#
# EMULAB-COPYRIGHT
# Copyright (c) 2005-2011 University of Utah and the Flux Group.
# All rights reserved.
#

#
# Firewall rule template.
#
# The bulk of each line is the body of an IPFW rule; a '#'-denoted "comment"
# at the end of the line gives the rule number to use, a comma-separated
# list of styles to which the rule applies, and an optional "+" qualifier
# naming the types of firewalled nodes to which the rule should apply
# (e.g. "# 82: CLOSED,ELABINELAB+SAMENET").
#
# Styles:
#
#	OPEN		allows everything
#	CLOSED   	allows only Emulab infrastructure services
#	BASIC		CLOSED + ssh from anywhere
#	ELABINELAB	Elab-in-elab, eliminates many Emulab services
#
# Qualifiers:
#
#	WINDOWS		For nodes running some variant of Windows
#	SAMENET		For nodes that are on the same subnet as any
#			"control" host (boss, subbosses, ops, fs).
#
# Note that currently the qualifiers are NOT implemented. Rules carrying a
# qualifier are applied unconditionally to every style they list; e.g. the
# BASIC+WINDOWS rules (60056-60059) below are applied to all BASIC firewalls,
# not only to those in front of Windows nodes.
#
# Variables expanded by the rc.firewall script that can be used here:
#
#	EMULAB_GWIP	IP address of gateway
#	EMULAB_NS	IP address of name server
#	EMULAB_CNET	Node control network in CIDR notation
#	EMULAB_MCADDR	Multicast address range used by frisbee
#	EMULAB_MCPORT	Port range used by frisbee
#	EMULAB_BOSSES	Comma separated list of subbosses (including "boss"),
#			used for services that subbosses provide
#			(dhcp/tftp/frisbee).
#	EMULAB_SERVERS	Comma separated list of all servers
#			(EMULAB_BOSSES + "ops" + "fs")
#
# Currently these are sufficient for rules we use.  Note that you can
# safely use symbolic hostnames "boss", "ops", "fs", "users", "ntp1"
# and "ntp2" as they are all guaranteed to resolve, either via the local
# hosts file or via DNS (assuming the firewall is not yet up or allows
# DNS traffic, which it should at that point in time).
#
# For an Emulab in Emulab setup, the names "myboss", "myops" and "myfs"
# are also valid for naming the respective inner servers.
#
# There are a few idioms that can be used in rules.  These are dependent
# on the exact configuration of the bridge and firewall, so be careful
# (see NOTES for details on the implementation and implications):
#
# "layer2"
#	A packet passing through the bridge.
# "not layer2"
#	A packet from or to the firewall itself.
# "in via vlan0"
#	Coming from the inside network.
# "in not via vlan0"
#	Coming from the outside network.
# "out"
#	Outbound from the firewall.
# "layer2 ... in via vlan0"
#	Traveling from inside to outside through the bridge.
# "layer2 ... in not via vlan0"
#	Traveling from outside to inside through the bridge.
# "from me to any out via vlan0"
#	IP traffic from firewall to the inside network.
# "from me to any out not via vlan0"
#	IP traffic from firewall to the outside network.
# "from any to me in via vlan0"
#	IP traffic to the firewall from inside.
# "from any to me in not via vlan0"
#	IP traffic to the firewall from outside.
#
# Questions, comments and warnings (refer to the NOTES file for more):
#
# 1. The rules use stateful checking via dynamic rules.  In addition to
#    being subject to DoS attacks, they can wreak havoc if the firewall
#    reboots.  In the case of the latter, all your TCP connections will
#    be toast.  Despite this, dynamic rules allow us to be a little more
#    constraining on what we allow through.
#
# 2. How much should we protect the firewall itself?  We disallow all
#    access from inside.  From outside, we treat the firewall pretty much
#    like a firewalled node, except that we always allow infrastructure
#    services (e.g. NFS).
#
# 3. Watch out for VLAN tagged packets.  We don't want to process them
#    when they come in off the phys interface, we want to process them
#    when they have been untagged.
#

##
## COMMON RULES (2-9)
## These rules apply to all packets
##

#
# Match existing dynamic rules very early
#
check-state					# 4: BASIC,CLOSED,ELABINELAB

#
# Anything that traverses the bridge will appear as layer2.
# Skip the firewall-specific rules for this common case.
#
skipto 80 all from any to any layer2 in		# 9: BASIC,CLOSED,ELABINELAB

##
## FIREWALL SPECIFIC RULES (10-79)
## These rules are for IP packets only.
##

#
# Nobody on the inside can talk to the firewall.
# Prevents anyone spoofing "me", "boss", "ops", etc.
#
deny all from any to me in via vlan0		# 10: BASIC,CLOSED,ELABINELAB

# Can talk to myself.  Does this do anything?
# This appears to be used by elvind?
allow all from me to me				# 11: BASIC,CLOSED,ELABINELAB

#
# XXX early on in Emulab setup boss will ssh in and insert a rule at the
# beginning to allow all traffic.  Later we ssh in again to remove that rule.
# In order for the latter ssh command to complete, we have to make sure that
# an established connection to boss continues to work.
#
allow tcp from me 22 to boss established	# 15: ELABINELAB
allow tcp from boss to me 22 established	# 16: ELABINELAB

# Standard services

# DNS to NS
allow udp from me to EMULAB_NS 53 keep-state	# 20: BASIC,CLOSED,ELABINELAB

# ssh from boss (for reboot, etc.) and others if appropriate
allow tcp from boss to me 22 setup keep-state	# 22: CLOSED,ELABINELAB
allow tcp from any to me 22 setup keep-state	# 22: BASIC

# NTP to ntp servers
allow ip from me to ntp1,ntp2 123 keep-state	# 24: BASIC,CLOSED,ELABINELAB

# syslog with ops
allow udp from me 514 to ops 514		# 26: BASIC,CLOSED,ELABINELAB

#
# NFS
# DANGER WILL ROBINSON!!!
# Portmapper (tcp or udp), mountd and NFS (tcp or udp) with fs
#
# Note that we have to allow IP fragments through due to the default
# 8k read/write size.  Perhaps we should dial down the read/write size for
# firewalled experiments.
#
allow ip from me to fs 111 keep-state		# 30: BASIC,CLOSED,ELABINELAB
allow ip from me not 0-700 to fs keep-state	# 31: BASIC,CLOSED,ELABINELAB
allow ip from me to fs 900 keep-state		# 32: BASIC,CLOSED,ELABINELAB
allow ip from me to fs 2049 keep-state		# 33: BASIC,CLOSED,ELABINELAB
allow ip from me to fs frag			# 34: BASIC,CLOSED,ELABINELAB
allow ip from fs to me frag			# 35: BASIC,CLOSED,ELABINELAB

# Special services

# cvsup to boss
allow tcp from me to boss 5999 setup keep-state	# 36: BASIC,CLOSED,ELABINELAB

# elvind to ops (unicast TCP and multicast UDP)
allow ip from me to ops 2917 keep-state		# 38: BASIC,CLOSED,ELABINELAB

# slothd to boss
allow udp from me to boss 8509 			# 40: BASIC,CLOSED,ELABINELAB

# we need to remain engaged in the multicast protocol
# XXX maybe not needed after all
#allow igmp from any to any			# 48: BASIC,CLOSED,ELABINELAB
#allow pim from EMULAB_GWIP to any		# 49: BASIC,CLOSED,ELABINELAB

# Ping, IPoD from boss
allow icmp from boss to me icmptypes 6,8	# 50: BASIC,CLOSED,ELABINELAB
allow icmp from me to boss icmptypes 0		# 51: BASIC,CLOSED,ELABINELAB

#
# Boot time only services (DHCP, TFTP, bootinfo, TMCC).
#
# Technically, we don't have to allow these since they will
# happen before the firewall is up.  We allow TMCC for debugging.
#
allow ip from me to boss 7777 keep-state	# 70: BASIC,CLOSED,ELABINELAB

# nuke everything else
# this should be the default kernel setting, but just in case
deny all from any to any			# 79: BASIC,CLOSED,ELABINELAB


##
## BRIDGE SPECIFIC RULES (80-99 cannot be changed by user, 100 and higher can).
## These rules are for packets passing through the bridge.
##

#
# Disallow non-IP traffic.
#
# In particular, this prevents ARP.
#
deny not mac-type ip				# 80: BASIC,CLOSED,ELABINELAB

#
# No one on the inside can talk to other experiments' nodes and vice versa.
#
# XXX currently we only do this for the heavier weight firewalls because
# the user cannot override this.
#
# Note that this does not apply to nodes within this experiment because
# those packets never come to the firewall.
#
# Note also that EMULAB_CNET is only the "node control net" and does not
# include the public/private nets for boss, ops, etc.
#
# XXX yuk!  The gateway *is* part of EMULAB_CNET, and assorted packets do
# come from it:
#  * IGMP and PIM traffic
#  * DHCP replies from boss appear to have come from the gateway
#    (due to the helper function).
# so for now we allow any IP traffic from the gateway.
#
allow ip from EMULAB_GWIP to any in not via vlan0	# 81: CLOSED,ELABINELAB

#
# XXX yuk 2!  In a non-segmented control network or in a configuration with
# subbosses, some or all of the server machines will be a part of "the node
# control net" so we cannot unconditionally block all traffic to/from outside
# control net addresses. Here we allow through all traffic involving the known
# servers and let later rules further limit it.
#
skipto 90 ip from EMULAB_SERVERS to any in not via vlan0 # 82: CLOSED,ELABINELAB+SAMENET
skipto 90 ip from any to EMULAB_SERVERS in via vlan0	 # 83: CLOSED,ELABINELAB+SAMENET

#
# Otherwise, nodes inside/outside of the firewall cannot talk to each other. 
#
deny ip from any to EMULAB_CNET in via vlan0		# 84: CLOSED,ELABINELAB
deny ip from EMULAB_CNET to any in not via vlan0	# 85: CLOSED,ELABINELAB

#
# Inside nodes cannot spoof other IP addresses.
#
# Beyond this rule we no longer have to check to make sure that source
# hosts like "boss" and "ops" come in the correct interface.
#
deny ip from not 0.0.0.0,255.255.255.255,EMULAB_CNET to any in via vlan0 # 90: BASIC,CLOSED,ELABINELAB

#
# By convention, user-supplied rules are in the 100-60000 range.
# Since ipfw evaluates rules in numeric order, this lets them override the
# remaining (60000+) infrastructure rules below.
#

#
# Standard services.
#
# Note that for many of these, the ELABINELAB configuration restricts
# the operations to be with only the inner boss/ops/fs (as appropriate)
# and NOT with the inner nodes. Note also that the firewall is open while
# the inner servers are being setup (rc.mkelab) so we don't need to allow
# as many services to them; only services that are needed while the elab
# is operational need be allowed.
#

# DNS to NS
# Note: elabinelab myops/myfs use myboss for NS
allow udp from any to EMULAB_NS 53 keep-state			# 60020: BASIC,CLOSED
allow udp from myboss to EMULAB_NS 53 keep-state		# 60020: ELABINELAB

# ssh from boss (for reboot, etc.) and others if appropriate
allow tcp from boss to any 22 setup keep-state			# 60022: CLOSED
allow tcp from boss to myboss,myops,myfs 22 setup keep-state	# 60022: ELABINELAB
allow tcp from any to any 22 in not via vlan0 setup keep-state	# 60022: BASIC

# NTP to ntp servers
# Note: elabinelab myops/myfs use myboss for NTP
allow ip from any to ntp1,ntp2 123 keep-state			# 60024: BASIC,CLOSED
allow ip from myboss to ntp1,ntp2 123 keep-state		# 60024: ELABINELAB

# syslog with ops
allow udp from any 514 to ops 514		# 60026: BASIC,CLOSED

#
# NFS
# DANGER WILL ROBINSON!!!
# Portmapper (tcp or udp), mountd and NFS (tcp or udp) with fs
#
# Note that we have to allow IP fragments through due to the default
# 8k read/write size.  Perhaps we should dial down the read/write size for
# firewalled experiments.
#
allow ip from any to fs 111 keep-state		# 60030: BASIC,CLOSED
allow ip from any not 0-700 to fs keep-state	# 60031: BASIC,CLOSED
allow ip from any to fs 900 keep-state		# 60032: BASIC,CLOSED
allow ip from any to fs 2049 keep-state		# 60033: BASIC,CLOSED
allow ip from any to fs frag			# 60034: BASIC,CLOSED
allow ip from fs to any frag			# 60035: BASIC,CLOSED

# Special services

# cvsup to boss
allow tcp from any to boss 5999 setup keep-state # 60036: BASIC,CLOSED

# elvind or pubsubd to ops (unicast TCP and multicast UDP)
allow ip from any to ops 2917 keep-state	# 60038: BASIC,CLOSED
allow ip from any to ops 16505 keep-state	# 60039: BASIC,CLOSED

# slothd to boss
allow udp from any to boss 8509 		# 60040: BASIC,CLOSED

# The inner boss also needs to SSLXMLRPC to real boss to start frisbeed
# for image transfer.  Note that this rule must come before the other XMLRPC
# rule (60044, which blocks connections from inside).
allow tcp from myboss to boss 3069 recv vlan0 setup keep-state	# 60042: ELABINELAB

# HTTP/HTTPS/SSLXMLRPC into elabinelab boss from outside
allow tcp from any to myboss 80,443 in not recv vlan0 setup keep-state # 60043: ELABINELAB
allow tcp from any to myboss 3069 in not recv vlan0 setup keep-state   # 60044: ELABINELAB

#
# Frisbee master server from boss
# elabinelab: boss to myboss
#
allow tcp from any to EMULAB_BOSSES 64494 in via vlan0 setup keep-state	# 60045: BASIC,CLOSED
allow tcp from myboss to EMULAB_BOSSES 64494 in via vlan0 setup keep-state # 60045: ELABINELAB

#
# Frisbee multicast with boss
#  * nodes mcast everything to boss (joins, leaves and requests): 60046
#  * boss mcasts blocks to same mcaddr/port: 60047
#  * boss unicasts join replies to same port: 60048
#  * node and switch need to IGMP: 60049
#
# Elabinelab should only do this to download an image from real boss to
# the inner boss.  Re-imaging anything else from outside would be a disaster.
# But note that the image is still mcast, so we cannot really differentiate
# in 60047.
#
# NOTE: the unicast join replies (60048) make our life miserable. We cannot
# use a keep-state rule because the request was multicast and not directed to
# boss. Thus we have to open up a wide range of ports from boss for the reply.
# To make matters worse, this wide range potentially overlaps with rule 60067
# which allows TFTP traffic. Since the latter requires bi-directional traffic,
# we DO need to specify keep-state on this rule. If we ever start mcasting
# join replies, we could get rid of rule 60048 (which is why it is split out
# from 60047).
#
allow udp from any to EMULAB_MCADDR EMULAB_MCPORT in via vlan0		   # 60046: BASIC,CLOSED
allow udp from EMULAB_BOSSES EMULAB_MCPORT to EMULAB_MCADDR EMULAB_MCPORT  # 60047: BASIC,CLOSED,ELABINELAB
allow udp from EMULAB_BOSSES EMULAB_MCPORT to any EMULAB_MCPORT keep-state # 60048: BASIC,CLOSED
allow udp from myboss to EMULAB_MCADDR EMULAB_MCPORT in via vlan0	   # 60046: ELABINELAB
allow udp from EMULAB_BOSSES EMULAB_MCPORT to myboss EMULAB_MCPORT keep-state # 60048: ELABINELAB
allow igmp from any to any						   # 60049: BASIC,CLOSED,ELABINELAB

# Ping, IPoD from boss
# should we allow all ICMP in general?
allow icmp from any to any			# 60050: BASIC
allow icmp from boss to any icmptypes 6,8	# 60050: CLOSED,ELABINELAB
allow icmp from any to boss icmptypes 0		# 60051: CLOSED,ELABINELAB

#
# Windows
# allow http, https (80,443) outbound for windows/cygwin updates
# SMB (445) with fs
# rdesktop (3389) to nodes
#
allow tcp from any to any 80,443 in via vlan0 setup keep-state # 60056: BASIC+WINDOWS
allow tcp from any to fs 445 in via vlan0 setup keep-state # 60057: BASIC+WINDOWS
allow tcp from any not 0-1023 to any 3389 in not recv vlan0 setup keep-state # 60059: BASIC+WINDOWS

#
# Windows
# Explicitly stop blaster (135,4444) and slammer (1434)
#
deny tcp from any to any 135,4444			# 60060: BASIC,CLOSED,ELABINELAB+WINDOWS
deny udp from any to any 1434				# 60061: BASIC,CLOSED,ELABINELAB+WINDOWS

# Boot time only services (DHCP, TFTP, bootinfo, TMCC).

# DHCP requests from, and replies to, inside nodes: requests are always
# broadcast, replies may be broadcast or unicast.
allow udp from any 68 to 255.255.255.255 67 recv vlan0	# 60064: BASIC,CLOSED,ELABINELAB
allow udp from any 67 to any 68 in not recv vlan0	# 60065: BASIC,CLOSED,ELABINELAB

#
# TFTP with boss or ops
# XXX tftpd can pick any port it wants in response to a request from any port
# so we have to open wide.
#
# Note that for elabinelab, inside nodes still need to be able to talk to
# real boss for PXE boot.
#
allow udp from any to EMULAB_BOSSES,ops 69 keep-state			 # 60066: BASIC,CLOSED,ELABINELAB
allow udp from EMULAB_BOSSES,ops not 0-1023 to any not 0-1023 keep-state # 60067: BASIC,CLOSED,ELABINELAB

#
# Emulab bootinfo with boss (nodes request/receive info or boss does PXEWAKEUP)
# XXX do we really need this for elabinelab inner nodes?
#
allow udp from any 9696 to boss 6969 keep-state		# 60068: BASIC,CLOSED,ELABINELAB
allow udp from boss 6970 to any 9696			# 60069: BASIC,CLOSED,ELABINELAB

# TMCC (udp or tcp) with boss
allow ip from any to boss 7777 keep-state		# 60070: BASIC,CLOSED

# nuke everything else
# this should be the default kernel setting, but just in case
deny all from any to any			# 65534: BASIC,CLOSED,ELABINELAB

# Let through anything
allow all from any to any			# 65534: OPEN