Commit d13fd829 authored by Mike Hibler

More firewall rule updates.

More tweaks for frisbee. Allow TCP-based NFS.
parent cd8570b4
...@@ -143,16 +143,16 @@ allow udp from me 514 to ops 514 # 26: BASIC,CLOSED,ELABINELAB ...@@ -143,16 +143,16 @@ allow udp from me 514 to ops 514 # 26: BASIC,CLOSED,ELABINELAB
# #
# NFS # NFS
# DANGER WILL ROBINSON!!! # DANGER WILL ROBINSON!!!
# Portmapper (tcp or udp), mountd and NFS with fs # Portmapper (tcp or udp), mountd and NFS (tcp or udp) with fs
# #
# Note that we have to allow IP fragments through due to the default # Note that we have to allow IP fragments through due to the default
# 8k read/write size. Perhaps we should dial down the read/write size for # 8k read/write size. Perhaps we should dial down the read/write size for
# firewalled experiments. # firewalled experiments.
# #
allow ip from me to fs 111 keep-state # 30: BASIC,CLOSED,ELABINELAB allow ip from me to fs 111 keep-state # 30: BASIC,CLOSED,ELABINELAB
allow udp from me not 0-700 to fs keep-state # 31: BASIC,CLOSED,ELABINELAB allow ip from me not 0-700 to fs keep-state # 31: BASIC,CLOSED,ELABINELAB
allow udp from me to fs 900 keep-state # 32: BASIC,CLOSED,ELABINELAB allow ip from me to fs 900 keep-state # 32: BASIC,CLOSED,ELABINELAB
allow udp from me to fs 2049 keep-state # 33: BASIC,CLOSED,ELABINELAB allow ip from me to fs 2049 keep-state # 33: BASIC,CLOSED,ELABINELAB
allow ip from me to fs frag # 34: BASIC,CLOSED,ELABINELAB allow ip from me to fs frag # 34: BASIC,CLOSED,ELABINELAB
allow ip from fs to me frag # 35: BASIC,CLOSED,ELABINELAB allow ip from fs to me frag # 35: BASIC,CLOSED,ELABINELAB
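Review bot: rules 31-33 switch from `udp` to `ip` to let TCP-based NFS through, but the TCP half then has no `setup` qualifier, unlike the other TCP rules in this ruleset (for example 60045, `... setup keep-state`), so a dynamic-state entry can be created by any TCP segment rather than only by a connection-opening one. Consider splitting each into an explicit `allow tcp ... setup keep-state` and `allow udp ... keep-state` pair instead of using `ip`. Note also that rule 31, `allow ip from me not 0-700 to fs keep-state`, only constrains the source port, so with TCP included it admits a TCP connection from any unprivileged port to any port on fs and makes rules 32 and 33 redundant; if that wide rule exists for a dynamically assigned port (the comment mentions mountd), the comment above should say so.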
...@@ -205,7 +205,7 @@ deny not mac-type ip # 80: BASIC,CLOSED,ELABINELAB ...@@ -205,7 +205,7 @@ deny not mac-type ip # 80: BASIC,CLOSED,ELABINELAB
# No one on the inside can talk to other experiments' nodes and visa-versa. # No one on the inside can talk to other experiments' nodes and visa-versa.
# #
# XXX currently we only do this for the heavier weight firewalls because # XXX currently we only do this for the heavier weight firewalls because
# the user cannot over ride this. # the user cannot override this.
# #
# Note that this does not apply to nodes within this experiment because # Note that this does not apply to nodes within this experiment because
# those packets never come to the firewall. # those packets never come to the firewall.
...@@ -264,16 +264,16 @@ allow udp from any 514 to ops 514 # 60026: BASIC,CLOSED ...@@ -264,16 +264,16 @@ allow udp from any 514 to ops 514 # 60026: BASIC,CLOSED
# #
# NFS # NFS
# DANGER WILL ROBINSON!!! # DANGER WILL ROBINSON!!!
# Portmapper (tcp or udp), mountd and NFS with fs # Portmapper (tcp or udp), mountd and NFS (tcp or udp) with fs
# #
# Note that we have to allow IP fragments through due to the default # Note that we have to allow IP fragments through due to the default
# 8k read/write size. Perhaps we should dial down the read/write size for # 8k read/write size. Perhaps we should dial down the read/write size for
# firewalled experiments. # firewalled experiments.
# #
allow ip from any to fs 111 keep-state # 60030: BASIC,CLOSED allow ip from any to fs 111 keep-state # 60030: BASIC,CLOSED
allow udp from any not 0-700 to fs keep-state # 60031: BASIC,CLOSED allow ip from any not 0-700 to fs keep-state # 60031: BASIC,CLOSED
allow udp from any to fs 900 keep-state # 60032: BASIC,CLOSED allow ip from any to fs 900 keep-state # 60032: BASIC,CLOSED
allow udp from any to fs 2049 keep-state # 60033: BASIC,CLOSED allow ip from any to fs 2049 keep-state # 60033: BASIC,CLOSED
allow ip from any to fs frag # 60034: BASIC,CLOSED allow ip from any to fs frag # 60034: BASIC,CLOSED
allow ip from fs to any frag # 60035: BASIC,CLOSED allow ip from fs to any frag # 60035: BASIC,CLOSED
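Review bot: the same `ip` versus explicit `tcp ... setup keep-state` / `udp ... keep-state` concern raised for rules 30-33 applies here, and it weighs more because these rules match `from any`: 60031, `allow ip from any not 0-700 to fs keep-state`, now lets any host behind the firewall open a TCP connection to any port on fs from any source port above 700, which goes well beyond the "Allow TCP-based NFS" stated in the commit message. If NFS over TCP is the only goal, widen 60032 and 60033 (ports 900 and 2049) to TCP and leave 60031 as UDP-only rather than widening it too.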
...@@ -304,19 +304,32 @@ allow tcp from any to myboss 3069 in not recv vlan0 setup keep-state # 60044: ...@@ -304,19 +304,32 @@ allow tcp from any to myboss 3069 in not recv vlan0 setup keep-state # 60044:
allow tcp from any to EMULAB_BOSSES 64494 in via vlan0 setup keep-state # 60045: BASIC,CLOSED allow tcp from any to EMULAB_BOSSES 64494 in via vlan0 setup keep-state # 60045: BASIC,CLOSED
# #
# Frisbee multicast from boss # Frisbee multicast with boss
# * nodes mcast everything (joins, leaves and requests) # * nodes mcast everything to boss (joins, leaves and requests): 60046
# * boss mcasts blocks, unicasts join replies, both from/to same port # * boss mcasts blocks to same mcaddr/port: 60047
# * node and switch need to IGMP # * boss unicasts join replies to same port: 60048
# * node and switch need to IGMP: 60049
# #
# Elabinelab should only do this to download an image from real boss to # Elabinelab should only do this to download an image from real boss to
# the inner boss. Re-imaging anything else from outside would be a disaster. # the inner boss. Re-imaging anything else from outside would be a disaster.
# # But note that the image is still mcast, so we cannot really differentiate
allow udp from any to EMULAB_MCADDR EMULAB_MCPORT in via vlan0 # 60046: BASIC,CLOSED # in 60047.
allow udp from EMULAB_BOSSES EMULAB_MCPORT to any EMULAB_MCPORT # 60047: BASIC,CLOSED #
allow udp from myboss to EMULAB_MCADDR EMULAB_MCPORT in via vlan0 # 60046: ELABINELAB # NOTE: the unicast join replies (60048) make our life miserable. We cannot
allow udp from EMULAB_BOSSES EMULAB_MCPORT to myboss EMULAB_MCPORT # 60047: ELABINELAB # use a keep-state rule because the request was multicast and not directed to
allow igmp from any to any # 60048: BASIC,CLOSED,ELABINELAB # boss. Thus we have to open up a wide range of ports from boss for the reply.
# To make matters worse, this wide range potentially overlaps with rule 60067
# which allows TFTP traffic. Since the latter requires bi-directional traffic,
# we DO need to specify keep-state on this rule. If we ever start mcasting
# join replies, we could get rid of rule 60048 (which is why it is split out
# from 60047).
#
allow udp from any to EMULAB_MCADDR EMULAB_MCPORT in via vlan0 # 60046: BASIC,CLOSED
allow udp from EMULAB_BOSSES EMULAB_MCPORT to EMULAB_MCADDR EMULAB_MCPORT # 60047: BASIC,CLOSED,ELABINELAB
allow udp from EMULAB_BOSSES EMULAB_MCPORT to any EMULAB_MCPORT keep-state # 60048: BASIC,CLOSED
allow udp from myboss to EMULAB_MCADDR EMULAB_MCPORT in via vlan0 # 60046: ELABINELAB
allow udp from EMULAB_BOSSES EMULAB_MCPORT to myboss EMULAB_MCPORT keep-state # 60048: ELABINELAB
allow igmp from any to any # 60049: BASIC,CLOSED,ELABINELAB
# Ping, IPoD from boss # Ping, IPoD from boss
# should we allow all ICMP in general? # should we allow all ICMP in general?
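Review bot: the new comment for 60048 says the firewall has to "open up a wide range of ports from boss for the reply", but the rule as written, `allow udp from EMULAB_BOSSES EMULAB_MCPORT to any EMULAB_MCPORT keep-state`, pins both source and destination to EMULAB_MCPORT and is not wide at all; either the comment or the rule is out of date, and the justification for `keep-state` (overlap with the TFTP rule 60067) only holds for the wide version. Please reconcile the two, and likewise for the ELABINELAB variant `allow udp from EMULAB_BOSSES EMULAB_MCPORT to myboss EMULAB_MCPORT keep-state`, which carries the same mismatch. The rest of the hunk reads consistently: the per-rule numbers in the header comment match the new 60046-60049 assignments, and folding 60047 into a single BASIC,CLOSED,ELABINELAB rule matches the note that the multicast block stream cannot be differentiated per firewall type.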