Commit cd8570b4 authored by Mike Hibler

Update firewall setup for things that have happened lately.

Support for frisbee master server and subbosses.
The latter is untested.
parent f1c4b330
#
# EMULAB-COPYRIGHT
# Copyright (c) 2005, 2006, 2009 University of Utah and the Flux Group.
# Copyright (c) 2005-2011 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -27,6 +27,9 @@
# EMULAB_CNET Node control network in CIDR notation
# EMULAB_MCADDR Multicast address range used by frisbee
# EMULAB_MCPORT Port range used by frisbee
# EMULAB_BOSSES Comma separated list of subbosses (including "boss"),
# used for services that subbosses provide
# (dhcp/tftp/frisbee).
#
# Currently these are sufficient for rules we use. Note that you can
# safely use symbolic hostnames "boss", "ops", "fs", "users", "ntp1"
......@@ -37,7 +40,7 @@
# For an Emulab in Emulab setup, the names "myboss", "myops" and "myfs"
# are also valid for naming the respective inner servers.
#
# There are a few idiom that can be used in rules. These are dependent
# There are a few idioms that can be used in rules. These are dependent
# on the exact configuration of the bridge and firewall, so be careful
# (see NOTES for details on the implementation and implications):
#
......@@ -295,6 +298,11 @@ allow tcp from myboss to boss 3069 recv vlan0 setup keep-state # 60042: ELABINEL
allow tcp from any to myboss 80,443 in not recv vlan0 setup keep-state # 60043: ELABINELAB
allow tcp from any to myboss 3069 in not recv vlan0 setup keep-state # 60044: ELABINELAB
#
# Frisbee master server from boss
#
allow tcp from any to EMULAB_BOSSES 64494 in via vlan0 setup keep-state # 60045: BASIC,CLOSED
#
# Frisbee multicast from boss
# * nodes mcast everything (joins, leaves and requests)
......@@ -304,11 +312,11 @@ allow tcp from any to myboss 3069 in not recv vlan0 setup keep-state # 60044:
# Elabinelab should only do this to download an image from real boss to
# the inner boss. Re-imaging anything else from outside would be a disaster.
#
allow udp from any to EMULAB_MCADDR EMULAB_MCPORT in via vlan0 # 60046: BASIC,CLOSED
allow udp from boss EMULAB_MCPORT to any EMULAB_MCPORT # 60047: BASIC,CLOSED
allow udp from myboss to EMULAB_MCADDR EMULAB_MCPORT in via vlan0 # 60046: ELABINELAB
allow udp from boss EMULAB_MCPORT to myboss EMULAB_MCPORT # 60047: ELABINELAB
allow igmp from any to any # 60048: BASIC,CLOSED,ELABINELAB
allow udp from any to EMULAB_MCADDR EMULAB_MCPORT in via vlan0 # 60046: BASIC,CLOSED
allow udp from EMULAB_BOSSES EMULAB_MCPORT to any EMULAB_MCPORT # 60047: BASIC,CLOSED
allow udp from myboss to EMULAB_MCADDR EMULAB_MCPORT in via vlan0 # 60046: ELABINELAB
allow udp from EMULAB_BOSSES EMULAB_MCPORT to myboss EMULAB_MCPORT # 60047: ELABINELAB
allow igmp from any to any # 60048: BASIC,CLOSED,ELABINELAB
# Ping, IPoD from boss
# should we allow all ICMP in general?
......@@ -343,8 +351,8 @@ allow udp from any 67 to any 68 in not recv vlan0 # 60065: BASIC,CLOSED,ELABINEL
# TFTP with boss or ops
# XXX tftpd can pick any port it wants in response to a request from any port
# so we have to open wide
allow udp from any to boss,ops 69 keep-state # 60066: BASIC,CLOSED,ELABINELAB
allow udp from boss,ops not 0-1023 to any not 0-1023 keep-state # 60067: BASIC,CLOSED,ELABINELAB
allow udp from any to EMULAB_BOSSES,ops 69 keep-state # 60066: BASIC,CLOSED,ELABINELAB
allow udp from EMULAB_BOSSES,ops not 0-1023 to any not 0-1023 keep-state # 60067: BASIC,CLOSED,ELABINELAB
# bootinfo with boss (nodes request/receive info or boss does PXEWAKEUP)
allow udp from any 9696 to boss 6969 keep-state # 60068: BASIC,CLOSED,ELABINELAB
......
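Review bot: Rule 60045 (`allow tcp from any to EMULAB_BOSSES 64494 in via vlan0 setup keep-state`) is added for the BASIC and CLOSED styles only, while the neighbouring frisbee rules 60046/60047 carry both BASIC,CLOSED and ELABINELAB variants; if an inner boss is expected to reach the master server the way it reaches the multicast range (the ELABINELAB form of 60046, `from myboss`), a counterpart such as `allow tcp from myboss to EMULAB_BOSSES 64494 in via vlan0 setup keep-state # 60045: ELABINELAB` appears to be missing — worth confirming against how Elabinelab images are fetched. The comment above the rule reads `# Frisbee master server from boss`, but the rule admits connections from any source to the bosses, so `# Frisbee master server on boss/subbosses (nodes connect)` would describe it more accurately. The same EMULAB_BOSSES substitution in TFTP rules 60066/60067 extends the existing any-unprivileged-port opening to every subboss; the XXX comment above those rules still speaks only of boss/ops and could mention subbosses too.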
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2005, 2006 University of Utah and the Flux Group.
# Copyright (c) 2005-2011 University of Utah and the Flux Group.
# All rights reserved.
#
use Getopt::Std;
......@@ -31,20 +31,21 @@ my %fwvars;
sub getfwvars()
{
# XXX
# XXX for Utah Emulab as of 11/11
$fwvars{EMULAB_GWIP} = "155.98.36.1";
$fwvars{EMULAB_GWMAC} = "00:b0:8e:84:69:34";
$fwvars{EMULAB_GWMAC} = "00:d0:bc:f4:14:f8";
$fwvars{EMULAB_NS} = "155.98.32.70";
$fwvars{EMULAB_CNET} = "155.98.36.0/22";
$fwvars{EMULAB_MCADDR} = "234.5.0.0/16";
$fwvars{EMULAB_MCPORT} = "3564-65535";
$fwvars{EMULAB_BOSSES} = "boss,subboss";
$fwvars{EMULAB_MCADDR} = "234.0.0.0/8";
$fwvars{EMULAB_MCPORT} = "1025-65535";
}
sub expandfwvars($)
{
my ($rule) = @_;
getfwvars() if (!defined(%fwvars));
getfwvars() if (!%fwvars);
if ($rule =~ /EMULAB_\w+/) {
foreach my $key (keys %fwvars) {
......@@ -76,7 +77,7 @@ sub doconfig($)
$style = "emulab" if ($style eq "elabinelab");
$enabled = 1;
print "DELETE FROM default_firewall_rules WHERE ".
print "DELETE FROM `default_firewall_rules` WHERE ".
"type='$type' AND style='$style';\n";
}
......@@ -95,7 +96,7 @@ sub doconfig($)
print "ipfw add $ruleno $rule\n";
}
if ($domysql) {
print "INSERT INTO default_firewall_rules VALUES (".
print "INSERT INTO `default_firewall_rules` VALUES (".
"'$type','$style',$enabled,$ruleno,'$rule');\n";
}
}
......
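Review bot: The hunk widens EMULAB_MCADDR from 234.5.0.0/16 to 234.0.0.0/8 and EMULAB_MCPORT from 3564-65535 to 1025-65535 without recording why; because these variables expand into rules 60046/60047, the firewall will now admit as "frisbee multicast" any UDP to the whole 234/8 range on any unprivileged port, so a comment next to `XXX for Utah Emulab as of 11/11` such as `# XXX 234/8 and 1025-65535 are what rules 60046/60047 will admit as frisbee traffic; document why the /16 and 3564+ values no longer suffice` would keep the change reviewable. Replacing `defined(%fwvars)` with `!%fwvars` is the correct fix for the deprecated defined-on-hash test. In doconfig (its body lies outside the hunk) `$rule` is still interpolated unescaped into the emitted INSERT, so a rule containing a single quote yields broken SQL; the rules file is operator-authored, so this is a robustness rather than an injection concern, but `(my $q = $rule) =~ s/'/''/g;` and printing `$q` would make the generator safe for any rule text.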
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2005, 2008 University of Utah and the Flux Group.
# Copyright (c) 2005-2011 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -56,6 +56,13 @@ for (my $i = 0; $i < scalar(@NETMASKS); $i++) {
my $str;
# By default there is only "boss"
$str = "replace into default_firewall_vars values ('EMULAB_BOSSES', 'boss')";
print "$str\n"
if (!$doit);
DBQueryFatal($str)
if ($doit);
# Use boss IP as "ns" since that is what we assume everywhere else
$str = "replace into default_firewall_vars values ('EMULAB_NS', '$BOSSNODE_IP')";
print "$str\n"
......
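Review bot: The new default `replace into default_firewall_vars values ('EMULAB_BOSSES', 'boss')` covers a single boss, whereas the rules that now reference EMULAB_BOSSES (frisbee master server, multicast sender, TFTP) will silently exclude subbosses at a site that adds them without also updating this variable; the comment could say so explicitly, e.g. `# By default there is only "boss"; sites with subbosses must add them here or the EMULAB_BOSSES firewall rules will not cover them`. Like the existing EMULAB_NS entry it is a `replace into`, so re-running this script resets a site-customised value back to 'boss' — if that is not intended, `insert ignore` (or a check for an existing row) would preserve the customisation. The surrounding script continues outside the hunk.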