fw-rules 16.5 KB
Newer Older
Mike Hibler's avatar
Mike Hibler committed
1
#
2
# Copyright (c) 2005-2017 University of Utah and the Flux Group.
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
# 
# {{{EMULAB-LICENSE
# 
# This file is part of the Emulab network testbed software.
# 
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# 
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
# License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this file.  If not, see <http://www.gnu.org/licenses/>.
# 
# }}}
Mike Hibler's avatar
Mike Hibler committed
22 23
#

24 25
#
# Firewall rule template.
26
#
27
# The bulk of the line is the body of an IPFW rule, a '#' denoted "comment"
28 29 30
# at the end of the line indicates a rule number to use, a comma separated
# list of styles to which the rule applies, and an optional qualifier that
# indicates the types of firewalled nodes to which the rule should apply.
31 32 33 34 35 36 37
#
# Styles:
#
#	OPEN		allows everything
#	CLOSED   	allows only Emulab infrastructure services
#	BASIC		CLOSED + ssh from anywhere
#	ELABINELAB	Elab-in-elab, eliminates many Emulab services
38 39 40 41 42 43 44 45 46
#
# Qualifiers:
#
#	WINDOWS		For nodes running some variant of Windows
#	SAMENET		For nodes that are on the same subnet as any
#			"control" host (boss, subbosses, ops, fs).
#
# Note that currently, we do not support the qualifier. Rules with a
# qualifier are applied unconditionally to the style which they are a part of.
47
#
48
# Variables expanded by rc.firewall script that can be used here:
49
#
50
#	EMULAB_GWIP	IP address of gateway
51
#	EMULAB_VGWIP	IP address of gateway on virtual node network
52 53
#	EMULAB_NS	IP address of name server
#	EMULAB_CNET	Node control network in CIDR notation
54
#	EMULAB_VCNET	Virtual node control network in CIDR notation
55 56
#	EMULAB_MCADDR	Multicast address range used by frisbee
#	EMULAB_MCPORT	Port range used by frisbee
57 58 59
#	EMULAB_BOSSES	Comma separated list of subbosses (including "boss"),
#			used for services that subbosses provide
#			(dhcp/tftp/frisbee).
60 61
#	EMULAB_SERVERS	Comma separated list of all servers
#			(EMULAB_BOSSES + "ops" + "fs")
62 63
#
# Currently these are sufficient for rules we use.  Note that you can
64 65
# safely use symbolic hostnames "boss", "ops", "fs", "users" and "ntp1"
# as they are all guaranteed to resolve, either via the local
66 67 68 69 70 71
# hosts file or via DNS (assuming the firewall is not yet up or allows
# DNS traffic, which it should at that point in time).
#
# For an Emulab in Emulab setup, the names "myboss", "myops" and "myfs"
# are also valid for naming the respective inner servers.
#
72
# There are a few idioms that can be used in rules.  These are dependent
73 74
# on the exact configuration of the bridge and firewall, so be careful
# (see NOTES for details on the implementation and implications):
75
#
76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97
# "layer2"
#	A packet passing through the bridge.
# "not layer2"
#	A packet from or to the firewall itself.
# "in via vlan0"
#	Coming from the inside network.
# "in not via vlan0"
#	Coming from the outside network.
# "out"
#	Outbound from the firewall.
# "layer2 ... in via vlan0"
#	Traveling from inside to outside through the bridge.
# "layer2 ... in not via vlan0"
#	Traveling from outside to inside through the bridge.
# "from me to any out via vlan0"
#	IP traffic from firewall to the inside network.
# "from me to any out not via vlan0"
#	IP traffic from firewall to the outside network.
# "from any to me in via vlan0"
#	IP traffic to the firewall from inside.
# "from any to me in not via vlan0"
#	IP traffic to the firewall from outside.
98
#
99 100 101 102 103 104 105
# Questions, comments and warnings (refer to the NOTES file for more):
#
# 1. The rules use stateful checking via dynamic rules.  In addition to
#    being subject to DoS attacks, they can wreak havoc if the firewall
#    reboots.  In the case of the latter, all your TCP connections will
#    be toast.  Despite this, dynamic rules allow us to be a little more
#    constraining on what we allow through.
106 107 108
#
# 2. How much should we protect the firewall itself?  We disallow complete
#    access from inside.  From outside, we treat the firewall pretty much
109
#    like a firewalled node, except that we always allow infrastructure
110 111 112 113 114 115
#    services (e.g. NFS).
#
# 3. Watch out for VLAN tagged packets.  We don't want to process them
#    when they come in off the phys interface, we want to process them
#    when they have been untagged.
#
116 117 118 119 120 121

##
## COMMON RULES (2-9)
## These rules apply to all packets
##

122
#
123
# Match existing dynamic rules very early
124
#
125
check-state					# 4: BASIC,CLOSED,ELABINELAB
126

127 128 129 130 131 132 133 134 135 136
#
# Anything that traverses the bridge will appear as layer2.
# Skip the firewall-specific rules for this common case.
#
skipto 80 all from any to any layer2 in		# 9: BASIC,CLOSED,ELABINELAB

##
## FIREWALL SPECIFIC RULES (10-79)
## These rules are for IP packets only.
##
137

138 139 140 141 142
#
# Nobody on the inside can talk to the firewall.
# Prevents anyone spoofing "me", "boss", "ops", etc.
#
deny all from any to me in via vlan0		# 10: BASIC,CLOSED,ELABINELAB
Mike Hibler's avatar
Mike Hibler committed
143

144 145 146
# Can talk to myself.  Does this do anything?
# This appears to be used by elvind?
allow all from me to me				# 11: BASIC,CLOSED,ELABINELAB
147

148 149 150 151 152 153 154 155
#
# XXX early on in Emulab setup boss will ssh in and insert a rule at the
# beginning to allow all traffic.  Later we ssh in again to remove that rule.
# In order for the latter ssh command to complete, we have to make sure that
# an established connection to boss continues to work.
#
allow tcp from me 22 to boss established	# 15: ELABINELAB
allow tcp from boss to me 22 established	# 16: ELABINELAB
156

157
# Standard services
158

159 160
# DNS to NS
allow udp from me to EMULAB_NS 53 keep-state	# 20: BASIC,CLOSED,ELABINELAB
161

162 163 164
# ssh from boss (for reboot, etc.) and others if appropriate
allow tcp from boss to me 22 setup keep-state	# 22: CLOSED,ELABINELAB
allow tcp from any to me 22 setup keep-state	# 22: BASIC
165

166 167
# NTP to ntp server
allow ip from me to ntp1 123 keep-state		# 24: BASIC,CLOSED,ELABINELAB
168

169 170 171 172 173 174
# syslog with ops
allow udp from me 514 to ops 514		# 26: BASIC,CLOSED,ELABINELAB

#
# NFS
# DANGER WILL ROBINSON!!!
175
# Portmapper (tcp or udp), mountd and NFS (tcp or udp) with fs
176 177 178 179 180 181
#
# Note that we have to allow IP fragments through due to the default
# 8k read/write size.  Perhaps we should dial down the read/write size for
# firewalled experiments.
#
allow ip from me to fs 111 keep-state		# 30: BASIC,CLOSED,ELABINELAB
182 183 184
allow ip from me not 0-700 to fs keep-state	# 31: BASIC,CLOSED,ELABINELAB
allow ip from me to fs 900 keep-state		# 32: BASIC,CLOSED,ELABINELAB
allow ip from me to fs 2049 keep-state		# 33: BASIC,CLOSED,ELABINELAB
185 186 187 188 189
allow ip from me to fs frag			# 34: BASIC,CLOSED,ELABINELAB
allow ip from fs to me frag			# 35: BASIC,CLOSED,ELABINELAB

# Special services

190 191
# pubsubd to ops (unicast TCP and multicast UDP)
allow ip from me to ops 16505 keep-state	# 38: BASIC,CLOSED,ELABINELAB
192 193 194 195 196 197 198

# slothd to boss
allow udp from me to boss 8509 			# 40: BASIC,CLOSED,ELABINELAB

# we need to remain engaged in the multicast protocol
# XXX maybe not needed after all
#allow igmp from any to any			# 48: BASIC,CLOSED,ELABINELAB
199
#allow pim from EMULAB_GWIP,EMULAB_VGWIP to any	# 49: BASIC,CLOSED,ELABINELAB
200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233

# Ping, IPoD from boss
allow icmp from boss to me icmptypes 6,8	# 50: BASIC,CLOSED,ELABINELAB
allow icmp from me to boss icmptypes 0		# 51: BASIC,CLOSED,ELABINELAB

#
# Boot time only services (DHCP, TFTP, bootinfo, TMCC).
#
# Technically, we don't have to allow these since they will
# happen before the firewall is up.  We allow TMCC for debugging.
#
allow ip from me to boss 7777 keep-state	# 70: BASIC,CLOSED,ELABINELAB

# nuke everything else
# this should be the default kernel setting, but just in case
deny all from any to any			# 79: BASIC,CLOSED,ELABINELAB


##
## BRIDGE SPECIFIC RULES (80-99 cannot be changed by user, 100 and higher can).
## These rules are for packets passing through the bridge.
##

#
# Disallow non-IP traffic.
#
# In particular, this prevents ARP.
#
deny not mac-type ip				# 80: BASIC,CLOSED,ELABINELAB

#
# No one on the inside can talk to other experiments' nodes and visa-versa.
#
# XXX currently we only do this for the heavier weight firewalls because
234
# the user cannot override this.
235 236 237 238 239 240 241 242 243 244 245 246 247 248
#
# Note that this does not apply to nodes within this experiment because
# those packets never come to the firewall.
#
# Note also that EMULAB_CNET is only the "node control net" and does not
# include the public/private nets for boss, ops, etc.
#
# XXX yuk!  The gateway *is* part of EMULAB_CNET, and assorted packets do
# come from it:
#  * IGMP and PIM traffic
#  * DHCP replies from boss appear to have come from the gateway
#    (due to the helper function).
# so for now we allow any IP traffic from the gateway.
#
249
allow ip from EMULAB_GWIP,EMULAB_VGWIP to any in not via vlan0 # 81: CLOSED,ELABINELAB
250 251 252 253 254 255 256 257 258 259 260 261 262 263

#
# XXX yuk 2!  In a non-segmented control network or in a configuration with
# subbosses, some or all of the server machines will be a part of "the node
# control net" so we cannot unconditionally block all traffic to/from outside
# control net addresses. Here we allow through all traffic involving the known
# servers and let later rules further limit it.
#
skipto 90 ip from EMULAB_SERVERS to any in not via vlan0 # 82: CLOSED,ELABINELAB+SAMENET
skipto 90 ip from any to EMULAB_SERVERS in via vlan0	 # 83: CLOSED,ELABINELAB+SAMENET

#
# Otherwise, nodes inside/outside of the firewall cannot talk to each other. 
#
264 265
deny ip from any to EMULAB_CNET,EMULAB_VCNET in via vlan0     # 84: CLOSED,ELABINELAB
deny ip from EMULAB_CNET,EMULAB_VCNET to any in not via vlan0 # 85: CLOSED,ELABINELAB
266 267 268 269 270 271 272

#
# Inside nodes cannot spoof other IP addresses.
#
# Beyond this rule we no longer have to check to make sure that source
# hosts like "boss" and "ops" come in the correct interface.
#
273
deny ip from not 0.0.0.0,255.255.255.255,EMULAB_CNET,EMULAB_VCNET to any in via vlan0 # 90: BASIC,CLOSED,ELABINELAB
274 275 276 277 278 279

#
# By convention, user supplied rules are in the 100-60000 range
# This allows them to override the remaining infrastructure rules.
#

280 281 282 283 284
#
# Standard services.
#
# Note that for many of these, the ELABINELAB configuration restricts
# the operations to be with only the inner boss/ops/fs (as appropriate)
285 286 287 288
# and NOT with the inner nodes. Note also that the firewall is open while
# the inner servers are being setup (rc.mkelab) so we don't need to allow
# as many services to them; only services that are needed while the elab
# is operational need be allowed.
289 290 291
#

# DNS to NS
292
# Note: elabinelab myops/myfs use myboss for NS
293
allow udp from any to EMULAB_NS 53 keep-state			# 60020: BASIC,CLOSED
294
allow udp from myboss to EMULAB_NS 53 keep-state		# 60020: ELABINELAB
295

296 297 298 299
# ssh from boss (for reboot, etc.) and others if appropriate
allow tcp from boss to any 22 setup keep-state			# 60022: CLOSED
allow tcp from boss to myboss,myops,myfs 22 setup keep-state	# 60022: ELABINELAB
allow tcp from any to any 22 in not via vlan0 setup keep-state	# 60022: BASIC
300 301

# NTP to ntp servers
302
# Note: elabinelab myops/myfs use myboss for NTP
303 304
allow ip from any to ntp1 123 keep-state		# 60024: BASIC,CLOSED
allow ip from myboss to ntp1 123 keep-state		# 60024: ELABINELAB
305 306

# syslog with ops
307
allow udp from any 514 to ops 514		# 60026: BASIC,CLOSED
308

309 310
#
# NFS
311
# DANGER WILL ROBINSON!!!
312
# Portmapper (tcp or udp), mountd and NFS (tcp or udp) with fs
313 314 315 316 317
#
# Note that we have to allow IP fragments through due to the default
# 8k read/write size.  Perhaps we should dial down the read/write size for
# firewalled experiments.
#
318
allow ip from any to fs 111 keep-state		# 60030: BASIC,CLOSED
319 320 321
allow ip from any not 0-700 to fs keep-state	# 60031: BASIC,CLOSED
allow ip from any to fs 900 keep-state		# 60032: BASIC,CLOSED
allow ip from any to fs 2049 keep-state		# 60033: BASIC,CLOSED
322 323 324 325
allow ip from any to fs frag			# 60034: BASIC,CLOSED
allow ip from fs to any frag			# 60035: BASIC,CLOSED

# Special services
326

327
# pubsubd to ops (unicast TCP and multicast UDP)
328
allow ip from any to ops 16505 keep-state	# 60039: BASIC,CLOSED
329 330

# slothd to boss
331
allow udp from any to boss 8509 		# 60040: BASIC,CLOSED
332

Mike Hibler's avatar
Mike Hibler committed
333 334 335
# The inner boss also needs to SSLXMLRPC to real boss to start frisbeed
# for image transfer.  Note that this rule must be before other XMLRPC rule
# (blocking connections from inside).
336
allow tcp from myboss to boss 3069 recv vlan0 setup keep-state	# 60042: ELABINELAB
Mike Hibler's avatar
Mike Hibler committed
337

338
# HTTP/HTTPS/SSLXMLRPC into elabinelab boss from outside
339 340
allow tcp from any to myboss 80,443 in not recv vlan0 setup keep-state # 60043: ELABINELAB
allow tcp from any to myboss 3069 in not recv vlan0 setup keep-state   # 60044: ELABINELAB
341

342 343
#
# Frisbee master server from boss
344
# elabinelab: boss to myboss
345 346
#
allow tcp from any to EMULAB_BOSSES 64494 in via vlan0 setup keep-state	# 60045: BASIC,CLOSED
347
allow tcp from myboss to EMULAB_BOSSES 64494 in via vlan0 setup keep-state # 60045: ELABINELAB
348

349
#
350 351 352 353 354
# Frisbee multicast with boss
#  * nodes mcast everything to boss (joins, leaves and requests): 60046
#  * boss mcasts blocks to same mcaddr/port: 60047
#  * boss unicasts join replies to same port: 60048
#  * node and switch need to IGMP: 60049
355 356 357
#
# Elabinelab should only do this to download an image from real boss to
# the inner boss.  Re-imaging anything else from outside would be a disaster.
358 359 360 361 362 363 364 365 366 367 368 369 370
# But note that the image is still mcast, so we cannot really differentiate
# in 60047.
#
# NOTE: the unicast join replies (60048) make our life miserable. We cannot
# use a keep-state rule because the request was multicast and not directed to
# boss. Thus we have to open up a wide range of ports from boss for the reply.
# To make matters worse, this wide range potentially overlaps with rule 60067
# which allows TFTP traffic. Since the latter requires bi-directional traffic,
# we DO need to specify keep-state on this rule. If we ever start mcasting
# join replies, we could get rid of rule 60048 (which is why it is split out
# from 60047).
#
allow udp from any to EMULAB_MCADDR EMULAB_MCPORT in via vlan0		   # 60046: BASIC,CLOSED
371
allow udp from myboss to EMULAB_MCADDR EMULAB_MCPORT in via vlan0	   # 60046: ELABINELAB
372 373 374 375
allow udp from EMULAB_BOSSES EMULAB_MCPORT to EMULAB_MCADDR EMULAB_MCPORT  # 60047: BASIC,CLOSED,ELABINELAB
allow udp from EMULAB_BOSSES EMULAB_MCPORT to any EMULAB_MCPORT keep-state # 60048: BASIC,CLOSED
allow udp from EMULAB_BOSSES EMULAB_MCPORT to myboss EMULAB_MCPORT keep-state # 60048: ELABINELAB
allow igmp from any to any						   # 60049: BASIC,CLOSED,ELABINELAB
376 377

# Ping, IPoD from boss
378 379 380 381
# should we allow all ICMP in general?
allow icmp from any to any			# 60050: BASIC
allow icmp from boss to any icmptypes 6,8	# 60050: CLOSED,ELABINELAB
allow icmp from any to boss icmptypes 0		# 60051: CLOSED,ELABINELAB
382

383
#
384
# Windows
385
# allow http, https (80,443) outbound for windows/cygwin updates
386 387
# SMB (445) with fs
# rdesktop (3389) to nodes
388
#
389 390 391
allow tcp from any to any 80,443 in via vlan0 setup keep-state # 60056: BASIC+WINDOWS
allow tcp from any to fs 445 in via vlan0 setup keep-state # 60057: BASIC+WINDOWS
allow tcp from any not 0-1023 to any 3389 in not recv vlan0 setup keep-state # 60059: BASIC+WINDOWS
392 393 394 395 396

#
# Windows
# Explicitly stop blaster (135,4444) and slammer (1434)
#
397 398
deny tcp from any to any 135,4444			# 60060: BASIC,CLOSED,ELABINELAB+WINDOWS
deny udp from any to any 1434				# 60061: BASIC,CLOSED,ELABINELAB+WINDOWS
399

400
# Boot time only services (DHCP, TFTP, bootinfo, TMCC).
401

402
# DHCP requests from, and replies to, inside requests are always broadcast,
403
# replies may be broadcast or unicast but should come from a boss or GW.
404
allow udp from any 68 to 255.255.255.255 67 recv vlan0	# 60064: BASIC,CLOSED,ELABINELAB
405
allow udp from EMULAB_BOSSES,EMULAB_GWIP,EMULAB_VGWIP 67 to any 68 in not recv vlan0	# 60065: BASIC,CLOSED,ELABINELAB
406

407
#
408 409
# TFTP with boss or ops
# XXX tftpd can pick any port it wants in response to a request from any port
410 411 412 413 414
# so we have to open wide.
#
# Note that for elabinelab, inside nodes still need to be able to talk to
# real boss for PXE boot.
#
415 416
allow udp from any to EMULAB_BOSSES,ops 69 keep-state			 # 60066: BASIC,CLOSED,ELABINELAB
allow udp from EMULAB_BOSSES,ops not 0-1023 to any not 0-1023 keep-state # 60067: BASIC,CLOSED,ELABINELAB
417

418 419 420 421
#
# Emulab bootinfo with boss (nodes request/receive info or boss does PXEWAKEUP)
# XXX do we really need this for elabinelab inner nodes?
#
422 423
allow udp from any 9696 to boss 6969 keep-state		# 60068: BASIC,CLOSED,ELABINELAB
allow udp from boss 6970 to any 9696			# 60069: BASIC,CLOSED,ELABINELAB
424

425 426
# TMCC (udp or tcp) with boss
allow ip from any to boss 7777 keep-state		# 60070: BASIC,CLOSED
427 428 429 430

# nuke everything else
# this should be the default kernel setting, but just in case
deny all from any to any			# 65534: BASIC,CLOSED,ELABINELAB
431 432 433

# Let through anything
allow all from any to any			# 65534: OPEN