
Annotation of /nl.nikhef.ndpf.tools/foundry-tracl/ruleset.example



Revision 21 - (hide annotations) (download)
Mon Aug 11 06:15:56 2008 UTC (14 years, 1 month ago) by davidg
File size: 8835 byte(s)
Foundry ACL translator initial checkin

1 davidg 21 !
2     ! @(#)$Id$
3     !
4     ! ruleset for new deel router
5     !
! Interface carrying the default route (0.0.0.0/0) over the
! 192.16.186.160/29 transfer net. The "excludes" lines presumably carve
! the local and private prefixes out of that default so they are not
! treated as "behind" this interface — confirm against the translator.
interface interconnect
connects 192.16.186.160/29
connects 0.0.0.0/0
excludes 192.16.186.192/26
excludes 194.171.96.0/22
excludes 172.16.0.0/12
excludes 0.0.0.0/32
end
! Second default-route interface (the OPN side, per its name) on the
! 192.16.186.129/30 transfer net. Its exclude list is longer than the
! one on "interconnect": the Nikhef 192.16.x and 194.171.96-98 ranges
! are also kept out of the default here. NOTE(review): 194.171.96.0/25
! is excluded but 194.171.96.128/25 is not — confirm that asymmetry
! is intended (the /25 upper half is the OPN net used below).
interface opninterconnect
connects 192.16.186.129/30
connects 0.0.0.0/0
excludes 192.16.186.192/26
excludes 194.171.96.0/25
excludes 194.171.97.0/24
excludes 194.171.98.0/23
excludes 192.16.185.0/24
excludes 192.16.186.0/24
excludes 192.16.192.0/24
excludes 192.16.193.0/24
excludes 192.16.194.0/24
excludes 192.16.195.0/24
excludes 192.16.199.0/24
excludes 172.16.0.0/12
excludes 0.0.0.0/32
end
31     !
! Combined view of the public-sec and public-grid prefixes; the two
! single-prefix interfaces below split the same ranges out again.
interface public-comb
connects 192.16.186.192/26
connects 194.171.97.0/24
end
36     !
! public-sec: the /26 hosting the installation, DNS, NTP and database
! services referenced in the ruleset below.
interface public-sec
connects 192.16.186.192/26
end
! public-grid: grid service hosts (Torque/Maui and the VPN host live here).
interface public-grid
connects 194.171.97.0/24
end
! ipmi: out-of-band management network (RFC1918 space). Reachability to
! it is deliberately limited by the "management access" rules below.
interface ipmi
connects 172.20.0.0/16
end
! nordic: experimental LAN; the ruleset permits all IP traffic to it.
interface nordic
connects 194.171.96.32/27
end
! vobox: Class-1 VO box network.
interface vobox
connects 194.171.96.0/28
end
! farmnet: worker-node network.
interface farmnet
connects 194.171.98.0/23
end
! p4ctb: P4 CTB hosts; they also carry 10/8, which the ruleset
! explicitly stops from leaking out ("deny ip 10.0.0.0/8 any").
interface p4ctb
connects 194.171.96.16/28
connects 10.0.0.0/8
end
! gridsrv: internet-facing grid servers (HTTP/SSL/LDAP/ssh open to any).
interface gridsrv
connects 194.171.96.64/28
end
62     !
63     !
! Parameterised rule group; expanded where the ruleset calls
! $dhcp-server(host=...,sourcenet=...). $host is the DHCP server,
! $sourcenet the relay agent allowed to talk to it.
! NOTE(review): the first two lines use host 0.0.0.0 as source (an
! unconfigured client) — the 0.0.0.0 destination on the first line looks
! odd for a relay setup; confirm it is not a leftover.
stanza dhcp-server
permit udp host 0.0.0.0 eq bootpc host 0.0.0.0
permit udp host 0.0.0.0 eq bootpc host $host eq bootps
permit udp $sourcenet eq bootpc host $host eq bootps
end
! TFTP to $host from $sourcenet. Because "established" only covers TCP,
! the UDP data transfer (server high port -> client high port) needs the
! explicit return rule on the last line; note it permits all high UDP
! ports between the two, not just TFTP.
stanza tftp-server
permit udp $sourcenet gt 1023 host $host eq tftp
permit udp $sourcenet gt 1023 host $host gt 1023
permit udp host $host gt 1023 $sourcenet gt 1023
end
! Named value (no rules): referenced as $vpnhost() in the stanzas and
! ruleset below so the VPN host address is defined in one place.
stanza vpnhost 194.171.97.13/32
end
! Permit $proto from the grid node networks (public-sec, OPN upper /25,
! public-grid, farmnet) to $target; $target may carry a port clause,
! e.g. target=192.16.186.192/26 eq ldap.
stanza permit-from-gridnodes
permit $proto 192.16.186.192/26 $target
permit $proto 194.171.96.128/25 $target
permit $proto 194.171.97.0/24 $target
permit $proto 194.171.98.0/23 $target
end
! Inverse of permit-from-gridnodes. NOTE(review): it lacks the
! 194.171.96.128/25 line its permit counterpart has, so the two stanzas
! do not cover the same sources — confirm whether that is intended.
! Not referenced in the ruleset below as far as visible.
stanza deny-from-gridnodes
deny $proto 192.16.186.192/26 $target
deny $proto 194.171.97.0/24 $target
deny $proto 194.171.98.0/23 $target
end
! Permit $proto to $target from the Nikhef-internal ranges (including
! the lower half of 192.16.186.0/24) and from the VPN host. This is the
! "trusted source" set for ssh/ldap/console access below, so any prefix
! added here gets that access everywhere it is used.
stanza permit-from-nikhef
permit $proto 192.16.185.0/24 $target
permit $proto 192.16.186.0/25 $target
permit $proto 192.16.192.0/24 $target
permit $proto 192.16.194.0/24 $target
permit $proto 192.16.195.0/24 $target
permit $proto 192.16.199.0/24 $target
permit $proto $vpnhost() $target
end
! NFS from $srcnet to $dest: portmapper (111), nfsd (2049) and the
! 4001-4004 range the comment below reserves for the auxiliary daemons.
! If a server is not pinned to those ports its traffic will hit the
! blanket 111/2049 denies in the ruleset rather than this stanza.
stanza permit-nfs-server
! assuming you setup NFS servers with stat,lock,mount,rquotad fixed
permit tcp $srcnet $dest eq 111
permit udp $srcnet $dest eq 111
permit tcp $srcnet $dest eq 2049
permit udp $srcnet $dest eq 2049
permit tcp $srcnet $dest range 4001 4004
permit udp $srcnet $dest range 4001 4004
end
! DNS to $dest from any source. NOTE(review): the second udp line
! (any source port) already covers the first (gt 1023); and the comment
! speaks of outbound udp to any port, while the visible rules are all
! inbound to port dns — confirm whether the translator adds return
! rules or whether an outbound rule is missing here.
stanza permit-dns-server
! needs outbound udp to any port to support anaconda DNS resolution
permit udp any gt 1023 $dest eq dns
permit udp any $dest eq dns
permit tcp any $dest eq dns
end
! HTTP and HTTPS ("ssl") from $src to $dest.
stanza permit-webserver
permit tcp $src $dest eq http
permit tcp $src $dest eq ssl
end
115     !
116     !
117     !
! Main access list. The translator presumably emits these lines in the
! order written, so (as on the router) the first matching line wins: a
! "deny" only takes effect for traffic no earlier "permit" matched. Keep
! that ordering in mind when inserting rules — several denies below are
! only effective because they sit above the broad "gt 1023" permits.
ruleset
! always allow established connections and filter localdomain
! NOTE(review): "established" presumably matches TCP flags only, so UDP
! flows need explicit return rules (see $tftp-server).
permit tcp any any established
deny ip 127.0.0.0/8 any
deny ip any 127.0.0.0/8
!
! The nordic experimental LAN get all traffic
! (sits above every deny, so nothing later restricts 194.171.96.32/27)
permit ip any 194.171.96.32/27
! The P4 CTB hosts 10/8 space we dont want to leak out
deny ip 10.0.0.0/8 any
!
! management access (IPMI) to and from VPN, stal and beerput,
! but nowhere else
! NOTE(review): $vpnhost() gets "ip any" here, i.e. unrestricted access
! to everything, not only to the IPMI range — confirm that is intended.
permit ip $vpnhost() any
permit ip 172.20.0.0/16 $vpnhost()
! NOTE(review): the return direction on the next line uses
! 192.16.186.220 (the $dhcp-server/$tftp-server host further down);
! 192.16.192.220 here may be a typo — confirm which host is meant.
permit ip 172.20.0.0/16 192.16.192.220/32
permit ip 192.16.186.220/32 172.20.0.0/16
permit ip 194.171.96.69/32 172.20.0.0/16
permit ip 172.20.0.0/16 194.171.96.69/32
! everything else to RFC1918 172.16/12 (incl. IPMI) stops here
deny ip any 172.16.0.0/12
! allow access to the console switches also from marginal networks
! and permit to DRCS systems
$permit-from-nikhef(proto=ip,target=192.16.186.208/32)
$permit-from-nikhef(proto=ip,target=192.16.186.211/32)
$permit-from-nikhef(proto=ip,target=194.171.99.250/32)
$permit-from-nikhef(proto=ip,target=194.171.99.251/32)
!
! DHCP server from relay agent and TFTP for pxe and saving configs
! from the relays of deel and for the public-grid network,
! worker node nets and the Class-1 VO box and the OPN
! from deel itself to beerput
permit udp any eq bootpc host 255.255.255.255 eq bootps
$dhcp-server(host=192.16.186.220,sourcenet=192.16.186.254/32)
$tftp-server(host=192.16.186.220,sourcenet=194.171.97.0/24)
$tftp-server(host=192.16.186.220,sourcenet=194.171.98.0/23)
$tftp-server(host=192.16.186.220,sourcenet=194.171.96.0/28)
$tftp-server(host=192.16.186.220,sourcenet=194.171.96.128/25)
$dhcp-server(host=194.171.96.69,sourcenet=194.171.96.78/32)
$tftp-server(host=194.171.96.69,sourcenet=194.171.96.78/32)
!
! NFS servers hooimijt, hoeve/schuur, vlaai (hooimijt+vlaai: ++OPN)
!
$permit-nfs-server(srcnet=194.171.97.0/24,dest=192.16.186.246/31)
$permit-nfs-server(srcnet=194.171.97.0/24,dest=192.16.186.248/32)
$permit-nfs-server(srcnet=194.171.97.0/24,dest=192.16.186.202/32)
$permit-nfs-server(srcnet=194.171.98.0/23,dest=192.16.186.246/31)
$permit-nfs-server(srcnet=194.171.98.0/23,dest=192.16.186.248/32)
$permit-nfs-server(srcnet=194.171.98.0/23,dest=192.16.186.202/32)
$permit-nfs-server(srcnet=194.171.96.128/25,dest=192.16.186.248/32)
$permit-nfs-server(srcnet=194.171.96.128/25,dest=192.16.186.202/32)
! blanket deny for portmapper/NFS in both directions: anything the
! $permit-nfs-server lines above did not match (including outbound to
! the world) is dropped before the catch-all permit at the end
deny tcp any any eq 2049
deny udp any any eq 2049
deny tcp any any eq 111
deny udp any any eq 111
!
! HTTP and SSL servers on gridsrv are accessible from anywhere
! (plus ldap, ldaps, rsync and 11371 from any source)
$permit-webserver(src=any,dest=194.171.96.64/28)
permit tcp any 194.171.96.64/28 eq ldap
permit tcp any 194.171.96.64/28 eq 636
permit tcp any 194.171.96.64/28 eq 873
permit tcp any 194.171.96.64/28 eq 11371
!
! allow ADSM from SARA
permit tcp 145.100.20.0/24 194.171.96.69/32 eq 1503
permit tcp 145.100.20.0/24 192.16.186.248/32 eq 1503
!
! permit logging to boes from our nodes
permit udp 194.171.96.0/22 192.16.186.207/32 eq 514
permit udp 192.16.186.192/26 192.16.186.207/32 eq 514
!
! oscars kuiken gets all traffic above 1023
permit tcp any 194.171.96.77/32 gt 1023
permit tcp any 194.171.96.72/32 gt 1023
!
! services in the public-sec network for installation/DNS/NTP/Quattor HTTP
! stal from public-sec, vobox, opn, public-grid, farmnet
$permit-dns-server(dest=192.16.186.248/32)
$permit-dns-server(dest=192.16.186.253/32)
$permit-dns-server(dest=192.16.186.210/32)
$permit-webserver(src=192.16.186.192/26,dest=192.16.186.220/32)
$permit-webserver(src=194.171.96.0/28,dest=192.16.186.220/32)
$permit-webserver(src=194.171.96.128/25,dest=192.16.186.220/32)
$permit-webserver(src=194.171.97.0/24,dest=192.16.186.220/32)
$permit-webserver(src=194.171.98.0/23,dest=192.16.186.220/32)
$permit-from-nikhef(proto=tcp,target=192.16.186.220/32 eq http)
$permit-from-nikhef(proto=tcp,target=192.16.186.220/32 eq ssl)
!
$permit-from-gridnodes(proto=tcp,target=192.16.186.192/26 eq ldap)
$permit-from-gridnodes(proto=tcp,target=192.16.186.192/26 eq 636)
!
! access to Torque/Maui from grid nodes and WNs (only)
! BUT the Torque/Maui server should still move!
! (this deny must stay above "permit tcp any 194.171.97.0/24 gt 1023"
! further down, otherwise it is dead and the server is open to any)
$permit-from-gridnodes(proto=tcp,target=194.171.97.12/32 gt 1023)
deny tcp any 194.171.97.12/32 gt 1023
!
! access to riek for nagios and trog for ganglia and tbn13 for SMS
!
$permit-webserver(src=any,dest=192.16.186.223/32)
$permit-webserver(src=any,dest=192.16.186.253/32)
$permit-webserver(src=any,dest=192.16.186.238/32)
!
! shell access
! from all Nikhef desktops and laptops ssh, ldap, ldaps
! from the whole world to the gridsrv network
! from the whole world access to bosui
!
$permit-from-nikhef(proto=tcp,target=any eq ssh)
$permit-from-nikhef(proto=tcp,target=any eq ldap)
$permit-from-nikhef(proto=tcp,target=any eq 636)
permit tcp any 194.171.96.64/28 eq ssh
permit tcp any 192.16.186.212/32 eq ssh
!
! MySQL and other databases
! from: OPN (tbn18 and pool nodes) ; grid services; public-sec
! but from nowhere else
permit tcp 194.171.96.128/25 192.16.186.192/26 eq 3306
permit tcp 194.171.97.0/24 192.16.186.192/26 eq 3306
permit tcp 192.16.186.192/26 192.16.186.192/26 eq 3306
deny tcp any any eq 3306
!
!
! Who should be 'open' to the world for MW to work:
! to the grid services above 1024
! NOTE(review): the five permits below expose every port above 1023 on
! public-grid, public-sec and the VO box net to any source; the only
! protection is the targeted denies placed above them (3306, 111/2049,
! 194.171.97.12). A new service on a high port is reachable by default.
permit tcp any 194.171.97.0/24 gt 1023
permit udp any 194.171.97.0/24 gt 1023
! and to public-sec until we moved all services to the right network
permit tcp any 192.16.186.192/26 gt 1023
permit udp any 192.16.186.192/26 gt 1023
! and the Class1 VO box network for gsissh (1917) and over 1023
permit tcp any 194.171.96.0/28 gt 1023
!
! block all remaining traffic to our subnets
deny ip any 194.171.96.0/22
deny ip any 192.16.186.192/26
deny ip any 192.16.186.160/29
deny ip any 192.16.186.129/30
! and allow the rest (outbound to the rest of the world)
! (anything to a destination not in the deny list above, e.g. the other
! 192.16.x ranges, also falls through to this permit)
permit ip any any
end
!
!
! NOTE(review): the ruleset already closed with its own "end" above;
! this second "end" has no visible opening block — confirm the
! translator's grammar expects a file-level terminator here.
end
