
permit port 53 (domains) from anywhere to anywhere
permit port 25 (smtp) from anywhere to anywhere
permit port 123 (ntp) anywhere to anywhere
permit port 69 (tftp) from 155.101.128/24 to 155.101.128/20
permit port 6969 (bootinfo) from 155.101.128/24 to 155.101.128/20
permit port 7777 (tmcd) from 155.101.128/24 to 155.101.128/20
permit NFS ports from 155.101.128/24 to 155.101.128/20
permit NFS ports from 155.101.128/20 to 155.101.128/24
permit icmp from anywhere to anywhere
permit port 67 (bootps) to 155.101.128/24 from 155.101.128/20
permit port 68 (bootpc) to 155.101.128/20 from 155.101.128/24
permit all outgoing UDP packets from 155.101.128/24 (needed for tftp)
deny everything else
public ACL:
permit port 22 (ssh) from anywhere to anywhere
permit port 161 (snmp) from anywhere to anywhere
permit port 25 (smtp) from 155.101.129/24 to anywhere
permit port 123 (ntp) anywhere to anywhere
permit port 53 (domains) from anywhere to anywhere
permit NFS ports from 155.101.129/24 to 155.101.128/20
permit NFS ports from 155.101.128/20 to 155.101.129/24
permit icmp from anywhere to anywhere
permit all tcp ports > 1024 from anywhere to anywhere
permit all udp ports > 1024 from anywhere to anywhere
deny everything else
control ACL: (just prevent IP spoofing)
permit icmp from 155.101.132/22 to any
permit icmp froma any to 155.101.132/22
permit tcp from 155.101.132/22 to any
permit tcp form any to 155.101.132/22
permit udp from 155.101.132/22 to any
permit udp form any to 155.101.132/22
deny everything else
external ACL: (just prevent testbed machines from using low ports, except ssh)
permit port 22 (ssh) from anywhere to anywhere
permit port 161 (snmp) from anywhere to anywhere
deny all tcp ports < 1024 from 155.101.132/22 to any
***** Misc. notes:
NFS needs ports 2049 (nfsd), 4045 (lockd), and 111 (surpc)
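Review bot: The wildcard mask written for 155.101.132/22 has five octets: `155.101.132.0 0.0.0.3.255` is not a valid address/mask pair and will be rejected (or silently mistyped) when entered. The /22 wildcard is `0.0.3.255`, consistent with the `0.0.15.255` shown for /20 two lines earlier; this matters because every entry in the control and external ACLs matches 155.101.132/22. Two smaller points: for TCP, the symmetric rule pairs described under "most rules have to be entered symmetrically" can be collapsed by using the `established` keyword on the reply direction (e.g. `permit tcp any any established`), which admits return traffic for connections opened from the inside without enumerating each service port twice and reduces how much of "permit all tcp ports > 1024 from anywhere to anywhere" is needed purely for replies; and in the Misc. notes, port 111 is sunrpc (the portmapper), not "surpc". Spelling nits in the same hunk: "Implemenation", "froma", and "form" (twice, for "from").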