Commit 650adc28 authored by Mike Hibler's avatar Mike Hibler

get FreeBSD firewall working with vnodes.

Firewall needed to be taught about the vnode control net (172.16.0.0).
Basic stuff works now. Haven't tested everything.

Unrelated to this commit, the Linux firewall seems to be broken.
No traffic flows between the inside and outside even in an "open"
configuration. Needs investigation.
parent 4a2ea61a
......@@ -2551,6 +2551,14 @@ sub getfwconfig($$;$)
$fwsrvmacs{$fwvars{"EMULAB_GWIP"}} =~ s/://g;
}
my $vgwip = "";
if (defined($fwvars{"EMULAB_VGWIP"})) {
# XXX assume vnode GW is just an alias for the real GW (same MAC)
$fwsrvmacs{$fwvars{"EMULAB_VGWIP"}} = $fwvars{"EMULAB_GWMAC"};
$fwsrvmacs{$fwvars{"EMULAB_VGWIP"}} =~ s/://g;
$vgwip = $fwvars{"EMULAB_VGWIP"};
}
# info for proxy ARP, to publish inside...
if (%fwsrvmacs) {
#
......@@ -2561,7 +2569,8 @@ sub getfwconfig($$;$)
} else {
my %lsrv = ();
foreach my $ip (keys %fwsrvmacs) {
if (insubnet($fwvars{"EMULAB_CNET"}, $ip)) {
if (insubnet($fwvars{"EMULAB_CNET"}, $ip) ||
$ip eq $vgwip) {
$lsrv{$ip} = $fwsrvmacs{$ip};
}
}
......@@ -2585,6 +2594,9 @@ sub getfwconfig($$;$)
$bad += expandfwvars($rule);
}
# return the variables too
$fwinfo->{"VARS"} = \%fwvars;
$$infoptr = $fwinfo;
@$rptr = @fwrules;
@$hptr = @fwhosts;
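Review bot: In the first hunk the new `if (defined($fwvars{"EMULAB_VGWIP"}))` block reads `$fwvars{"EMULAB_GWMAC"}` without checking that it is defined, so a configuration that knows the vnode gateway address but not the gateway MAC gives `%fwsrvmacs` an entry keyed by the vnode gateway with an undef value (warned on by the `s/://g`), and that entry is then published as a proxy-ARP server like any other. Guard on both: `if (defined($fwvars{"EMULAB_VGWIP"}) && defined($fwvars{"EMULAB_GWMAC"})) {`. The real-gateway assignment just above appears to sit under its own guard that is outside the hunk, so the same protection is presumably intended here. getfwconfig starts and ends outside these hunks.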
......
#!/usr/bin/perl -wT
#
# Copyright (c) 2000-2013 University of Utah and the Flux Group.
# Copyright (c) 2000-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -742,6 +742,7 @@ sub os_fwconfig_line($@)
}
my $vlandev = "vlan0";
my $vip;
my $vlanno = $fwinfo->{IN_VLAN};
my $pdev = `$BINDIR/findif $fwinfo->{IN_IF}`;
chomp($pdev);
......@@ -780,6 +781,34 @@ sub os_fwconfig_line($@)
$upline .=
" ifconfig $vlandev inet $myip netmask $mymask rtabid 2\n";
#
# XXX this blows II: for vnodes, we need to proxy arp the vnode
# network GW, so we have to give both devices a vnode addr
# alias as well! To give us a unique addr, we make sure that the
# vnode net is at least /16 and take the last two octets of the
# real address. This will work for Utah.
#
if (defined($fwinfo->{VARS}->{EMULAB_VGWIP}) &&
defined($fwinfo->{VARS}->{EMULAB_VCNET})) {
my $vgwip = $fwinfo->{VARS}->{EMULAB_VGWIP};
my $bits = 0;
if ($fwinfo->{VARS}->{EMULAB_VCNET} =~ /\/(\d+)$/) {
$bits = 32 - $1;
}
if ($bits >= 16) {
if ($vgwip =~ /^(\d+\.\d+)\.\d+\.\d+$/ && ($vip = $1) &&
$myip =~ /^\d+\.\d+\.(\d+\.\d+)$/) {
$vip .= ".$1";
my $vmask =
sprintf "0x%08x", (~0 << $bits) & 0xFFFFFFFF;
$upline .=
" ifconfig $pdev alias $vip netmask $vmask\n";
$upline .=
" ifconfig $vlandev alias $vip netmask $vmask rtabid 2\n";
}
}
}
# publish servers (including GW) on inside and for us on outside
if (defined($fwinfo->{SRVMACS})) {
my $href = $fwinfo->{SRVMACS};
......@@ -860,7 +889,17 @@ sub os_fwconfig_line($@)
$downline .= " arp -r 2 -d $node\n";
}
}
$downline .= " ifconfig $vlandev destroy";
if (defined($fwinfo->{SRVMACS})) {
my $href = $fwinfo->{SRVMACS};
while (my ($ip,$mac) = each %$href) {
$downline .= " arp -d $ip\n";
$downline .= " arp -r 2 -d $ip pub\n";
}
}
$downline .= " ifconfig $vlandev destroy\n";
if ($vip) {
$downline .= " ifconfig $pdev -alias $vip";
}
return ($upline, $downline);
}
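Review bot: In the vnode-alias block, `$vip` is assigned in the middle of the condition (`($vip = $1)`) before the `$myip` match runs, so if `$myip` ever fails the dotted-quad pattern `$vip` is left holding just the two-octet prefix, no `ifconfig ... alias` line is emitted, and the later `if ($vip) { $downline .= " ifconfig $pdev -alias $vip"; }` tears down a half address. Capture both halves first and assign `$vip` only when both matched: `my ($vpfx) = $vgwip =~ /^(\d+\.\d+)\.\d+\.\d+$/;`, `my ($vsfx) = $myip =~ /^\d+\.\d+\.(\d+\.\d+)$/;`, `if ($vpfx && $vsfx) { $vip = "$vpfx.$vsfx";`. os_fwconfig_line starts before the first hunk of this section; its end is visible in the last one.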
......
......@@ -48,8 +48,10 @@
# Variables expanded by rc.firewall script that can be used here:
#
# EMULAB_GWIP IP address of gateway
# EMULAB_VGWIP IP address of gateway on virtual node network
# EMULAB_NS IP address of name server
# EMULAB_CNET Node control network in CIDR notation
# EMULAB_VCNET Virtual node control network in CIDR notation
# EMULAB_MCADDR Multicast address range used by frisbee
# EMULAB_MCPORT Port range used by frisbee
# EMULAB_BOSSES Comma separated list of subbosses (including "boss"),
......@@ -59,8 +61,8 @@
# (EMULAB_BOSSES + "ops" + "fs")
#
# Currently these are sufficient for rules we use. Note that you can
# safely use symbolic hostnames "boss", "ops", "fs", "users", "ntp1"
# and "ntp2" as they are all guaranteed to resolve, either via the local
# safely use symbolic hostnames "boss", "ops", "fs", "users" and "ntp1"
# as they are all guaranteed to resolve, either via the local
# hosts file or via DNS (assuming the firewall is not yet up or allows
# DNS traffic, which it should at that point in time).
#
......@@ -161,8 +163,8 @@ allow udp from me to EMULAB_NS 53 keep-state # 20: BASIC,CLOSED,ELABINELAB
allow tcp from boss to me 22 setup keep-state # 22: CLOSED,ELABINELAB
allow tcp from any to me 22 setup keep-state # 22: BASIC
# NTP to ntp servers
allow ip from me to ntp1,ntp2 123 keep-state # 24: BASIC,CLOSED,ELABINELAB
# NTP to ntp server
allow ip from me to ntp1 123 keep-state # 24: BASIC,CLOSED,ELABINELAB
# syslog with ops
allow udp from me 514 to ops 514 # 26: BASIC,CLOSED,ELABINELAB
......@@ -194,7 +196,7 @@ allow udp from me to boss 8509 # 40: BASIC,CLOSED,ELABINELAB
# we need to remain engaged in the multicast protocol
# XXX maybe not needed after all
#allow igmp from any to any # 48: BASIC,CLOSED,ELABINELAB
#allow pim from EMULAB_GWIP to any # 49: BASIC,CLOSED,ELABINELAB
#allow pim from EMULAB_GWIP,EMULAB_VGWIP to any # 49: BASIC,CLOSED,ELABINELAB
# Ping, IPoD from boss
allow icmp from boss to me icmptypes 6,8 # 50: BASIC,CLOSED,ELABINELAB
......@@ -244,7 +246,7 @@ deny not mac-type ip # 80: BASIC,CLOSED,ELABINELAB
# (due to the helper function).
# so for now we allow any IP traffic from the gateway.
#
allow ip from EMULAB_GWIP to any in not via vlan0 # 81: CLOSED,ELABINELAB
allow ip from EMULAB_GWIP,EMULAB_VGWIP to any in not via vlan0 # 81: CLOSED,ELABINELAB
#
# XXX yuk 2! In a non-segmented control network or in a configuration with
......@@ -259,8 +261,8 @@ skipto 90 ip from any to EMULAB_SERVERS in via vlan0 # 83: CLOSED,ELABINELAB+SA
#
# Otherwise, nodes inside/outside of the firewall cannot talk to each other.
#
deny ip from any to EMULAB_CNET in via vlan0 # 84: CLOSED,ELABINELAB
deny ip from EMULAB_CNET to any in not via vlan0 # 85: CLOSED,ELABINELAB
deny ip from any to EMULAB_CNET,EMULAB_VCNET in via vlan0 # 84: CLOSED,ELABINELAB
deny ip from EMULAB_CNET,EMULAB_VCNET to any in not via vlan0 # 85: CLOSED,ELABINELAB
#
# Inside nodes cannot spoof other IP addresses.
......@@ -268,7 +270,7 @@ deny ip from EMULAB_CNET to any in not via vlan0 # 85: CLOSED,ELABINELAB
# Beyond this rule we no longer have to check to make sure that source
# hosts like "boss" and "ops" come in the correct interface.
#
deny ip from not 0.0.0.0,255.255.255.255,EMULAB_CNET to any in via vlan0 # 90: BASIC,CLOSED,ELABINELAB
deny ip from not 0.0.0.0,255.255.255.255,EMULAB_CNET,EMULAB_VCNET to any in via vlan0 # 90: BASIC,CLOSED,ELABINELAB
#
# By convention, user supplied rules are in the 100-60000 range
......@@ -298,8 +300,8 @@ allow tcp from any to any 22 in not via vlan0 setup keep-state # 60022: BASIC
# NTP to ntp servers
# Note: elabinelab myops/myfs use myboss for NTP
allow ip from any to ntp1,ntp2 123 keep-state # 60024: BASIC,CLOSED
allow ip from myboss to ntp1,ntp2 123 keep-state # 60024: ELABINELAB
allow ip from any to ntp1 123 keep-state # 60024: BASIC,CLOSED
allow ip from myboss to ntp1 123 keep-state # 60024: ELABINELAB
# syslog with ops
allow udp from any 514 to ops 514 # 60026: BASIC,CLOSED
......@@ -398,9 +400,9 @@ deny udp from any to any 1434 # 60061: BASIC,CLOSED,ELABINELAB+WINDOWS
# Boot time only services (DHCP, TFTP, bootinfo, TMCC).
# DHCP requests from, and replies to, inside requests are always broadcast,
# replies may be broadcast or unicast
# replies may be broadcast or unicast but should come from a boss or GW.
allow udp from any 68 to 255.255.255.255 67 recv vlan0 # 60064: BASIC,CLOSED,ELABINELAB
allow udp from any 67 to any 68 in not recv vlan0 # 60065: BASIC,CLOSED,ELABINELAB
allow udp from EMULAB_BOSSES,EMULAB_GWIP,EMULAB_VGWIP 67 to any 68 in not recv vlan0 # 60065: BASIC,CLOSED,ELABINELAB
#
# TFTP with boss or ops
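Review bot: The comment above rule 81 (`so for now we allow any IP traffic from the gateway`) now under-describes the rule, which admits any IP from either `EMULAB_GWIP` or `EMULAB_VGWIP` arriving `in not via vlan0`; since this is the broadest allow in the CLOSED/ELABINELAB set, the comment should say that both gateway addresses are trusted, e.g. `# so for now we allow any IP traffic from the gateway (both its control-net and vnode-net addresses).` Rule 90 likewise widens the inside anti-spoof source set to `EMULAB_VCNET`; a one-line note there that inside vnodes are expected to source from the vnode control net would help the next reader see why the list grew.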
......
#!/usr/bin/perl -w
#
# Copyright (c) 2005-2011 University of Utah and the Flux Group.
# Copyright (c) 2005-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -50,13 +50,16 @@ my %fwvars;
sub getfwvars()
{
# XXX for Utah Emulab as of 11/11
# XXX for Utah Emulab as of 04/14
$fwvars{EMULAB_GWIP} = "155.98.36.1";
$fwvars{EMULAB_VGWIP} = "172.16.0.1";
# XXX assume vnode GW MAC same as GW MAC
$fwvars{EMULAB_GWMAC} = "00:d0:bc:f4:14:f8";
$fwvars{EMULAB_NS} = "155.98.32.70";
$fwvars{EMULAB_CNET} = "155.98.36.0/22";
$fwvars{EMULAB_BOSSES} = "boss,subboss";
$fwvars{EMULAB_SERVERS} = "boss,subboss,ops";
$fwvars{EMULAB_VNET} = "172.16.0.0/12";
$fwvars{EMULAB_BOSSES} = "boss,subboss,subboss2";
$fwvars{EMULAB_SERVERS} = "boss,subboss,subboss2,ops";
$fwvars{EMULAB_MCADDR} = "234.0.0.0/8";
$fwvars{EMULAB_MCPORT} = "1025-65535";
}
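Review bot: This fixture sets `$fwvars{EMULAB_VNET}`, but every other place in this commit uses the name `EMULAB_VCNET` (the rule templates, the `defined($fwinfo->{VARS}->{EMULAB_VCNET})` check in os_fwconfig_line, and the initializer that writes it into `default_firewall_vars`), so when driven from this script the vnode-net rules and the alias setup would see an undefined variable. Rename the key: `$fwvars{EMULAB_VCNET} = "172.16.0.0/12";`. The identical `getfwvars` hunk in the next file section has the same line. getfwvars is fully within the hunk.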
......
#!/usr/bin/perl -w
#
# Copyright (c) 2005-2011 University of Utah and the Flux Group.
# Copyright (c) 2005-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -50,13 +50,16 @@ my %fwvars;
sub getfwvars()
{
# XXX for Utah Emulab as of 11/11
# XXX for Utah Emulab as of 04/14
$fwvars{EMULAB_GWIP} = "155.98.36.1";
$fwvars{EMULAB_VGWIP} = "172.16.0.1";
# XXX assume vnode GW MAC same as GW MAC
$fwvars{EMULAB_GWMAC} = "00:d0:bc:f4:14:f8";
$fwvars{EMULAB_NS} = "155.98.32.70";
$fwvars{EMULAB_CNET} = "155.98.36.0/22";
$fwvars{EMULAB_BOSSES} = "boss,subboss";
$fwvars{EMULAB_SERVERS} = "boss,subboss,ops";
$fwvars{EMULAB_VNET} = "172.16.0.0/12";
$fwvars{EMULAB_BOSSES} = "boss,subboss,subboss2";
$fwvars{EMULAB_SERVERS} = "boss,subboss,subboss2,ops";
$fwvars{EMULAB_MCADDR} = "234.0.0.0/8";
$fwvars{EMULAB_MCPORT} = "1025-65535";
}
......
#!/usr/bin/perl -w
#
# Copyright (c) 2005-2011 University of Utah and the Flux Group.
# Copyright (c) 2005-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -42,6 +42,8 @@ my $PRIVATE_NETWORK = "@PRIVATE_NETWORK@";
my $PRIVATE_NETMASK = "@PRIVATE_NETMASK@";
my $PUBLIC_NETWORK = "@PUBLIC_NETWORK@";
my $PUBLIC_NETMASK = "@PUBLIC_NETMASK@";
my $VIRTNODE_NETWORK = "@VIRTNODE_NETWORK@";
my $VIRTNODE_NETMASK = "@VIRTNODE_NETMASK@";
my $BOSSNODE_IP = "@BOSSNODE_IP@";
my $USERNODE_IP = "@USERNODE_IP@";
my $FSNODE_IP = "@FSNODE_IP@";
......@@ -67,18 +69,26 @@ my @NETMASKS =
0xFFFFFFF8, 0xFFFFFFFC, 0xFFFFFFFE, 0xFFFFFFFF # 29 - 32
);
my $CIDRMASK = "24";
for (my $i = 0; $i < scalar(@NETMASKS); $i++) {
sub getcidrnet($)
{
my ($mask) = @_;
my $cidrnet = "24";
for (my $i = 0; $i < scalar(@NETMASKS); $i++) {
my $foo = pack("N", $NETMASKS[$i]);
if ($CONTROL_NETMASK eq inet_ntoa($foo)) {
$CIDRMASK = "$i";
if ($mask eq inet_ntoa($foo)) {
$cidrnet = "$i";
last;
}
}
return $cidrnet;
}
my $str;
my $res;
my $subbosses = 0;
#
# Create EMULAB_BOSSES variable.
......@@ -89,8 +99,8 @@ my @bosses = "boss";
# ...and any subbosses
$res = DBQueryFatal("select distinct subboss_id from subbosses");
while (my ($sb) = $res->fetchrow_array()) {
push(@bosses, $sb)
if ($sb);
push(@bosses, $sb);
$subbosses++;
}
my $bstr = join(',', @bosses);
......@@ -136,12 +146,34 @@ DBQueryFatal($str)
#
# Add the control net in CIDR notation
$str = "replace into default_firewall_vars values ('EMULAB_CNET', '$CONTROL_NETWORK/$CIDRMASK')";
my $cidrnet = getcidrnet($CONTROL_NETMASK);
$str = "replace into default_firewall_vars values ('EMULAB_CNET', '$CONTROL_NETWORK/$cidrnet')";
print "$str\n"
if (!$doit);
DBQueryFatal($str)
if ($doit);
# And the virtnode control net in CIDR notation
$cidrnet = getcidrnet($VIRTNODE_NETMASK);
$str = "replace into default_firewall_vars values ('EMULAB_VCNET', '$VIRTNODE_NETWORK/$cidrnet')";
print "$str\n"
if (!$doit);
DBQueryFatal($str)
if ($doit);
#
# Create EMULAB_VGWIP defined
# EMULAB_GWIP comes from the DB via tmcd.
#
if ($VIRTNODE_NETWORK =~ /^(\d+\.\d+\.\d+)\.0$/) {
my $vgwip = "$1.1";
$str = "replace into default_firewall_vars values ('EMULAB_VGWIP', '$vgwip')";
print "$str\n"
if (!$doit);
DBQueryFatal($str)
if ($doit);
}
#
# Create EMULAB_MCADDR and EMULAB_MCPORT variables
#
......@@ -165,6 +197,11 @@ if ($bstr ne "boss") {
}
$FRISBEE_MCASTPORT = $FRISBEE_MCASTPORT . "-65535";
# XXX hack for subbosses
if ($subbosses > 0 && $mcaddr[0] != 239) {
$FRISBEE_MCASTADDR .= ",239.0.0.0/8";
}
$str = "replace into default_firewall_vars values ('EMULAB_MCADDR', '$FRISBEE_MCASTADDR')";
print "$str\n"
if (!$doit);
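Review bot: The subboss loop drops the old `if ($sb)` guard, so a NULL or empty `subboss_id` row now lands in `@bosses` as an empty string and is counted in `$subbosses`; `join(',', @bosses)` then yields something like `boss,,subboss`, which is stored as `EMULAB_BOSSES` and expanded into a malformed address list in the ipfw/iptables rules. Keep the guard as the first statement of the `while` body: `next unless $sb;`. Separately, `getcidrnet` silently returns "24" when `$mask` matches none of `@NETMASKS`, so an unset or mistyped `@VIRTNODE_NETMASK@` would quietly produce a /24 `EMULAB_VCNET`; a `warn "getcidrnet: unknown netmask '$mask', assuming /24\n";` before the `return` (or a `die`) would surface that at install time.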
......
......@@ -48,8 +48,10 @@
# Variables expanded by rc.firewall script that can be used here:
#
# EMULAB_GWIP IP address of gateway
# EMULAB_VGWIP IP address of gateway on virtual node network
# EMULAB_NS IP address of name server
# EMULAB_CNET Node control network in CIDR notation
# EMULAB_VCNET Virtual node control network in CIDR notation
# EMULAB_MCADDR Multicast address range used by frisbee
# EMULAB_MCPORT Port range used by frisbee
# EMULAB_BOSSES Comma separated list of subbosses (including "boss"),
......@@ -59,8 +61,8 @@
# (EMULAB_BOSSES + "ops" + "fs")
#
# Currently these are sufficient for rules we use. Note that you can
# safely use symbolic hostnames "boss", "ops", "fs", "users", "ntp1"
# and "ntp2" as they are all guaranteed to resolve, either via the local
# safely use symbolic hostnames "boss", "ops", "fs", "users" and "ntp1"
# as they are all guaranteed to resolve, either via the local
# hosts file or via DNS (assuming the firewall is not yet up or allows
# DNS traffic, which it should at that point in time).
#
......@@ -101,11 +103,11 @@ iptables -N OUTSIDE # BASIC,CLOSED,ELABINELAB
iptables -F OUTSIDE # BASIC,CLOSED,ELABINELAB
# Inside nodes cannot spoof other IP addresses
iptables -A FORWARD -m physdev --physdev-in vlandev -s EMULAB_CNET,0.0.0.0/32,255.255.255.255 -j INSIDE # BASIC,CLOSED,ELABINELAB
iptables -A FORWARD -m physdev --physdev-in vlandev -s EMULAB_CNET,EMULAB_VCNET,0.0.0.0/32,255.255.255.255 -j INSIDE # BASIC,CLOSED,ELABINELAB
iptables -A FORWARD -m physdev --physdev-in pdev -j OUTSIDE # BASIC,CLOSED,ELABINELAB
# Allow everything from the gateway, since the gateway may be part of the node control net
iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -s EMULAB_GWIP,EMULAB_VGWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB
# Can talk to myself. Does this do anything?
# This appears to be used by elvind?
......@@ -154,8 +156,8 @@ iptables -A INSIDE -d EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
#
# Otherwise, nodes inside/outside of the firewall cannot talk to each other.
#
iptables -A INSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB
iptables -A OUTSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB
iptables -A INSIDE -d EMULAB_CNET,EMULAB_VCNET -j DROP # CLOSED,ELABINELAB
iptables -A OUTSIDE -d EMULAB_CNET,EMULAB_VCNET -j DROP # CLOSED,ELABINELAB
# DNS to NS (for firewalled nodes)
# Note: elabinelab myops/myfs use myboss for NS
......@@ -171,7 +173,7 @@ iptables -A OUTSIDE -p tcp -s myfs --dport 22 --syn -m conntrack --ctstate NEW -
iptables -A INPUT -p tcp -s boss -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED,ELABINELAB
iptables -A INPUT -p tcp -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
# NTP to ntp servers
# NTP to ntp server
# Note: elabinelab myops/myfs use myboss for NTP
iptables -A INSIDE -p udp -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
......@@ -179,12 +181,6 @@ iptables -A INSIDE -p udp -s myboss -d ntp1 --dport 123 -m conntrack --ctstate N
iptables -A INSIDE -p tcp -s myboss -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INPUT -p udp -s me -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -p tcp -s me -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INSIDE -p udp -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INSIDE -p tcp -s myboss -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INPUT -p udp -s me -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -p tcp -s me -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
# syslog with ops
iptables -A INSIDE -p udp -d ops --dport 514 -j ACCEPT # BASIC,CLOSED
......@@ -311,10 +307,9 @@ iptables -A INPUT -p udp --dport 1434 -j DROP # BASIC,CLOSED,ELABINELAB+WINDOWS
# Boot time only services (DHCP, TFTP, bootinfo, TMCC).
# DHCP requests from, and replies to, inside requests are always broadcast,
# replies may be broadcast or unicast
# replies may be broadcast or unicast but should come from a boss or GW.
iptables -A INSIDE -p udp --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp --sport 67 --dport 68 -d 255.255.255.255 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp --sport 67 -s EMULAB_BOSSES -d EMULAB_CNET -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp --sport 67 -s EMULAB_BOSSES,EMULAB_GWIP,EMULAB_VGWIP --dport 68 -j ACCEPT # BASIC,CLOSED,ELABINELAB
#
# TFTP with boss or ops
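Review bot: The rewritten OUTSIDE DHCP-reply rule drops the `-d EMULAB_CNET` destination check the old rule had, leaving `--dport 68` as the only constraint beyond the source list. If the aim was to also admit unicast replies to vnodes, `-d EMULAB_CNET,EMULAB_VCNET` keeps the destination bound; if the relaxation is deliberate (the ipfw counterpart uses `to any 68`), a short comment on the rule saying so would stop the next reader from re-adding it. The updated comment `replies may be broadcast or unicast but should come from a boss or GW` does match the new source list.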
......