- 04 Feb, 2017 1 commit
Mike Hibler authored
One addition: allow frisbee client reports through to boss/subboss.

- 11 Aug, 2016 1 commit
Mike Hibler authored
* If firewall setup fails, don't fail completely open! Instead allow full access to/from the firewall, but block all access to/from inside nodes.
* Sort the rules by rule number so that user added rules get put in the correct place.
* Fix the rules template for iptables so that user rules get inserted into an appropriate location.
* Fix a bug in the anti-spoofing rules that would prevent any access from outside to the inside nodes.

- 10 Jun, 2016 2 commits
Leigh B Stoller authored

Leigh B Stoller authored
rules. Need another approach.

- 08 Jun, 2016 1 commit
Leigh B Stoller authored

- 11 Mar, 2016 1 commit
Leigh B Stoller authored

- 03 Sep, 2014 1 commit
Leigh B Stoller authored
are getting attacked again. I need to switch them all to closed at some point.

- 02 Jun, 2014 1 commit
Leigh B Stoller authored
hosts, since we are not using a prerouting rule like we do for XEN containers. Note that I am using the dom0 rules on openvz physical hosts, but might have to split it out if I get any more special cases like this.

- 17 Apr, 2014 1 commit
Leigh B Stoller authored
than 10 connections from the same source in the last 100 seconds. Note this is just to the physical host itself, it does not affect traffic to the containers.

- 03 Apr, 2014 1 commit
Leigh B Stoller authored
to allow ssh from ops.emulab.net.

- 31 Mar, 2014 2 commits
Leigh B Stoller authored
names.

Leigh B Stoller authored
aliases on the virtual node network. Allows these through too.

- 26 Mar, 2014 2 commits
Leigh B Stoller authored
containers.

Leigh B Stoller authored

- 19 Mar, 2014 1 commit
Mike Hibler authored
Firewall needed to be taught about the vnode control net (172.16.0.0). Basic stuff works now. Haven't tested everything.

Unrelated to this commit, the Linux firewall seems to be broken. No traffic flows between the inside and outside even in an "open" configuration. Needs investigation.

- 26 Feb, 2014 1 commit
Mike Hibler authored

- 24 Sep, 2012 1 commit
Eric Eide authored
This commit is intended to make the license status of Emulab and ProtoGENI source files more clear. It replaces license symbols like "EMULAB-COPYRIGHT" and "GENIPUBLIC-COPYRIGHT" with {{{ }}}-delimited blocks that contain actual license statements.

This change was driven by the fact that today, most people acquire and track Emulab and ProtoGENI sources via git. Before the Emulab source code was kept in git, the Flux Research Group at the University of Utah would roll distributions by making tar files. As part of that process, the Flux Group would replace the license symbols in the source files with actual license statements. When the Flux Group moved to git, people outside of the group started to see the source files with the "unexpanded" symbols. This meant that people acquired source files without actual license statements in them. All the relevant files had Utah *copyright* statements in them, but without the expanded *license* statements, the licensing status of the source files was unclear. This commit is intended to clear up that confusion.

Most Utah-copyrighted files in the Emulab source tree are distributed under the terms of the Affero GNU General Public License, version 3 (AGPLv3). Most Utah-copyrighted files related to ProtoGENI are distributed under the terms of the GENI Public License, which is a BSD-like open-source license. Some Utah-copyrighted files in the Emulab source tree are distributed under the terms of the GNU Lesser General Public License, version 2.1 (LGPL).

- 03 Feb, 2012 1 commit
Ryan Jackson authored

- 26 Jan, 2012 1 commit
Ryan Jackson authored

- 20 Jan, 2012 4 commits
Ryan Jackson authored

Ryan Jackson authored

Ryan Jackson authored
Since the default FORWARD policy is to DROP, only send packets to the INSIDE chain if: A) they come in on the vlan interface and B) they have src IPs in the control net (or broadcast IP). Packets that match the first but not the second will fall through and be dropped.

Ryan Jackson authored

- 19 Jan, 2012 1 commit
Ryan Jackson authored

- 12 Jan, 2012 1 commit
Ryan Jackson authored
Made the following changes to the clientside code to support Linux firewalls:
- Made os_fwconfig_line() actually do something.
- getfwconfig() adds an 'IPS' hash to the fwinfo hash. This contains the IP address for each host, much like how the 'MACS' hash contains the MAC address for each host. This is needed because ebtables (which is needed for ARP proxying) doesn't resolve hostnames.

Rules are stored in firewall/iptables-fw-rules. Syntax is similar to fw-rules, but without the rule number (since iptables doesn't use rule numbers). These should be equivalent to our ipfw-based rules, but I haven't tested every case yet to confirm this. I'm sure some changes will be necessary.

- 21 Nov, 2011 1 commit
Mike Hibler authored
Basically, only myboss needs to talk to the outside after the initial setup (which is done with the firewall open).

- 15 Nov, 2011 1 commit
Mike Hibler authored
Firewalls now work with nodes which require a subboss. Had to introduce new firewall rules which skipped around the checks that no packets to/from node control net IPs should pass through the firewall, if the IP in question belongs to a subboss (since subboss is on the node control network). It actually checks for all Emulab servers (boss, ops, fs or any subboss), so the code should work for an Emulab install which has a non-segmented control network in which all servers were in the same subnet as the nodes.

In addition to the new rules, we also had to pass in additional information via "tmcc firewallinfo" giving the IP/MAC of those server nodes that are on the node control network. We use this to establish ARP entries on the inside network so that nodes can find the servers. Since the existing client-side firewall code in libsetup.pm would blow up if it got a line that it didn't recognize, I had to bump the tmcd version number and add some conditional code to tmcd.c:dofwinfo() to not return the extra info for old versions.

Added a couple of new firewall variables EMULAB_BOSSES and EMULAB_SERVERS that are used in the new rules. Fixed the support scripts in firewall/ to properly initialize these variables.

IMPORTANT: tmcd looks up boss, ops, fs, and subbosses in the interfaces table to find their IPs and MAC addresses. By default, we do not create such interface table entries for boss/ops/fs. We have them at Utah for other reasons. These entries are only needed if you have a non-segmented control network (or a subboss) and you want to firewall such nodes. The script to initialize the firewall variables (initfwvars.pl) will print out a warning for configurations that are affected and don't have the entries.

- 03 Nov, 2011 1 commit
Mike Hibler authored
More tweaks for frisbee. Allow TCP-based NFS.

- 02 Nov, 2011 1 commit
Mike Hibler authored
Support for frisbee master server and subbosses. The latter is untested.

- 07 Jul, 2009 1 commit
Mike Hibler authored

- 15 Apr, 2008 1 commit
Mike Hibler authored

- 20 Feb, 2008 1 commit
Mike Hibler authored
way forward for my life.

- 14 Dec, 2006 1 commit
Mike Hibler authored

- 01 Dec, 2006 1 commit
Mike Hibler authored

- 13 Feb, 2006 1 commit
Mike Hibler authored

- 07 Feb, 2006 2 commits
Mike Hibler authored
as well as a little more secure. Haven't done much testing beyond making sure all configs boot and work in normal mode, and did a couple of port scans in and out. Need to try some arp spoofing to make sure that doesn't work.

Mike Hibler authored

- 06 Feb, 2006 1 commit
Mike Hibler authored

- 03 Feb, 2006 1 commit
Mike Hibler authored
especially w.r.t. ARP handling.

- 01 Feb, 2006 1 commit
Mike Hibler authored
Work in progress, just want to snapshot it before I do something stupid, like accidentally delete it.