1. 21 Nov, 2011 1 commit
  2. 15 Nov, 2011 1 commit
    • Further overhaul of firewall code. NOTE: required bump of tmcd version to 34. · 6a26b246
      Mike Hibler authored
      Firewalls now work with nodes which require a subboss. Had to introduce new
      firewall rules which skipped around the checks that no packets to/from
      node control net IPs should pass through the firewall, if the IP in question
      belongs to a subboss (since subboss is on the node control network). It
      actually checks for all Emulab servers (boss, ops, fs or any subboss),
      so the code should work for an Emulab install which has a non-segmented
      control network in which all servers were in the same subnet as the nodes.
      
      In addition to the new rules, we also had to pass in additional information
      via "tmcc firewallinfo" giving the IP/MAC of those server nodes that are on
      the node control network. We use this to establish ARP entries on the
      inside network so that nodes can find the servers. Since the existing
      client-side firewall code in libsetup.pm would blow up if it got a line
      that it didn't recognize, I had to bump the tmcd version number and add
      some conditional code to tmcd.c:dofwinfo() to not return the extra info for
      old versions.
      
      Added a couple of new firewall variables EMULAB_BOSSES and EMULAB_SERVERS
      that are used in the new rules. Fixed the support scripts in firewall/
      to properly initialize these variables.
      
      IMPORTANT: tmcd looks up boss, ops, fs, and subbosses in the interfaces
      table to find their IPs and MAC addresses. By default, we do not create
      such interface table entries for boss/ops/fs. We have them at Utah for
      other reasons. These entries are only needed if you have a non-segmented
      control network (or a subboss) and you want to firewall such nodes.
      The script to initialize the firewall variables (initfwvars.pl) will
      print out a warning for configurations that are affected and don't have
      the entries.
  3. 03 Nov, 2011 1 commit
  4. 02 Nov, 2011 1 commit
  5. 07 Jul, 2009 1 commit
  6. 01 Dec, 2006 1 commit
  7. 07 Feb, 2006 1 commit
  8. 19 Sep, 2005 1 commit
  9. 16 Aug, 2005 1 commit
  10. 08 Mar, 2005 1 commit
  11. 01 Feb, 2005 1 commit
    • Jigger the rules some: · 4cd84b84
      Mike Hibler authored
      ELABINELAB: allow SSLXMLRPC from inside to boss.  Needed for frisbee load
      	of images.
      ALL: allow through all ICMP for now.
  12. 28 Jan, 2005 1 commit
  13. 11 Jan, 2005 1 commit
    • New firewall directory. Has the master file that describes the default · 16fd118f
      Mike Hibler authored
      rules (fw-rules), a script to populate the DB from those rules, and a
      script to initialize the firewall variables.
      
      This is not part of any standard make, it is used in a one-time fashion
      either at install or during the next update.  Still need to write the
      instructions for this.