1. 04 Feb, 2017 1 commit
  2. 11 Aug, 2016 1 commit
    • Linux firewall fixes inspired by Richard. · d54da568
      Mike Hibler authored
       * If firewall setup fails, don't fail completely open! Instead allow full
         access to/from the firewall, but block all access to/from inside nodes.
       * Sort the rules by rule number so that user-added rules get put in the
         correct place.
       * Fix the rules template for iptables so that user rules get inserted
         into an appropriate location.
       * Fix a bug in the anti-spoofing rules that would prevent any access from
         outside to the inside nodes.
  3. 10 Jun, 2016 2 commits
  4. 08 Jun, 2016 1 commit
  5. 11 Mar, 2016 1 commit
  6. 03 Sep, 2014 1 commit
  7. 02 Jun, 2014 1 commit
  8. 17 Apr, 2014 1 commit
  9. 03 Apr, 2014 1 commit
  10. 31 Mar, 2014 2 commits
  11. 26 Mar, 2014 2 commits
  12. 19 Mar, 2014 1 commit
    • get FreeBSD firewall working with vnodes. · 650adc28
      Mike Hibler authored
      Firewall needed to be taught about the vnode control net (172.16.0.0).
      Basic stuff works now. Haven't tested everything.
      
      Unrelated to this commit, the Linux firewall seems to be broken.
      No traffic flows between the inside and outside even in an "open"
      configuration. Needs investigation.
  13. 26 Feb, 2014 1 commit
  14. 24 Sep, 2012 1 commit
    • Replace license symbols with {{{ }}}-enclosed license blocks. · 6df609a9
      Eric Eide authored
      This commit is intended to make the license status of Emulab and
      ProtoGENI source files more clear.  It replaces license symbols like
      "EMULAB-COPYRIGHT" and "GENIPUBLIC-COPYRIGHT" with {{{ }}}-delimited
      blocks that contain actual license statements.
      
      This change was driven by the fact that today, most people acquire and
      track Emulab and ProtoGENI sources via git.
      
      Before the Emulab source code was kept in git, the Flux Research Group
      at the University of Utah would roll distributions by making tar
      files.  As part of that process, the Flux Group would replace the
      license symbols in the source files with actual license statements.
      
      When the Flux Group moved to git, people outside of the group started
      to see the source files with the "unexpanded" symbols.  This meant
      that people acquired source files without actual license statements in
      them.  All the relevant files had Utah *copyright* statements in them,
      but without the expanded *license* statements, the licensing status of
      the source files was unclear.
      
      This commit is intended to clear up that confusion.
      
      Most Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the Affero GNU General Public License, version 3
      (AGPLv3).
      
      Most Utah-copyrighted files related to ProtoGENI are distributed under
      the terms of the GENI Public License, which is a BSD-like open-source
      license.
      
      Some Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the GNU Lesser General Public License, version 2.1
      (LGPL).
  15. 03 Feb, 2012 1 commit
  16. 26 Jan, 2012 1 commit
  17. 20 Jan, 2012 4 commits
  18. 19 Jan, 2012 1 commit
  19. 12 Jan, 2012 1 commit
    • Initial client code and rules for Linux firewalls · 2690be45
      Ryan Jackson authored
      Made the following changes to the clientside code to support Linux
      firewalls:
      
      - Made os_fwconfig_line() actually do something.
      - getfwconfig() adds an 'IPS' hash to the fwinfo hash.  This contains
        the IP address for each host, much like how the 'MACS' hash contains
        the MAC address for each host.  This is needed because ebtables (which
        is needed for ARP proxying) doesn't resolve hostnames.
      
      Rules are stored in firewall/iptables-fw-rules.  Syntax is similar to
      fw-rules, but without the rule number (since iptables doesn't use rule
      numbers).  These should be equivalent to our ipfw-based rules, but I
      haven't tested every case yet to confirm this.  I'm sure some changes
      will be necessary.
  20. 21 Nov, 2011 1 commit
  21. 15 Nov, 2011 1 commit
    • Further overhaul of firewall code. NOTE: required bump of tmcd version to 34. · 6a26b246
      Mike Hibler authored
      Firewalls now work with nodes which require a subboss. Had to introduce new
      firewall rules which skipped around the checks that no packets to/from
      node control net IPs should pass through the firewall, if the IP in question
      belongs to a subboss (since subboss is on the node control network). It
      actually checks for all Emulab servers (boss, ops, fs or any subboss),
      so the code should work for an Emulab install which has a non-segmented
      control network in which all servers were in the same subnet as the nodes.
      
      In addition to the new rules, we also had to pass in additional information
      via "tmcc firewallinfo" giving the IP/MAC of those server nodes that are on
      the node control network. We use this to establish ARP entries on the
      inside network so that nodes can find the servers. Since the existing
      client-side firewall code in libsetup.pm would blow up if it got a line
      that it didn't recognize, I had to bump the tmcd version number and add
      some conditional code to tmcd.c:dofwinfo() to not return the extra info for
      old versions.
      
      Added a couple of new firewall variables EMULAB_BOSSES and EMULAB_SERVERS
      that are used in the new rules. Fixed the support scripts in firewall/
      to properly initialize these variables.
      
      IMPORTANT: tmcd looks up boss, ops, fs, and subbosses in the interfaces
      table to find their IPs and MAC addresses. By default, we do not create
      such interface table entries for boss/ops/fs. We have them at Utah for
      other reasons. These entries are only needed if you have a non-segmented
      control network (or a subboss) and you want to firewall such nodes.
      The script to initialize the firewall variables (initfwvars.pl) will
      print out a warning for configurations that are affected and don't have
      the entries.
  22. 03 Nov, 2011 1 commit
  23. 02 Nov, 2011 1 commit
  24. 07 Jul, 2009 1 commit
  25. 15 Apr, 2008 1 commit
  26. 20 Feb, 2008 1 commit
  27. 14 Dec, 2006 1 commit
  28. 01 Dec, 2006 1 commit
  29. 13 Feb, 2006 1 commit
  30. 07 Feb, 2006 2 commits
  31. 06 Feb, 2006 1 commit
  32. 03 Feb, 2006 1 commit
  33. 01 Feb, 2006 1 commit