The devil has a name, and it is ''ucc-fw''. This article aspires to be a reference manual for the UCC firewall. It does not aspire to be a reference manual for iptables, and readers are expected to familiarize themselves with the basics of iptables syntax before attempting to change the central firewall. <> == Not just a firewall == ''ucc-fw'' is located on [[Murasoi]] in {{{/etc/init.d/}}} and one point it was 700 lines of arcane iptables commands and cryptic comments, responsible for keeping the baddies out, keeping costs down by making sure the right data goes out the right link, NAT for the Silk link, and a lot of other things. Luckily it is now largely just a firewall. As suggested by its location, ''ucc-fw'' is initialized at boot and changes can be applied by simply running the script again. The ucc-fw script can be viewed in [[https://gitlab.ucc.asn.au/ucc-configuration/ucc-fw/blob/master/ucc-fw|UCC Gitlab]] with your UCC login. == Overview == The firewall script has several distinct parts. Let's look at them in turn: === [[Murasoi]] firewalling === First up is the incoming firewall for [[Murasoi]] itself. This is fairly restrictive, only allowing SSH from everywhere (and even that has fail2ban in front of it), Iodine and PPTP. Other things are only allowed from UCC or UWA. === Main firewall === This section is about access control. There are two main chains, TOOUTSIDE and FROMOUTSIDE that most rules are added to. Hosts in $UNFIREWALLED must do their own firewalling. After this comes a long list of rules to open ports for particular hosts, in roughly ascending order by IP. Incoming ports are generally opened to ACCEPT (the whole world). Outgoing ports don't need to be unfirewalled. === NATting === Then the NAT occurs. There are a few DNATs for policy purposes, followed by SNATs for the various 172.26.42 networks. == Common Tasks == Most changes to ''ucc-fw'' are relatively mundane: unblocking a port, forwarding a port, and unfirewalling a particular host (eg: for a colocated user machine). === Letting things through === The most common firewall maintenance task you'll come across is also the easiest. Letting a port through is as simple as a couple of well-placed lines. The exact syntax for how to allow a port through to a host is an exercise left for the reader, but in most cases you should be able to copy existing entries and modify them to suit your purposes. 1. Find the part of the script entitled 'Inbound machine specific rules' and create a new rule for your host and port. 2. Save the file. 3. Re-run ucc-fw with `/etc/init.d/ucc-fw`. 4. Save your changes into Git by typing `git add ucc-fw; git commit` and then entering a log message. Have a look at what chordata is doing, as a guide. ---- CategorySystemAdministration