/[pdpsoft]/nl.nikhef.ndpf.tools/foundry-tracl/ruleset.example

Contents of /nl.nikhef.ndpf.tools/foundry-tracl/ruleset.example



Revision 21 - (show annotations) (download)
Mon Aug 11 06:15:56 2008 UTC (14 years, 1 month ago) by davidg
File size: 8835 byte(s)
Foundry ACL translator initial checkin

1 !
2 ! @(#)$Id$
3 !
4 ! ruleset for new deel router
5 !
! interconnect: connects a /29 transfer net plus 0.0.0.0/0 (presumably the
! default/uplink side -- confirm with the translator). The "excludes" entries
! carve the public-sec range, the 194.171.96.0/22 block, 172.16/12 and 0.0.0.0/32
! back out of the 0.0.0.0/0 entry.
6 interface interconnect
7 connects 192.16.186.160/29
8 connects 0.0.0.0/0
9 excludes 192.16.186.192/26
10 excludes 194.171.96.0/22
11 excludes 172.16.0.0/12
12 excludes 0.0.0.0/32
13 end
! opninterconnect: second 0.0.0.0/0 interface (presumably the OPN uplink).
! The excludes cover 194.171.96.0/25, 194.171.97.0/24 and 194.171.98.0/23,
! i.e. all of 194.171.96.0/22 except 194.171.96.128/25 (the OPN pool-node
! range used in the ruleset below), plus the Nikhef 192.16.x.0/24 nets,
! 172.16/12 and 0.0.0.0/32.
14 interface opninterconnect
15 connects 192.16.186.129/30
16 connects 0.0.0.0/0
17 excludes 192.16.186.192/26
18 excludes 194.171.96.0/25
19 excludes 194.171.97.0/24
20 excludes 194.171.98.0/23
21 excludes 192.16.185.0/24
22 excludes 192.16.186.0/24
23 excludes 192.16.192.0/24
24 excludes 192.16.193.0/24
25 excludes 192.16.194.0/24
26 excludes 192.16.195.0/24
27 excludes 192.16.199.0/24
28 excludes 172.16.0.0/12
29 excludes 0.0.0.0/32
30 end
31 !
! public-comb: the union of public-sec and public-grid below (same two prefixes).
32 interface public-comb
33 connects 192.16.186.192/26
34 connects 194.171.97.0/24
35 end
36 !
! public-sec: 192.16.186.192/26 (hosts installation/DNS/NTP/database services per the ruleset).
37 interface public-sec
38 connects 192.16.186.192/26
39 end
! public-grid: 194.171.97.0/24 (the grid services network).
40 interface public-grid
41 connects 194.171.97.0/24
42 end
! ipmi: 172.20.0.0/16 management network; reachable only from the hosts listed
! under "management access" in the ruleset, everything else to 172.16/12 is denied there.
43 interface ipmi
44 connects 172.20.0.0/16
45 end
! nordic: 194.171.96.32/27 experimental LAN; the ruleset permits all IP traffic to it.
46 interface nordic
47 connects 194.171.96.32/27
48 end
! vobox: 194.171.96.0/28, the Class-1 VO box network.
49 interface vobox
50 connects 194.171.96.0/28
51 end
! farmnet: 194.171.98.0/23, worker-node network.
52 interface farmnet
53 connects 194.171.98.0/23
54 end
! p4ctb: P4 CTB hosts; also carries 10.0.0.0/8, which the ruleset drops as a
! source so that it cannot leak out.
55 interface p4ctb
56 connects 194.171.96.16/28
57 connects 10.0.0.0/8
58 end
! gridsrv: 194.171.96.64/28; the ruleset exposes http/ssl/ldap/636/873/11371/ssh
! on this net to any source.
59 interface gridsrv
60 connects 194.171.96.64/28
61 end
62 !
63 !
! dhcp-server: permit DHCP towards server $host.
!   $host      - address of the DHCP server
!   $sourcenet - relay/client source (a /32 relay agent in the invocations below)
! Line 65 carries no destination port, unlike line 66; it therefore admits
! any UDP from 0.0.0.0:bootpc to 0.0.0.0. How the translator renders
! "host 0.0.0.0" (exact address vs. wildcard) is not visible here -- verify.
64 stanza dhcp-server
65 permit udp host 0.0.0.0 eq bootpc host 0.0.0.0
66 permit udp host 0.0.0.0 eq bootpc host $host eq bootps
67 permit udp $sourcenet eq bootpc host $host eq bootps
68 end
! tftp-server: permit TFTP from $sourcenet to server $host.
!   $host      - TFTP server address
!   $sourcenet - clients allowed to fetch (PXE nets in the ruleset below)
! Lines 71/72 open every UDP port above 1023 in both directions between
! $sourcenet and $host, not just the TFTP data transfer -- presumably because
! TFTP moves the transfer to an ephemeral server port. This is the widest
! exposure of any stanza in the file; keep $sourcenet tight.
69 stanza tftp-server
70 permit udp $sourcenet gt 1023 host $host eq tftp
71 permit udp $sourcenet gt 1023 host $host gt 1023
72 permit udp host $host gt 1023 $sourcenet gt 1023
73 end
! vpnhost: named address, referenced as $vpnhost() in permit-from-nikhef and
! in the ruleset (where it is granted "permit ip ... any").
74 stanza vpnhost 194.171.97.13/32
75 end
! permit-from-gridnodes: permit $proto from the four grid-node ranges to $target.
!   $proto  - ip/tcp/udp
!   $target - destination, may carry a port clause (e.g. "x/32 eq ldap")
! Sources: public-sec, OPN pool nodes (194.171.96.128/25), public-grid, farmnet.
76 stanza permit-from-gridnodes
77 permit $proto 192.16.186.192/26 $target
78 permit $proto 194.171.96.128/25 $target
79 permit $proto 194.171.97.0/24 $target
80 permit $proto 194.171.98.0/23 $target
81 end
! deny-from-gridnodes: counterpart of permit-from-gridnodes, same parameters.
! NOTE(review): this list lacks 194.171.96.128/25, which permit-from-gridnodes
! includes, so the two stanzas do not cover the same sources. It is not
! referenced anywhere in the ruleset below; verify whether it is still needed.
82 stanza deny-from-gridnodes
83 deny $proto 192.16.186.192/26 $target
84 deny $proto 194.171.97.0/24 $target
85 deny $proto 194.171.98.0/23 $target
86 end
! permit-from-nikhef: permit $proto from the Nikhef office/desktop ranges and
! the VPN host to $target.
!   $proto  - ip/tcp/udp
!   $target - destination, may carry a port clause
! NOTE(review): 192.16.193.0/24 appears in the opninterconnect excludes but not
! here, and 192.16.186.0 is listed as /25 rather than /24 -- confirm intentional.
87 stanza permit-from-nikhef
88 permit $proto 192.16.185.0/24 $target
89 permit $proto 192.16.186.0/25 $target
90 permit $proto 192.16.192.0/24 $target
91 permit $proto 192.16.194.0/24 $target
92 permit $proto 192.16.195.0/24 $target
93 permit $proto 192.16.199.0/24 $target
94 permit $proto $vpnhost() $target
95 end
! permit-nfs-server: permit portmapper (111), NFS (2049) and the pinned
! stat/lock/mount/rquotad ports (4001-4004) over tcp and udp.
!   $srcnet - client range
!   $dest   - NFS server address(es)
! Only works if the servers really pin the auxiliary daemons to 4001-4004;
! otherwise those services land on unpinned ports and are not covered.
96 stanza permit-nfs-server
97 ! assuming you setup NFS servers with stat,lock,mount,rquotad fixed
98 permit tcp $srcnet $dest eq 111
99 permit udp $srcnet $dest eq 111
100 permit tcp $srcnet $dest eq 2049
101 permit udp $srcnet $dest eq 2049
102 permit tcp $srcnet $dest range 4001 4004
103 permit udp $srcnet $dest range 4001 4004
104 end
! permit-dns-server: permit DNS queries from anywhere to $dest.
!   $dest - resolver address
! Line 108 (any source port) is a superset of line 107 (source port > 1023),
! so line 107 is redundant; the net effect is udp+tcp/53 from any source.
105 stanza permit-dns-server
106 ! needs outbound udp to any port to support anaconda DNS resolution
107 permit udp any gt 1023 $dest eq dns
108 permit udp any $dest eq dns
109 permit tcp any $dest eq dns
110 end
! permit-webserver: permit tcp http and ssl (https) from $src to $dest.
!   $src  - client range, or "any"
!   $dest - web server address(es)
111 stanza permit-webserver
112 permit tcp $src $dest eq http
113 permit tcp $src $dest eq ssl
114 end
115 !
116 !
117 !
118 ruleset
! Order is significant: the deny-after-permit patterns below (NFS, MySQL,
! Torque, 172.16/12) presuppose first-match evaluation -- confirm that is
! what the translator emits. $name(...) lines presumably expand the stanzas
! defined above with the given parameters.
119 ! always allow established connections and filter localdomain
120 permit tcp any any established
121 deny ip 127.0.0.0/8 any
122 deny ip any 127.0.0.0/8
123 !
124 ! The nordic experimental LAN get all traffic
125 permit ip any 194.171.96.32/27
126 ! The P4 CTB hosts 10/8 space we dont want to leak out
127 deny ip 10.0.0.0/8 any
128 !
129 ! management access (IPMI) to and from VPN, stal and beerput,
130 ! but nowhere else
! The VPN host gets unrestricted IP to every destination, not just IPMI.
131 permit ip $vpnhost() any
132 permit ip 172.20.0.0/16 $vpnhost()
133 permit ip 172.20.0.0/16 192.16.192.220/32
! NOTE(review): 192.16.192.220 above vs 192.16.186.220 (beerput) below --
! the 194.171.96.69 pair is symmetric, this one is not; verify it is not a typo.
134 permit ip 192.16.186.220/32 172.20.0.0/16
135 permit ip 194.171.96.69/32 172.20.0.0/16
136 permit ip 172.20.0.0/16 194.171.96.69/32
! Anything else towards 172.16/12 (including the IPMI net) stops here;
! the closing "permit ip any any" does not reopen it.
137 deny ip any 172.16.0.0/12
138 ! allow access to the console switches also from marginal networks
139 ! and permit to DRCS systems
140 $permit-from-nikhef(proto=ip,target=192.16.186.208/32)
141 $permit-from-nikhef(proto=ip,target=192.16.186.211/32)
142 $permit-from-nikhef(proto=ip,target=194.171.99.250/32)
143 $permit-from-nikhef(proto=ip,target=194.171.99.251/32)
144 !
145 ! DHCP server from relay agent and TFTP for pxe and saving configs
146 ! from the relays of deel and for the public-grid network,
147 ! worker node nets and the Class-1 VO box and the OPN
148 ! from deel itself to beerput
! Limited-broadcast DHCP from any source; the relay-specific cases follow.
149 permit udp any eq bootpc host 255.255.255.255 eq bootps
150 $dhcp-server(host=192.16.186.220,sourcenet=192.16.186.254/32)
! tftp-server also opens all udp >1023 both ways between sourcenet and host.
151 $tftp-server(host=192.16.186.220,sourcenet=194.171.97.0/24)
152 $tftp-server(host=192.16.186.220,sourcenet=194.171.98.0/23)
153 $tftp-server(host=192.16.186.220,sourcenet=194.171.96.0/28)
154 $tftp-server(host=192.16.186.220,sourcenet=194.171.96.128/25)
155 $dhcp-server(host=194.171.96.69,sourcenet=194.171.96.78/32)
156 $tftp-server(host=194.171.96.69,sourcenet=194.171.96.78/32)
157 !
158 ! NFS servers hooimijt, hoeve/schuur, vlaai (hooimijt+vlaai: ++OPN)
159 !
160 $permit-nfs-server(srcnet=194.171.97.0/24,dest=192.16.186.246/31)
161 $permit-nfs-server(srcnet=194.171.97.0/24,dest=192.16.186.248/32)
162 $permit-nfs-server(srcnet=194.171.97.0/24,dest=192.16.186.202/32)
163 $permit-nfs-server(srcnet=194.171.98.0/23,dest=192.16.186.246/31)
164 $permit-nfs-server(srcnet=194.171.98.0/23,dest=192.16.186.248/32)
165 $permit-nfs-server(srcnet=194.171.98.0/23,dest=192.16.186.202/32)
166 $permit-nfs-server(srcnet=194.171.96.128/25,dest=192.16.186.248/32)
167 $permit-nfs-server(srcnet=194.171.96.128/25,dest=192.16.186.202/32)
! Close portmapper and NFS to every source not listed above. These denies must
! stay ahead of the "gt 1023" permits further down or 2049 would be reopened.
168 deny tcp any any eq 2049
169 deny udp any any eq 2049
170 deny tcp any any eq 111
171 deny udp any any eq 111
172 !
173 ! HTTP and SSL servers on gridsrv are accessible from anywhere
174 $permit-webserver(src=any,dest=194.171.96.64/28)
175 permit tcp any 194.171.96.64/28 eq ldap
176 permit tcp any 194.171.96.64/28 eq 636
177 permit tcp any 194.171.96.64/28 eq 873
178 permit tcp any 194.171.96.64/28 eq 11371
179 !
180 ! allow ADSM from SARA
181 permit tcp 145.100.20.0/24 194.171.96.69/32 eq 1503
182 permit tcp 145.100.20.0/24 192.16.186.248/32 eq 1503
183 !
184 ! permit logging to boes from our nodes
185 permit udp 194.171.96.0/22 192.16.186.207/32 eq 514
186 permit udp 192.16.186.192/26 192.16.186.207/32 eq 514
187 !
188 ! oscars kuiken gets all traffic above 1023
! tcp only; every high port on these two hosts is reachable from any source.
189 permit tcp any 194.171.96.77/32 gt 1023
190 permit tcp any 194.171.96.72/32 gt 1023
191 !
192 ! services in the public-sec network for installation/DNS/NTP/Quattor HTTP
193 ! stal from public-sec, vobox, opn, public-grid, farmnet
194 $permit-dns-server(dest=192.16.186.248/32)
195 $permit-dns-server(dest=192.16.186.253/32)
196 $permit-dns-server(dest=192.16.186.210/32)
197 $permit-webserver(src=192.16.186.192/26,dest=192.16.186.220/32)
198 $permit-webserver(src=194.171.96.0/28,dest=192.16.186.220/32)
199 $permit-webserver(src=194.171.96.128/25,dest=192.16.186.220/32)
200 $permit-webserver(src=194.171.97.0/24,dest=192.16.186.220/32)
201 $permit-webserver(src=194.171.98.0/23,dest=192.16.186.220/32)
202 $permit-from-nikhef(proto=tcp,target=192.16.186.220/32 eq http)
203 $permit-from-nikhef(proto=tcp,target=192.16.186.220/32 eq ssl)
204 !
205 $permit-from-gridnodes(proto=tcp,target=192.16.186.192/26 eq ldap)
206 $permit-from-gridnodes(proto=tcp,target=192.16.186.192/26 eq 636)
207 !
208 ! access to Torque/Maui from grid nodes and WNs (only)
209 ! BUT the Torque/Maui server should still move!
! The deny on 211 shields the server from the public-grid "gt 1023" permit below.
210 $permit-from-gridnodes(proto=tcp,target=194.171.97.12/32 gt 1023)
211 deny tcp any 194.171.97.12/32 gt 1023
212 !
213 ! access to riek for nagios and trog for ganglia and tbn13 for SMS
214 !
215 $permit-webserver(src=any,dest=192.16.186.223/32)
216 $permit-webserver(src=any,dest=192.16.186.253/32)
217 $permit-webserver(src=any,dest=192.16.186.238/32)
218 !
219 ! shell access
220 ! from all Nikhef desktops and laptops ssh, ldap, ldaps
221 ! from the whole world to the gridsrv network
222 ! from the whole world access to bosui
223 !
! target=any: Nikhef sources reach ssh/ldap/ldaps on every destination behind
! this router, including hosts the later subnet denies would otherwise cover.
224 $permit-from-nikhef(proto=tcp,target=any eq ssh)
225 $permit-from-nikhef(proto=tcp,target=any eq ldap)
226 $permit-from-nikhef(proto=tcp,target=any eq 636)
227 permit tcp any 194.171.96.64/28 eq ssh
228 permit tcp any 192.16.186.212/32 eq ssh
229 !
230 ! MySQL and other databases
231 ! from: OPN (tbn18 and pool nodes) ; grid services; public-sec
232 ! but from nowhere else
233 permit tcp 194.171.96.128/25 192.16.186.192/26 eq 3306
234 permit tcp 194.171.97.0/24 192.16.186.192/26 eq 3306
235 permit tcp 192.16.186.192/26 192.16.186.192/26 eq 3306
! Placed before the public-sec "gt 1023" permit so 3306 stays closed to the world.
236 deny tcp any any eq 3306
237 !
238 !
239 ! Who should be 'open' to the world for MW to work:
240 ! to the grid services above 1024
! These are the broadest inbound permits in the file: every tcp/udp port above
! 1023 on public-grid, public-sec and the VO box net is open to any source,
! except where an earlier deny (2049, 3306, 194.171.97.12) already matched.
241 permit tcp any 194.171.97.0/24 gt 1023
242 permit udp any 194.171.97.0/24 gt 1023
243 ! and to public-sec until we moved all services to the right network
244 permit tcp any 192.16.186.192/26 gt 1023
245 permit udp any 192.16.186.192/26 gt 1023
246 ! and the Class1 VO box network for gsissh (1917) and over 1023
247 permit tcp any 194.171.96.0/28 gt 1023
248 !
249 ! block all remaining traffic to our subnets
! Default-deny for inbound to the local ranges; anything not matched above is dropped here.
250 deny ip any 194.171.96.0/22
251 deny ip any 192.16.186.192/26
252 deny ip any 192.16.186.160/29
253 deny ip any 192.16.186.129/30
254 ! and allow the rest (outbound to the rest of the world)
! No egress filtering beyond the 10/8 and 127/8 source denies at the top.
255 permit ip any any
256 end
257 !
258 !
259 end
