Commit 57cfc31e authored by Leigh Stoller's avatar Leigh Stoller

Checkpoint new firewall rule support. These are templates for

boss/ops firewalls (ipfw) which we can run on sites that are not
protected by an external firewall. Work in progress.
parent ef409c9f
......@@ -7395,7 +7395,7 @@ fi
outfiles="$outfiles Makeconf GNUmakefile \
assign/GNUmakefile \
named/GNUmakefile firewall/GNUmakefile \
named/GNUmakefile firewall/GNUmakefile fwrules/GNUmakefile \
ssl/GNUmakefile ssl/mksig ssl/usercert.cnf ssl/mkserial \
capture/GNUmakefile \
db/GNUmakefile \
......@@ -1022,7 +1022,7 @@ AC_SUBST(MERGE_BUILD_SANDBOX)
outfiles="$outfiles Makeconf GNUmakefile \
assign/GNUmakefile \
named/GNUmakefile firewall/GNUmakefile \
named/GNUmakefile firewall/GNUmakefile fwrules/GNUmakefile \
ssl/GNUmakefile ssl/mksig ssl/usercert.cnf ssl/mkserial \
capture/GNUmakefile \
db/GNUmakefile \
#
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
SRCDIR = @srcdir@
TESTBED_SRCDIR = @top_srcdir@
OBJDIR = ..
SUBDIR = fwrules
ETCDIR = /etc
OURDOMAIN = @OURDOMAIN@
ISMAINSITE = @TBMAINSITE@
BOSSTOKEN = boss
USERTOKEN = ops
FWRULES_FILES = $(BOSSTOKEN).ipfw $(USERTOKEN).ipfw
ifeq ($(ISMAINSITE),1)
LOCAL_FWRULES = $(BOSSTOKEN).local.ipfw $(USERTOKEN).local.ipfw
else
LOCAL_FWRULES =
endif
include $(OBJDIR)/Makeconf
#
# Force dependencies on the scripts so that they will be rerun through
# configure if the .in file is changed.
#
all: mkfwrules $(LOCAL_FWRULES) $(FWRULES_FILES)
include $(TESTBED_SRCDIR)/GNUmakerules
%.ipfw: %.tmpl
perl mkfwrules $< > $@
$(LOCAL_FWRULES) $(FWRULES_FILES): mkfwrules
# This is not a safe install target after initial install!
install:
@echo "Are you sure you want to reinstall the fwrules files!"
@echo "Use the install-real target if you are sure"
install-real:
clean:
rm -f mkfwrules $(FWRULES_FILES) $(LOCAL_FWRULES)
$(ETCDIR)/%: %
@echo "Installing $<"
-mkdir -p $(ETCDIR)
$(INSTALL) $< $@
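Review bot: The `%.ipfw: %.tmpl` rule runs `perl mkfwrules $< > $@`, so when mkfwrules dies (it does on any unknown `%keyword%`) a truncated `$@` is left behind that is newer than its template and is treated as up to date on the next run — and because the closing `add deny log ip from any to any` is the last line of both templates, a truncated rule file is missing exactly the line that matters most. Adding `.DELETE_ON_ERROR:` near the top of the file (or writing to `$@.tmp` and `mv`-ing it into place) closes that. Separately, on the main site `boss.ipfw` embeds `boss.local.ipfw` through `%localrules%` but declares no dependency on it, so a change to `boss.local.tmpl` does not regenerate `boss.ipfw`, and under `make -j` the two can be built in either order with mkfwrules silently emitting nothing when the local file is not there yet; inside the `ifeq ($(ISMAINSITE),1)` block add `$(BOSSTOKEN).ipfw: $(BOSSTOKEN).local.ipfw` and `$(USERTOKEN).ipfw: $(USERTOKEN).local.ipfw`. `install-real:` is still an empty rule, presumably the work-in-progress part, but a `@echo` saying so would stop it from looking like a no-op by design.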
#
# Utah specific rules for boss.
#
# For backups
add pass tcp from nstash to me 13782 setup
# Match existing dynamic rules early
add check-state
# Allow established connections.
add pass tcp from any to any established
# Allow anything out. This subsumes some of the rules below.
add pass tcp from me to any setup
add pass udp from me to any keep-state
# Allow ssh traffic from anywhere
add pass tcp from any to any 22 setup
# Allow web traffic (http and https)
add pass tcp from any to me 80 setup
add pass tcp from any to me 443 setup
# Allow NTP traffic
add pass udp from any to any ntp keep-state
# Allow DNS queries.
add pass tcp from any to me 53 setup
add pass udp from any to any 53 keep-state
# Old elvind. Can we get rid of this now?
add pass udp from %alltestbed% to me 2917 keep-state
add pass udp from %jailnetwork% to me 2917 keep-state
# Allow tmcd in, The 8/9 ports are for testing.
add pass udp from any to me 7777 keep-state
add pass tcp from any to me 7777 setup
add pass tcp from any to me 7778 setup
add pass tcp from any to me 7779 setup
add pass tcp from any to me 14447 setup
# Pubsub but only from the local node.
add pass tcp from me to me 16505 setup
# Allow tftp in, but only from emulab networks
# XXX - This is bad, because tftp can open up any UDP port it wants,
# so we have to let trough a whole lot more ports than I'd like.
add pass udp from %alltestbed% to me 69 keep-state
add pass udp from %jailnetwork% to me 69 keep-state
add pass udp from %alltestbed% 1024-65535 to me 1024-65535 keep-state
add pass udp from %jailnetwork% 1024-65535 to me 1024-65535 keep-state
# For capserver from the control network.
add pass tcp from %publicnetwork% to me 855 setup
add pass tcp from %publicnetwork% 1024-65535 to me 1024-65535 setup
add pass tcp from me 1024-65535 to %publicnetwork% setup
# Allow dhcp/bootp in - we have to allow any source and dst address
add pass udp from any to any bootps keep-state
# Syslog. I thought all syslog went to ops?
add pass udp from %alltestbed% to me syslog keep-state
add pass udp from %jailnetwork% to me syslog keep-state
# Allow NFS mounts to ops
#
# These few for lockd.
add pass udp from me to ops 111 keep-state
add pass udp from me to ops 4045 keep-state
add pass udp from me to ops 2049-65535 keep-state
# Allow IP fragments through due to the default 8k read/write size
add pass ip from ops to me frag
add pass ip from me to ops frag
# WARNING: This is in the router control set, and allows all udp ports.
# No idea why, there is no comment explaining.
#add pass udp from %alltestbed% to me keep-state
# Lockd again
add pass tcp from me to ops 111 setup
add pass tcp from me to ops 4045 setup
add pass tcp from me to ops 2049 setup
# Kirk has helpfully hardwired mountd to these ports on ops
add pass tcp from me to ops 900 setup
add pass udp from me to ops 900 keep-state
# Allow connections to our XMLRPC SSL server
add pass tcp from any to me 3069 setup
# Bootwhat (bootinfo)
add pass tcp from %alltestbed% to me 6969 setup
add pass tcp from %jailnetwork% to me 6969 setup
# Outgoing bootinfosend
add pass udp from me 6970 to any 9696 keep-state
# What are these?
#add pass tcp from %alltestbed% to me 6958 setup
#add pass tcp from %jailnetwork% to me 6958 setup
#add pass tcp from %alltestbed% to me 6999 setup
#add pass tcp from %jailnetwork% to me 6999 setup
# Allow ping. Well, all icmp. Problem? ipod/apod is an icmp packet (6,6).
add pass icmp from any to any
# Need this for X11 over ssh.
add pass tcp from me to me 6010 setup
# Multicast.
add pass igmp from %multicast% to any
add pass igmp from me to any
# What is this? I see it in my elabinelab from the router.
add pass pim from %multicast% to any
add pass udp from any to 224.0.0.0/4 1025-65535
add pass udp from me to 224.0.0.0/4
# Frisbee master server (Mike).
add pass tcp from %alltestbed% to me 64494 setup
add pass tcp from %jailnetwork% to me 64494 setup
# and allow a range for the mserver based uploader
add pass tcp from %controlnetwork% to me 21700-21799 setup
add pass tcp from %jailnetwork% to me 21700-21799 setup
# Slothd (Kirk)
add pass tcp from %alltestbed% to me 8509 setup
add pass tcp from %jailnetwork% to me 8509 setup
add pass udp from %alltestbed% to me 8509 keep-state
add pass udp from %jailnetwork% to me 8509 keep-state
# ssh (tcp?) port proxying (Gary)
add pass tcp from me 4127 to me 4127 setup
add pass tcp from ops to me 4128 setup
# Flash authentication service (Jon)
add pass tcp from any to me 843 setup
# ProtoGENI XMLRPC service (Leigh)
add pass tcp from any to me 12369 setup
%localrules% boss
# Deny everything else
add deny log ip from any to any
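Review bot: The rules use host names (`nstash` in `add pass tcp from nstash to me 13782 setup`, `ops` throughout the NFS/lockd block) and ipfw resolves those names when the ruleset is loaded; boss serves DNS itself (the port 53 rules above), and if the firewall is loaded before named is up, as the usual rc ordering does, the load stops at the first unresolvable name, so these hosts need /etc/hosts entries or should be expressed through the `%...%` substitutions — worth a comment at the top of the template. The comment `# For capserver from the control network.` does not match the two rules under it, which use `%publicnetwork%` while `%controlnetwork%` exists and is used for the mserver range; one of the two looks wrong. `add pass tcp from any to any 22 setup` allows ssh to any destination rather than `to me`; it only matters if boss forwards packets, but `to me` is the more conservative spelling for a host firewall and matches the http/https rules next to it.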
#!/usr/bin/perl -w
#
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
use Getopt::Std;
use Socket;
#
# Convert the ipfw rule template files into actual rule files. If you want
# to run these rules on your boss and/or ops, you will need to make
# sure you have the ipfw modules built or an ipfw enabled kernel already
# running. More info on this is in the "ipfirewall" man page. Then, you
# need to change /etc/rc.conf:
#
# firewall_enable="YES"
# firewall_flags="-f"
# firewall_type="/etc/myrules"
#
# where /etc/myrules is the appropriate rule file from the build
# directory.
#
sub usage {
print "Usage: $0 <templatefile>\n";
}
#
# Configure variables
#
my $OURDOMAIN = "@OURDOMAIN@";
my $ELABINELAB = @ELABINELAB@;
my ($BOSSTOKEN) = ("@BOSSNODE@" =~ /^([-\w]+).*$/);
my ($USERTOKEN) = ("@USERNODE@" =~ /^([-\w]+).*$/);
my ($FSTOKEN) = ("@FSNODE@" =~ /^([-\w]+).*$/);
my $TESTBED_NETWORK = "@TESTBED_NETWORK@";
my $TESTBED_NETMASK = "@TESTBED_NETMASK@";
my $EXTERNAL_TESTBED_NETWORK = "@EXTERNAL_TESTBED_NETWORK@";
my $EXTERNAL_TESTBED_NETMASK = "@EXTERNAL_TESTBED_NETMASK@";
my $BOSSNODE_IP = "@BOSSNODE_IP@";
my $USERNODE_IP = "@USERNODE_IP@";
my $FSNODE_IP = "@FSNODE_IP@";
my $NTPSERVER = "@NTPSERVER@";
my $EXTERNAL_BOSSNODE_IP = "@EXTERNAL_BOSSNODE_IP@";
my $EXTERNAL_USERNODE_IP = "@EXTERNAL_USERNODE_IP@";
my $EXTERNAL_FSNODE_IP = "@EXTERNAL_FSNODE_IP@";
my $CONTROL_ROUTER_IP = "@CONTROL_ROUTER_IP@";
my $CONTROL_NETWORK = "@CONTROL_NETWORK@";
my $CONTROL_NETMASK = "@CONTROL_NETMASK@";
my $PRIVATE_NETWORK = "@PRIVATE_NETWORK@";
my $PRIVATE_ROUTER = "@PRIVATE_ROUTER@";
my $PRIVATE_NETMASK = "@PRIVATE_NETMASK@";
my $PUBLIC_NETWORK = "@PUBLIC_NETWORK@";
my $PUBLIC_ROUTER = "@PUBLIC_ROUTER@";
my $PUBLIC_NETMASK = "@PUBLIC_NETMASK@";
my $NAMED_FORWARDERS = "@NAMED_FORWARDERS@";
# Simple is good. I stole this out of a google search.
my @NETMASKS =
(0x10000000, # 0
0x80000000, 0xC0000000, 0xE0000000, 0xF0000000, # 1 - 4
0xF8000000, 0xFC000000, 0xFE000000, 0xFF000000, # 5 - 8
0xFF800000, 0xFFC00000, 0xFFE00000, 0xFFF00000, # 9 - 12
0xFFF80000, 0xFFFC0000, 0xFFFE0000, 0xFFFF0000, # 13 - 16
0xFFFF8000, 0xFFFFC000, 0xFFFFE000, 0xFFFFF000, # 17 - 20
0xFFFFF800, 0xFFFFFC00, 0xFFFFFE00, 0xFFFFFF00, # 21 - 24
0xFFFFFF80, 0xFFFFFFC0, 0xFFFFFFE0, 0xFFFFFFF0, # 25 - 28
0xFFFFFFF8, 0xFFFFFFFC, 0xFFFFFFFE, 0xFFFFFFFF # 29 - 32
);
my %SUB = (
"alltestbed" => "$TESTBED_NETWORK:$TESTBED_NETMASK",
"publicnetwork" => "$PUBLIC_NETWORK:$PUBLIC_NETMASK",
"controlnetwork" => "$CONTROL_NETWORK:$CONTROL_NETMASK",
"jailnetwork" => "172.16.0.0/12",
"multicast" => "$TESTBED_NETWORK:$TESTBED_NETMASK,172.16.0.0/12",
);
#
# Ug, for elabinelab, it is easier to just set the multicast rule
# to any to avoid problems.
#
if ($ELABINELAB) {
$SUB{"multicast"} = "any";
}
# Testbed libraries.
use lib "@prefix@/lib";
usage()
if (@ARGV != 1);
my $infile = $ARGV[0];
open(IF,"<$infile") or
die("Unable to open $infile for reading\n");
while (<IF>) {
if (/^(.*)\%([-\w]*)\%(.*)$/) {
if ($2 eq "localrules") {
my $filename = $3;
$filename =~ s/\s//g;
$filename .= ".local.ipfw";
if (-e $filename) {
system("cat $filename");
}
}
elsif (exists($SUB{$2})) {
print "$1" . $SUB{$2} . "$3\n";
}
else {
die("No substitution for '$2'\n");
}
next;
}
print $_;
}
close(IF);
exit(0);
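Review bot: `usage()` at `usage() if (@ARGV != 1);` prints the usage text but does not exit, so the script continues with an undefined `$ARGV[0]` and dies on `open` with an empty filename; give it an exit, `sub usage { print "Usage: $0 <templatefile>\n"; exit(1); }`. The `%localrules%` branch emits nothing when `$filename` does not exist and ignores the exit status of `system("cat $filename")`, so a missing or unreadable `boss.local.ipfw` yields a rule file without the site rules and a successful build; at least `warn` on the missing file and check the `system` return, or read the file with `open`/`print` in Perl, which also avoids passing a template-derived name through the shell. `@NETMASKS`, `use Socket` and `use lib "@prefix@/lib"` are not referenced anywhere in the visible script and can go until something needs them.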
#
# Utah specific rules for ops.
#
# For backups
add pass tcp from nstash to me 13782 setup
# Match existing dynamic rules early
add check-state
# Allow established connections.
add pass tcp from any to any established
# Allow anything out. This subsumes some of the rules below.
add pass tcp from me to any setup
add pass udp from me to any keep-state
# Allow ssh traffic from anywhere
add pass tcp from any to any 22 setup
# All ops to be a mail server
add pass tcp from any to any 25 setup
# Allow NTP traffic in and out
add pass udp from any to any ntp keep-state
# Allow DNS queries out.
add pass udp from me to any 53 keep-state
# Need this for X11 over ssh.
add pass tcp from me to me 6010 setup
# For DHCP. I do not think we need this on ops.
#add pass udp from any to any bootps keep-state
# Allow NFS mounts to and from any emulab machines
#
# These next two for lockd, although subsumed by range rule following.
add pass udp from %alltestbed% to me 111 keep-state
add pass udp from %jailnetwork% to me 111 keep-state
add pass udp from %alltestbed% to me 4045 keep-state
add pass udp from %jailnetwork% to me 4045 keep-state
add pass udp from %alltestbed% to me 2049-65535 keep-state
add pass udp from %jailnetwork% to me 2049-65535 keep-state
# Allow IP fragments through due to the default 8k read/write size
add pass ip from any to me frag
add pass ip from me to any frag
# WARNING: This is in the router control set, and allows all udp ports.
# No idea why, there is no comment explaining.
#add pass udp from %alltestbed% to me keep-state
#add pass udp from %jailnetwork% to me keep-state
# Lockd again.
add pass tcp from %alltestbed% to me 111 setup
add pass tcp from %jailnetwork% to me 111 setup
add pass tcp from %alltestbed% to me 2049 setup
add pass tcp from %jailnetwork% to me 2049 setup
# Kirk has helpfully hardwired mountd to these ports on ops
add pass tcp from %alltestbed% to me 900 setup
add pass tcp from %jailnetwork% to me 900 setup
add pass udp from %alltestbed% to me 900 keep-state
add pass udp from %jailnetwork% to me 900 keep-state
# Let nodes talk to the Samba server on ops
add pass tcp from %alltestbed% to me 445 setup
add pass udp from %jailnetwork% to me 445 keep-state
add pass tcp from %alltestbed% to me 139 setup
add pass udp from %jailnetwork% to me 139 keep-state
# Allow ops to be a web server so that we can run a wiki and mailman
add pass tcp from any to me 80 setup
add pass tcp from any to me 443 setup
# Pubsub and old elvin. Maybe get rid of elvin.
add pass tcp from %alltestbed% to me 16505 setup
add pass tcp from %jailnetwork% to me 16505 setup
add pass tcp from %alltestbed% to me 2917 setup
add pass tcp from %jailnetwork% to me 2917 setup
# Allow high ports in but exclude problem ports.
add deny tcp from any to me 2049
add deny tcp from any to me 3306
# Blaster and Slammer
add deny tcp from any to me 4444
add deny tcp from any to me 1434
add pass tcp from any 1024-65535 to me 1024-65535 setup
add deny udp from any to me 2049
add deny udp from any to me 3306
# Blaster and slammer
add deny udp from any to me 4444
add deny udp from any to me 1434
add pass udp from any 1024-65535 to me 1024-65535 keep-state
# Allow ping. Well, all icmp. Problem?
add pass icmp from any to any
# Allow syslog from experimental nodes
add pass udp from %controlnetwork% to me 514 keep-state
add pass udp from %jailnetwork% to me 514 keep-state
# ssh (tcp?) port proxying (Gary)
add pass tcp from any to me 43008-44032 setup
# Boss can do what it wants to me
add pass tcp from boss to me setup
%localrules% ops
# Deny everything else
add deny log ip from any to any
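Review bot: The Samba block is asymmetric: `%alltestbed%` gets `tcp ... 445 setup` and `tcp ... 139 setup`, while `%jailnetwork%` gets `udp ... 445 keep-state` and `udp ... 139 keep-state`; SMB on 445 and the NetBIOS session service on 139 are TCP, so jail-network nodes cannot reach the Samba server under these rules, and the later high-port pass does not help because both ports are below 1024. If both networks are meant to have the same access, the jail lines should read `add pass tcp from %jailnetwork% to me 445 setup` and `add pass tcp from %jailnetwork% to me 139 setup`. The comment `# All ops to be a mail server` reads as `# Allow ops to be a mail server`. The `add pass tcp from any 1024-65535 to me 1024-65535 setup` / udp pair admits every unprivileged port from any source except the four listed denies; the comment says that is deliberate, but naming the services on ops that need it would make the deny list maintainable when the next one is added.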