boss.tmpl 4.7 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11
# Setup lo0
add pass all from any to any via lo0
add deny all from any to 127.0.0.0/8
add deny ip from 127.0.0.0/8 to any
# We do not do ipv6
add deny all from any to ::1
add deny all from ::1 to any

# Natd is optional
%natdrules%

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67
# Match existing dynamic rules early
add check-state

# Allow established connections.
add pass tcp from any to any established

# Allow anything out. This subsumes some of the rules below. 
add pass tcp from me to any setup
add pass udp from me to any keep-state

# Allow ssh traffic from anywhere
add pass tcp from any to any 22 setup

# Allow web traffic (http and https)
add pass tcp from any to me 80 setup
add pass tcp from any to me 443 setup

# Allow NTP traffic
add pass udp from any to any ntp keep-state

# Allow DNS queries.
add pass tcp from any to me 53 setup
add pass udp from any to any 53 keep-state

# Old elvind. Can we get rid of this now?
add pass udp from %alltestbed% to me 2917 keep-state
add pass udp from %jailnetwork%  to me 2917 keep-state

# Allow tmcd in, The 8/9 ports are for testing.
add pass udp from any to me 7777 keep-state
add pass tcp from any to me 7777 setup
add pass tcp from any to me 7778 setup
add pass tcp from any to me 7779 setup
add pass tcp from any to me 14447 setup

# Pubsub but only from the local node.
add pass tcp from me to me 16505 setup

# Allow tftp in, but only from emulab networks
# XXX - This is bad, because tftp can open up any UDP port it wants,
# so we have to let trough a whole lot more ports than I'd like.
add pass udp from %alltestbed% to me 69 keep-state
add pass udp from %jailnetwork%  to me 69 keep-state
add pass udp from %alltestbed% 1024-65535 to me 1024-65535 keep-state
add pass udp from %jailnetwork%  1024-65535 to me 1024-65535 keep-state

# For capserver from the control network.
add pass tcp from %publicnetwork% to me 855 setup
add pass tcp from %publicnetwork% 1024-65535 to me 1024-65535 setup
add pass tcp from me 1024-65535 to %publicnetwork% setup

# Allow dhcp/bootp in - we have to allow any source and dst address
add pass udp from any to any bootps keep-state

# Syslog. I thought all syslog went to ops?
add pass udp from %alltestbed% to me syslog keep-state
Leigh Stoller's avatar
Leigh Stoller committed
68
add pass udp from %jailnetwork% to me syslog keep-state
69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149

# Allow NFS mounts to ops
#
# These few for lockd.
add pass udp from me to ops 111 keep-state
add pass udp from me to ops 4045 keep-state
add pass udp from me to ops 2049-65535 keep-state

# Allow IP fragments through due to the default 8k read/write size
add pass ip from ops to me frag
add pass ip from me to ops frag

# WARNING: This is in the router control set, and allows all udp ports.
# No idea why, there is no comment explaining.
#add pass udp from %alltestbed% to me keep-state

# Lockd again
add pass tcp from me to ops 111 setup
add pass tcp from me to ops 4045 setup
add pass tcp from me to ops 2049 setup

# Kirk has helpfully hardwired mountd to these ports on ops
add pass tcp from me to ops 900 setup
add pass udp from me to ops 900 keep-state

# Allow connections to our XMLRPC SSL server
add pass tcp from any to me 3069 setup

# Bootwhat (bootinfo)
add pass tcp from %alltestbed% to me 6969 setup
add pass tcp from %jailnetwork%  to me 6969 setup
# Outgoing bootinfosend
add pass udp from me 6970 to any 9696 keep-state

# What are these?
#add pass tcp from %alltestbed% to me 6958 setup
#add pass tcp from %jailnetwork%  to me 6958 setup
#add pass tcp from %alltestbed% to me 6999 setup
#add pass tcp from %jailnetwork%  to me 6999 setup

# Allow ping. Well, all icmp. Problem? ipod/apod is an icmp packet (6,6).
add pass icmp from any to any

# Need this for X11 over ssh.
add pass tcp from me to me 6010 setup

# Multicast.
add pass igmp from %multicast% to any
add pass igmp from me to any
# What is this? I see it in my elabinelab from the router.
add pass pim  from %multicast% to any
add pass udp  from any to 224.0.0.0/4 1025-65535 
add pass udp  from me to 224.0.0.0/4

# Frisbee master server (Mike).
add pass tcp from %alltestbed% to me 64494 setup
add pass tcp from %jailnetwork%  to me 64494 setup
# and allow a range for the mserver based uploader
add pass tcp from %controlnetwork% to me 21700-21799 setup
add pass tcp from %jailnetwork%  to me 21700-21799 setup

# Slothd (Kirk)
add pass tcp from %alltestbed% to me 8509 setup
add pass tcp from %jailnetwork%  to me 8509 setup
add pass udp from %alltestbed% to me 8509 keep-state
add pass udp from %jailnetwork%  to me 8509 keep-state

# ssh (tcp?) port proxying (Gary)
add pass tcp from me 4127 to me 4127 setup
add pass tcp from ops to me 4128 setup

# Flash authentication service (Jon)
add pass tcp from any to me 843 setup

# ProtoGENI XMLRPC service (Leigh)
add pass tcp from any to me 12369 setup

%localrules% boss

# Deny everything else
add deny log ip from any to any