|
Size: 744
Comment:
|
Size: 3080
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| Not ready for human consumption, I'll remove this notice and resume work on this article when I get back from SOC - [LAW] ---- The devil has a name, and it is ''ucc-fw''. This article aspires to be a reference manual for the UCC firewall. |
The devil has a name, and it is ''ucc-fw''. This article aspires to be a reference manual for the UCC firewall. It does not aspire to be a reference manual for iptables, and readers are expected to familiarize themselves with the basics of iptables syntax before attempting to change the central firewall. <<TableOfContents>> |
| Line 7: | Line 5: |
| ''ucc-fw'' is located on madako in /etc/init.d/ and at time of writing weighs in at nearly 700 lines of arcane iptables commands and cryptic comments, and is responsible for keeping the baddies out. It is also responsible for keeping costs down by making sure the right data goes out the right link, NAT for the Silk link, and a lot of other things the reasons for which will become apparent as you become familiar with the way information flows in and out of the club. | ''ucc-fw'' is located on [[Murasoi]] in {{{/etc/init.d/}}} and one point it was 700 lines of arcane iptables commands and cryptic comments, responsible for keeping the baddies out, keeping costs down by making sure the right data goes out the right link, NAT for the Silk link, and a lot of other things. Luckily it is now largely just a firewall. As suggested by its location, ''ucc-fw'' is initialized at boot and changes can be applied by simply running the script again. == Overview == The firewall script has several distinct parts. Let's look at them in turn: === [[Murasoi]] firewalling === First up is the incoming firewall for [[Murasoi]] itself. This is fairly restrictive, only allowing SSH from everywhere (and even that has fail2ban in front of it). Other things are only allowed from UCC, UWA or occasionally FREENETs. PPTP connections and SSH are allowed from SNAP, but nothing else. === Main firewall === This section is about access control. There are two main chains, TOOUTSIDE and FROMOUTSIDE that most rules are added to, and there's two extra targets, FREENETSIN and FREENETSOUT that jump to a long list of free networks stored using ipset. Ports like CIFS, MSSQL are blocked, as is access to machines with vulnerable OSen (like IRIX). Hosts in $UNFIREWALLED can receive charged traffic and do their own firewalling. After this comes a long list of rules to open ports for particular hosts, in roughly ascending order by IP. Incoming ports are generally opened to ACCEPT (the whole world) or FREENETSIN (a smaller subsection of the whole world). Outgoing ports don't need to be unfirewalled. === NATting === Then the NAT occurs. There are a few DNATs for policy purposes, followed by SNATs for the various 172.26.42 networks. == Common Tasks == Most changes to ''ucc-fw'' are relatively mundane: unblocking a port, forwarding a port, and unfirewalling a particular host (eg: for a colocated user machine). === Letting things through === The most common firewall maintenance task you'll come across is also the easiest. Letting a port through is as simple as a couple of well-placed lines. The exact syntax for how to allow a port through to a host is an exercise left for the reader, but in most cases you should be able to copy existing entries and modify them to suit your purposes. 1. Find the part of the script entitled 'Inbound machine specific rules' and create a new rule for your host and port. 2. If the host isn't on the machine room network then you'll also need to add a couple of rules to the 'Incoming traffic for unfirewalled IPs' section. Have a look at what marcel and paradise are doing, as a guide. ---- CategorySystemAdministration |
The devil has a name, and it is ucc-fw. This article aspires to be a reference manual for the UCC firewall. It does not aspire to be a reference manual for iptables, and readers are expected to familiarize themselves with the basics of iptables syntax before attempting to change the central firewall.
Contents
Not just a firewall
ucc-fw is located on Murasoi in /etc/init.d/ and one point it was 700 lines of arcane iptables commands and cryptic comments, responsible for keeping the baddies out, keeping costs down by making sure the right data goes out the right link, NAT for the Silk link, and a lot of other things.
Luckily it is now largely just a firewall.
As suggested by its location, ucc-fw is initialized at boot and changes can be applied by simply running the script again.
Overview
The firewall script has several distinct parts. Let's look at them in turn:
[[Murasoi]] firewalling
First up is the incoming firewall for Murasoi itself. This is fairly restrictive, only allowing SSH from everywhere (and even that has fail2ban in front of it). Other things are only allowed from UCC, UWA or occasionally FREENETs. PPTP connections and SSH are allowed from SNAP, but nothing else.
Main firewall
This section is about access control. There are two main chains, TOOUTSIDE and FROMOUTSIDE that most rules are added to, and there's two extra targets, FREENETSIN and FREENETSOUT that jump to a long list of free networks stored using ipset. Ports like CIFS, MSSQL are blocked, as is access to machines with vulnerable OSen (like IRIX). Hosts in $UNFIREWALLED can receive charged traffic and do their own firewalling. After this comes a long list of rules to open ports for particular hosts, in roughly ascending order by IP. Incoming ports are generally opened to ACCEPT (the whole world) or FREENETSIN (a smaller subsection of the whole world). Outgoing ports don't need to be unfirewalled.
NATting
Then the NAT occurs. There are a few DNATs for policy purposes, followed by SNATs for the various 172.26.42 networks.
Common Tasks
Most changes to ucc-fw are relatively mundane: unblocking a port, forwarding a port, and unfirewalling a particular host (eg: for a colocated user machine).
Letting things through
The most common firewall maintenance task you'll come across is also the easiest. Letting a port through is as simple as a couple of well-placed lines. The exact syntax for how to allow a port through to a host is an exercise left for the reader, but in most cases you should be able to copy existing entries and modify them to suit your purposes.
- Find the part of the script entitled 'Inbound machine specific rules' and create a new rule for your host and port.
- If the host isn't on the machine room network then you'll also need to add a couple of rules to the 'Incoming traffic for unfirewalled IPs' section. Have a look at what marcel and paradise are doing, as a guide.
