FirewallRules

Rationale

Since we primarily provide "Internet hosting" and not "shell servers," our primary concern is keeping our services up and reliable. To this end, we try to limit user actions as much as possible without stopping those users from doing reasonable things.
One way we enforce this is by disallowing all network traffic that isn't covered by a specific "whitelist" rule in our ferm firewall configuration. We try to limit connections to particular IP addresses, as well, whenever feasible.

Why do this? As an example, we can look at a successful attack performed on our old server. A member's buggy PHP script allowed anyone to run arbitrary code as the PHP user. An attacker used this to obtain shell access, by running a shell server on a nonstandard port, and to connect to an IRC network and serve large media files, costing us hundreds of dollars in transfer fees. The first problem can be prevented by simply not allowing users to listen on ports that they don't have specific permission for. The second one can be prevented by authorizing IRC client connections to particular server IP addresses only. Sure, most of the time no harm will come from allowing unrestricted IRC client connections, but, when it matters, it can be very helpful to block actions that we haven't specifically authorized.

fwtool

To make it easy for us to manage these per-user rules, we've developed an administrative tool called fwtool. It generates the appropriate ferm configuration using input from the file /afs/hcoop.net/common/etc/domtool/firewall/user.rules. The portal has an interface for requesting modifications to this file on your behalf. You should also be able to view this file directly, if curious.

At the moment, fwtool supports the directives below. Implicit in each is a `node` argument naming the server on which the firewall rules are created, but the portal hides this:

user Client ports [hosts]: Allow user to connect to remote hosts on any of the given ports, which are specified as a comma-separated list of single port numbers. The space-separated list hosts is optional. If omitted, connections are allowed to any remote IP address. If included, hosts is an exhaustive list of the IP addresses and/or hostnames to which connections are allowed.

user Server ports [hosts]: The analogue of the above, for the privileges of listening and accepting connections (if given, hosts restricts which remote addresses may connect).

user ProxiedServer ports: Allow user to listen and accept connections on the ports, but only for connections from the public Apache servers. This is useful for things like running your own web server/application that Apache proxies, which you can configure using mod_proxy.

user LocalServer ports: Allow user to listen and accept connections on the ports, but only for connections from the local server to itself. This is useful if you have software that needs to communicate locally over the network but does not need to be visible to the Internet.

When requesting *Server rules, ports must be above 50000, and you should avoid using ports too close to another member's (see AllocatedFirewallPorts for allocated ports). A good rule is to request ports skipping ten at a time (e.g. if the highest allocated ports were 50001 and 50002, you should request ports starting at 50010). If you have already requested ports, try to keep new ones near your other ports if possible. We hope to automate port allocation in the future, and are isolating ad-hoc allocations to the upper range of ports to prevent problems later on.

Both TCP and UDP are opened for user firewall rules at this time. fwtool does not yet support port ranges, so list each port individually. The next iteration of fwtool will allow setting rules for each protocol independently.

Common Rules

On shelob
(the web server), outgoing http and https are permitted to all hosts by default. On marsh (the shell server), outgoing http, https, git, and subversion are permitted to all hosts. Mail and XMPP are permitted to the hcoop mail and XMPP hosts. IRC is permitted to the following networks generally (you may request access to additional networks on a personal basis, but we cannot allow access to networks known for any unlawful/shady activity):

freenode
oftc
mozilla
Libera.Chat

Rules and recipes for common requests:

irc network: marsh USERNAME Client 6667 IRC_NETWORK_HOSTNAME

The Next Generation

The current firewall system is fairly limited and was ported directly from what we were using on Fyodor, so it doesn't take advantage of the entire DomTool infrastructure. See FirewallTool for information on the next-generation replacement.

CategorySystemAdministration CategoryMemberManual