Commit 16fd118f authored by Mike Hibler

New firewall directory. Has the master file that describes the default
rules (fw-rules), a script to populate the DB from those rules, and a
script to initialize the firewall variables.

This is not part of any standard make, it is used in a one-time fashion
either at install or during the next update.  Still need to write the
instructions for this.
parent caab98fa
......@@ -1807,7 +1807,7 @@ esac
outfiles="$outfiles Makeconf GNUmakefile \
assign/GNUmakefile \
named/GNUmakefile \
named/GNUmakefile firewall/GNUmakefile \
ssl/GNUmakefile ssl/mksig ssl/usercert.cnf \
capture/GNUmakefile \
db/GNUmakefile db/nalloc db/nfree db/if2port db/backup \
......@@ -583,7 +583,7 @@ esac]
outfiles="$outfiles Makeconf GNUmakefile \
assign/GNUmakefile \
named/GNUmakefile \
named/GNUmakefile firewall/GNUmakefile \
ssl/GNUmakefile ssl/mksig ssl/usercert.cnf \
capture/GNUmakefile \
db/GNUmakefile db/nalloc db/nfree db/if2port db/backup \
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2005 University of Utah and the Flux Group.
# All rights reserved.
#
SRCDIR = @srcdir@
TESTBED_SRCDIR = @top_srcdir@
OBJDIR = ..
SUBDIR = firewall
TBDB = @TBDBNAME@
FW_SCRIPTS = initfwvars.pl
FW_FILES = open.sql closed.sql basic.sql emulab.sql
include $(OBJDIR)/Makeconf
#
# Force dependencies on the scripts so that they will be rerun through
# configure if the .in file is changed.
#
all: $(FW_SCRIPTS) $(FW_FILES)
include $(TESTBED_SRCDIR)/GNUmakerules
%.sql: genconfig.pl
$(SRCDIR)/genconfig.pl -f $(SRCDIR)/fw-rules -M $* > $@
insertvars: initfwvars.pl
@if ! `mysqldump $(TBDB) default_firewall_vars >/dev/null 2>&1`; then \
echo -n '*** default_firewall_vars table does not exist, '; \
echo 'see sql/database-migrate.txt'; \
exit 1; \
else \
chmod +x ./initfwvars.pl; \
./initfwvars.pl; \
fi
insertrules: $(FW_FILES)
@if ! `mysqldump $(TBDB) default_firewall_rules >/dev/null 2>&1`; then \
echo -n '*** default_firewall_rules table does not exist, '; \
echo 'see sql/database-migrate.txt'; \
exit 1; \
else \
cat $(FW_FILES) | mysql $(TBDB); \
fi
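Review bot: `emulab.sql` in `FW_FILES` is produced by the generic `%.sql` rule as `genconfig.pl ... -M emulab`, but genconfig.pl upper-cases that argument and keeps lines matching `/EMULAB/`, which in fw-rules selects only the rules mentioning `EMULAB_*` variables rather than the `ELABINELAB`-tagged set (the script's own `$style = "emulab" if ($style eq "elabinelab")` remap shows `-M elabinelab` is the intended invocation), so the file `insertrules` loads under style `emulab` will hold the wrong rules; give it an explicit rule, `emulab.sql: genconfig.pl $(SRCDIR)/fw-rules` followed by `$(SRCDIR)/genconfig.pl -f $(SRCDIR)/fw-rules -M elabinelab > $@`, or rename the output to `elabinelab.sql`. The pattern rule also omits the data file from its prerequisites, so editing `fw-rules` never regenerates the `.sql` outputs: `%.sql: genconfig.pl $(SRCDIR)/fw-rules`. The table-existence tests in `insertvars` and `insertrules` wrap `mysqldump` in backticks, which executes its (redirected, hence empty) output as a command and only works because the shell reports the substitution's exit status for an empty command; write `@if ! mysqldump $(TBDB) default_firewall_vars >/dev/null 2>&1; then \` (and the same for `default_firewall_rules`).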
#
# Firewall rule template.
#
# Styles:
#
# OPEN allows everything
# CLOSED allows only Emulab infrastructure services
# BASIC CLOSED + ssh from anywhere
# ELABINELAB Elab-in-elab, eliminates many Emulab services
# WINDOWS Rules specific to WinXP, not a real style right now
#
# Variables expanded by rc.firewall script:
#
# EMULAB_NS IP address of name server
# EMULAB_CNET Node control network in CIDR notation
#
# Currently these are sufficient for rules we use. Note that you can
# safely use symbolic hostnames "boss", "ops", "fs", "users", "ntp1"
# and "ntp2" as they are all guaranteed to resolve (assuming an earlier
# rule exists to allow DNS traffic to/from EMULAB_NS).
#
# Remaining questions:
#
# 1. Anti-spoofing? The real firewall will do spoofing checks, should
# we do them also? It won't protect the rest of the control net from
# us unless we put in specific, per-firewalled-host rules.
#
# 2. How much should we protect the firewall itself? We disallow complete
# access from inside. From outside, we treat the firewall pretty much
# like a firewalled node, excpet that we always allow infrastructure
# services (e.g. NFS).
#
# 3. Watch out for VLAN tagged packets. We don't want to process them
# when they come in off the phys interface, we want to process them
# when they have been untagged.
#
# Let through anything
allow all from any to any # 65534: OPEN
# match existing dynamic rules first
check-state # 1: BASIC,CLOSED,ELABINELAB
# Can talk to myself
allow all from me to me # 10: BASIC,CLOSED,ELABINELAB
# But no one on the inside can talk to me or other experiment nodes
deny all from any to me via vlan0 # 11: BASIC,CLOSED,ELABINELAB
deny all from any to EMULAB_CNET via vlan0 # 12: BASIC,CLOSED,ELABINELAB
# Let nodes find the gateway
allow mac-type arp # 13: BASIC,CLOSED,ELABINELAB
# other boilerplate
allow all from any to any frag # 14: BASIC,CLOSED,ELABINELAB
# Anti-spoofing?
# allow DNS to boss early so other rules can use symbolic host names
allow udp from any to EMULAB_NS 53 keep-state # 50: BASIC,CLOSED,ELABINELAB
#
# By convention, user supplied rules are in the 100-60000 range
# This allows them to override the remaining infrastructure rules.
#
# Standard services for both us and firewalled nodes
# ssh from boss (for reboot, etc.)
allow tcp from boss to any 22 setup keep-state # 60000: CLOSED
allow tcp from any to any 22 setup keep-state # 60000: BASIC,ELABINELAB
# NTP to ntp servers
allow ip from any to ntp1,ntp2 123 keep-state # 60010: BASIC,CLOSED,ELABINELAB
# syslog with ops
allow udp from any 514 to ops 514 # 60020: BASIC,CLOSED
# DANGER WILL ROBINSON!!!
# portmapper (tcp or udp), mountd and NFS with fs
allow ip from any to fs 111 keep-state # 60030: BASIC,CLOSED
allow udp from any not 0-700 to fs keep-state # 60031: BASIC,CLOSED
allow udp from any to fs 900 keep-state # 60032: BASIC,CLOSED
allow udp from any to fs 2049 keep-state # 60033: BASIC,CLOSED
allow ip from me to fs 111 keep-state # 60030: ELABINELAB
allow udp from me not 0-700 to fs keep-state # 60031: ELABINELAB
allow udp from me to fs 900 keep-state # 60032: ELABINELAB
allow udp from me to fs 2049 keep-state # 60033: ELABINELAB
# cvsup to boss
allow tcp from any to boss 5999 setup keep-state # 60040: BASIC,CLOSED
# elvind to ops (unicast TCP and multicast UDP)
allow ip from any to ops 2917 keep-state # 60050: BASIC,CLOSED
allow ip from me to ops 2917 keep-state # 60050: ELABINELAB
# slothd to boss
allow udp from any to boss 8509 # 60060: BASIC,CLOSED
allow udp from me to boss 8509 # 60060: ELABINELAB
# Special services
# HTTP/HTTPS/SSLXMLRPC into elabinelab boss from outside
allow tcp from any to any 80,443 in not recv vlan0 setup keep-state # 60070: ELABINELAB
allow tcp from any to any 3069 in not recv vlan0 setup keep-state # 60071: ELABINELAB
# frisbee multicast from boss
allow udp from any to EMULAB_MCADDR # 60080: BASIC,CLOSED,ELABINELAB
allow udp from boss EMULAB_MCPORT to any EMULAB_MCPORT # 60081: BASIC,CLOSED,ELABINELAB
allow igmp from any to any # 60082: BASIC,CLOSED,ELABINELAB
# Ping, IPoD from boss
# should we allow all ICMP?
allow icmp from boss to any icmptypes 6,8 # 60090: BASIC,CLOSED,ELABINELAB
allow icmp from any to boss icmptypes 0 # 60091: BASIC,CLOSED,ELABINELAB
# Windows
# SMB (445) with fs
# SSH (2222) into nodes
# rdesktop (3389) to nodes
# no blaster (135,4444) or slammer (1434) please!
allow tcp from any to fs 445 in via vlan0 setup keep-state # 60100: WINDOWS
allow tcp from any to any 2222 in not recv vlan0 setup keep-state # 60101: WINDOWS
allow tcp from any not 0-1023 to any 3389 in not recv vlan0 setup keep-state # 60102: WINDOWS
deny tcp from any to any 135,4444 # 60110: WINDOWS
deny udp from any to any 1434 # 60111: WINDOWS
# Boot time only services
# DHCP requests from, and replies to, inside
# requests are always broadcast, replies may be broadcast or unicast
allow udp from any 68 to 255.255.255.255 67 recv vlan0 # 61000: BASIC,CLOSED,ELABINELAB
allow udp from any 67 to any 68 in not recv vlan0 # 61001: BASIC,CLOSED,ELABINELAB
# TFTP with boss or ops
# XXX tftpd can pick any port it wants in response to a request from any port
# so we have to open wide
allow udp from any to boss,ops 69 keep-state # 61010: BASIC,CLOSED,ELABINELAB
allow udp from boss,ops not 0-1023 to any not 0-1023 keep-state #61011: BASIC,CLOSED,ELABINELAB
# bootinfo and TMCC (udp or tcp) with boss
allow udp from any to boss 6969 keep-state # 61020: BASIC,CLOSED,ELABINELAB
allow ip from any to boss 7777 keep-state # 61021: BASIC,CLOSED,ELABINELAB
# nuke everything else
# this should be the default kernel setting, but just in case
deny all from any to any # 65534: BASIC,CLOSED,ELABINELAB
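Review bot: The `# Anti-spoofing?` placeholder between rules 14 and 50 is still empty even though the header raises the question, and nothing in the visible ruleset checks the source address of traffic arriving on vlan0, while the preceding `allow all from any to any frag` passes every non-first fragment in all three closed styles before any port rule can see it. If the ipfw build in use supports the option, `deny ip from any to any not antispoof in # 15: BASIC,CLOSED,ELABINELAB` is the cheap answer to the first, and the frag rule at least deserves a comment recording why the hole is accepted, e.g. `# fragments carry no ports; needed for UDP NFS/TFTP, deliberately not filtered by service`. The DHCP reply rule `allow udp from any 67 to any 68 in not recv vlan0` accepts offers from any outside server, not only the infrastructure's; if the server is boss, `allow udp from boss 67 to any 68 in not recv vlan0` would be tighter. Typo in the header comment: `excpet` should read `except`.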
#!/usr/local/bin/perl -w
#
# Generate a file of IPFW rules suitable either for feeding to IPFW or
# for insertion in the DB.
#
use Getopt::Std;
use English;
my $datafile = "fw-rules";
my $optlist = "eMIf:";
my $domysql = 0;
my $doipfw = 1;
my $expand = 0;
my @lines;
sub usage()
{
print "Usage: genconfig [-MI] config ...\n".
" -e expand EMULAB_ variables\n".
" -f file specify the input rules file\n".
" -M generate mysql commands\n".
" -I generate IPFW commands\n";
exit(1);
}
my %fwvars;
sub getfwvars()
{
# XXX
$fwvars{EMULAB_BOSS} = "155.98.32.70";
$fwvars{EMULAB_OPS} = "155.98.33.74";
$fwvars{EMULAB_FS} = "155.98.33.74";
$fwvars{EMULAB_CNET} = "155.98.36.0/22";
}
sub expandfwvars($)
{
my ($rule) = @_;
getfwvars() if (!defined(%fwvars));
if ($rule =~ /EMULAB_\w+/) {
foreach my $key (keys %fwvars) {
$rule =~ s/$key/$fwvars{$key}/
if (defined($fwvars{$key}));
}
if ($rule =~ /EMULAB_\w+/) {
warn("*** WARNING: Unexpanded firewall variable in: \n".
" $rule\n");
}
}
return $rule;
}
sub doconfig($)
{
my ($config) = @_;
my $ruleno = 1;
my ($type, $style, $enabled);
if ($doipfw) {
print "# $config\n";
print "ipfw -q flush\n";
}
if ($domysql) {
$type = "ipfw2-vlan";
$style = lc($config);
# XXX
$style = "emulab" if ($style eq "elabinelab");
$enabled = 1;
print "DELETE FROM default_firewall_rules WHERE ".
"type='$type' AND style='$style';\n";
}
foreach my $line (@lines) {
next if ($line !~ /$config/);
next if ($line =~ /^#/);
if ($line =~ /#\s*(\d+):.*/) {
$ruleno = $1;
} else {
$ruleno++;
}
($rule = $line) =~ s/\s*#.*//;
chomp($rule);
$rule = expandfwvars($rule) if ($expand);
if ($doipfw) {
print "ipfw add $ruleno $rule\n";
}
if ($domysql) {
print "INSERT INTO default_firewall_rules VALUES (".
"'$type','$style',$enabled,$ruleno,'$rule');\n";
}
}
print "\n";
}
%options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"M"})) {
$domysql = 1;
$doipfw = 0;
}
if (defined($options{"I"})) {
$doipfw = 1;
$domysql = 0;
}
if (defined($options{"e"})) {
$expand = 1;
}
if (defined($options{"f"})) {
$datafile = $options{"f"};
}
if (@ARGV == 0) {
usage();
}
@lines = `cat $datafile`;
foreach my $config (@ARGV) {
$config = uc($config);
doconfig($config);
}
exit(0);
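Review bot: `@lines = \`cat $datafile\`;` hands the `-f` argument to a shell and, if the file cannot be read, silently leaves `@lines` empty — in `-M` mode `doconfig` has already printed the unconditional `DELETE FROM default_firewall_rules WHERE type=... AND style=...;`, so a mistyped path generates SQL that wipes the style's rules and inserts nothing; read the file directly and fail loudly: `open(my $fh, '<', $datafile) or die("$datafile: $!"); @lines = <$fh>; close($fh);`. In `expandfwvars` the substitution `s/$key/$fwvars{$key}/` has no `/g`, so a rule naming a variable twice (fw-rules has `from boss EMULAB_MCPORT to any EMULAB_MCPORT`) is only half-expanded and then trips the unexpanded-variable warning; use `s/\Q$key\E/$fwvars{$key}/g`, and replace the deprecated `defined(%fwvars)` with `if (!%fwvars)`. The line filter `next if ($line !~ /$config/);` matches the style name anywhere in the line, so an argument such as `emulab` (upper-cased to `EMULAB`) selects rules by their `EMULAB_*` variable names instead of their style tag; anchor it to the tag list, e.g. `next if ($line !~ /#\s*\d+:\s*(?:\w+,)*$config\b/);`. The generated INSERT interpolates `$type`, `$style` and `$rule` into single-quoted SQL literals without escaping, so a rule containing `'` breaks or alters the statement; doubling quotes (`(my $sqlrule = $rule) =~ s/'/''/g;`) is the minimum if this ever consumes anything but the checked-in fw-rules. The script also lacks `use strict; use warnings;`, which is why the undeclared `$rule` and `%options` globals compile.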
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2005 University of Utah and the Flux Group.
# All rights reserved.
#
#CREATE TABLE firewall_vars (
# name varchar(255) NOT NULL default '',
# value text,
# PRIMARY KEY (name)
#) TYPE=MyISAM;
my $doit = 1;
use English;
use Socket;
use lib "@prefix@/lib";
use libdb;
my $CONTROL_NETWORK = "@CONTROL_NETWORK@";
my $CONTROL_NETMASK = "@CONTROL_NETMASK@";
my $BOSSNODE_IP = "@BOSSNODE_IP@";
my $FRISBEE_MCASTADDR = "@FRISEBEEMCASTADDR@";
my $FRISBEE_MCASTPORT = "@FRISEBEEMCASTPORT@";
#
# Untaint the path
#
$ENV{'PATH'} = '/bin:/usr/bin:/usr/sbin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
# Simple is good. I stole this out of a google search.
my @NETMASKS =
(0x10000000, # 0
0x80000000, 0xC0000000, 0xE0000000, 0xF0000000, # 1 - 4
0xF8000000, 0xFC000000, 0xFE000000, 0xFF000000, # 5 - 8
0xFF800000, 0xFFC00000, 0xFFE00000, 0xFFF00000, # 9 - 12
0xFFF80000, 0xFFFC0000, 0xFFFE0000, 0xFFFF0000, # 13 - 16
0xFFFF8000, 0xFFFFC000, 0xFFFFE000, 0xFFFFF000, # 17 - 20
0xFFFFF800, 0xFFFFFC00, 0xFFFFFE00, 0xFFFFFF00, # 21 - 24
0xFFFFFF80, 0xFFFFFFC0, 0xFFFFFFE0, 0xFFFFFFF0, # 25 - 28
0xFFFFFFF8, 0xFFFFFFFC, 0xFFFFFFFE, 0xFFFFFFFF # 29 - 32
);
my $CIDRMASK = "24";
for (my $i = 0; $i < scalar(@NETMASKS); $i++) {
my $foo = pack("N", $NETMASKS[$i]);
if ($CONTROL_NETMASK eq inet_ntoa($foo)) {
$CIDRMASK = "$i";
last;
}
}
my $str;
# Use boss IP as "ns" since that is what we assume everywhere else
$str = "replace into default_firewall_vars values ('EMULAB_NS', '$BOSSNODE_IP')";
print "$str\n"
if (!$doit);
DBQueryFatal($str)
if ($doit);
# Add the control net in CIDR notation
$str = "replace into default_firewall_vars values ('EMULAB_CNET', '$CONTROL_NETWORK/$CIDRMASK')";
print "$str\n"
if (!$doit);
DBQueryFatal($str)
if ($doit);
# Frisbee multicast info (XXX assumptions, assumptions!)
$FRISBEE_MCASTADDR = $FRISBEE_MCASTADDR . ".0/24";
$FRISBEE_MCASTPORT = $FRISBEE_MCASTPORT . "-" . ($FRISBEE_MCASTPORT + 255);
$str = "replace into default_firewall_vars values ('EMULAB_MCADDR', '$FRISBEE_MCASTADDR')";
print "$str\n"
if (!$doit);
DBQueryFatal($str)
if ($doit);
$str = "replace into default_firewall_vars values ('EMULAB_MCPORT', '$FRISBEE_MCASTPORT')";
print "$str\n"
if (!$doit);
DBQueryFatal($str)
if ($doit);
exit(0);
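Review bot: The `@NETMASKS` table starts with `0x10000000` for the 0-bit mask, which is 16.0.0.0 rather than 0.0.0.0 (`0x00000000`), and when `@CONTROL_NETMASK@` matches no entry the loop falls through to the hard-coded `$CIDRMASK = "24"`, so a malformed netmask silently stores an `EMULAB_CNET` prefix that rules such as `deny all from any to EMULAB_CNET via vlan0` then cover incorrectly; fail closed instead, `my $CIDRMASK;` before the loop and `die("Unrecognized netmask $CONTROL_NETMASK\n") if (!defined($CIDRMASK));` after it. The substitution symbols `@FRISEBEEMCASTADDR@` and `@FRISEBEEMCASTPORT@` are spelled differently from the `$FRISBEE_*` variables they populate; if configure.in does not define them under exactly that spelling they stay as literal text and `EMULAB_MCADDR`/`EMULAB_MCPORT` become garbage, so confirm the spelling against configure.in. The commented schema at the top names the table `firewall_vars` while every statement below writes `default_firewall_vars`; change the comment to `#CREATE TABLE default_firewall_vars (`. The `. ".0/24"` and `+ 255` suffixes assume a three-octet multicast base and a 256-port block, as the XXX admits; a comment stating the expected form of the configure values (`# FRISBEE_MCASTADDR is expected to be the first three octets only; FRISBEE_MCASTPORT the base of a 256-port range`) would make the assumption checkable by whoever sets them.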