<> == Rationale == Since we primarily provide "Internet hosting" and not "shell servers," our primary concern is keeping our services up and reliable. To this end, we try to limit user actions as much as possible without stopping those users from doing reasonable things. One way we enforce this is by disallowing all network traffic that isn't covered by a specific "whitelist" rule in our {{{ferm}}} firewall configuration. We try to limit connections to particular IP addresses, as well, whenever feasible.<> == fwtool == To make it easy for us to manage these per-user tools, we've developed an administrative tool called {{{fwtool}}}. It generates the appropriate {{{ferm}}} configuration using input from the file {{{/afs/hcoop.net/common/etc/domtool/firewall/users.rules}}}. The portal has [[https://members.hcoop.net/portal/sec|an interface for requesting modifications to this file]] on your behalf. You should also be able to view this file directly, if curious. At the moment, {{{fwtool}}} supports these directives<>: * {{{user Client ports [hosts]}}}: Allow {{{user}}} to connect to remote hosts on any of the given {{{ports}}}, which are specified as a comma-separated list of single port numbers and/or ranges of the form {{{low:high}}}. The space-separated list {{{hosts}}} is optional. If omitted, connections are allowed to any remote IP addresses. If included, {{{hosts}}} provides an exhaustive list of the IP addresses and/or hostnames to which to allow connections. * {{{user Server ports [hosts]}}}: The analogue of the above, for the privileges of listening and accepting connections. * {{{user ProxiedServer ports}}}: Allow {{{user}}} to listen and accept connections on the {{{ports}}}, but only for connections from the public Apache servers. This is useful for things like running your own web server/application that Apache proxies, which you can configure using `mod_proxy`. * {{{user LocalServer ports}}}: Allow {{{user}}} to listen and accept connections on the {{{ports}}}, but only for connections from the local server to itself. This is useful if you have software that needs to locally communicate using the network, but does not need to be visible to the Internet. When requesting `*Server` rules, `ports` must be above `50000`, and you should try avoiding using ports too close to another member (see AllocatedFirewallPorts for allocated ports). We hope to automate port allocation in the future, and are isolating ad-hoc allocations to the upper range of ports to prevent problems later on. == Common Rules == Rules and recipes for rules that are commonly requested. * IRC to freenode, both insecure and with tls: `Client 6667,6697 chat.freenode.net` * The World Wide Web: `Client 80,443` ---- CategorySystemAdministration