sun-cluster.isba

     File: /home/pierre/isba/dev/samples/sun-cluster.isba
     Date: Sun Nov 18 07:06:29 MET 2001
     User: pierre


Ipf rules

  sun-cluster.isba: ruleset for a 2-node Sun Cluster: nickel and chrome
  #include-objects include/all-hosts

  (empty cells are shown as "-"; rules in a group inherit the interface of their "head" rule)

  #  | Action    | Opts                  | Intf    | From           | To           | Service           | Misc                          | Group | Comment

  LOCALHOST TRAFFIC AND GENERAL RULES
  1  | pass out  | quick                 | lo0     | -              | -            | -                 | -                             | -     | local processes: let all pass
  2  | pass in   | quick                 | lo0     | -              | -            | -                 | -                             | -     | -
  3  | block in  | log body quick        | -       | -              | -            | -                 | with ipopts                   | -     | block all packets with IP options
  4  | block in  | log body quick        | -       | -              | -            | -                 | with short                    | -     | block too-short packets
  5  | block in  | quick                 | -       | -              | -            | polluting-ports   | -                             | -     | to avoid log pollution

  PUBLIC INTERFACES: INBOUND TRAFFIC (group 10)
  6  | block in  | log                   | ifpubs  | -              | -            | -                 | head 10                       | -     | inbound traffic on the public interfaces: default block
  7  | block in  | log quick             | -       | spoofed-addr   | -            | -                 | -                             | 10    | anti-spoofing
  8  | pass in   | log first quick       | -       | -              | all-clust-ip | ssh               | flags S keep state keep frags | 10    | SSH server
  9  | pass in   | quick                 | -       | allow-ftp-from | all-clust-ip | ftp, wu-pasv      | flags S keep state keep frags | 10    | ftp: active FTP server, 1/2; wu-pasv: passive FTP server (data ports), wu-ftpd must be configured to use that range
  10 | pass in   | quick                 | -       | allow-www-from | all-clust-ip | www               | flags S keep state keep frags | 10    | WWW servers
  11 | pass in   | quick                 | -       | allow-www-from | all-clust-ip | www-admin         | flags S keep state keep frags | 10    | Netscape admin server
  12 | pass in   | quick                 | -       | -              | isis         | sybase            | -                             | 10    | Sybase server
  13 | pass in   | quick                 | -       | servers-rip    | multicast    | route             | -                             | 10    | RIP
  14 | pass in   | quick                 | -       | hispubip       | multicast    | icmp-ping         | -                             | 10    | -
  15 | pass in   | log quick             | -       | -              | -            | proto-2           | -                             | 10    | inbound IP protocol 2 (IGMP; for RIP multicast?)
  16 | pass in   | quick                 | -       | -              | all-clust-ip | icmp-ping         | -                             | 10    | ping, ping-reply: allowed (no logging)
  17 | pass in   | log quick             | -       | -              | all-clust-ip | icmp-other        | -                             | 10    | time exceeded, unreachable: allowed (with logging)
  18 | pass in   | log quick             | -       | hispubip       | mypubip      | sunrpc            | keep state                    | 10    | let RPC in from the other node (scconf/logical host declarations)
  19 | pass in   | quick                 | -       | hispubip       | mypubip      | scmgr             | -                             | 10    | java application: ClusterManager
  20 | pass in   | quick                 | -       | hispubip       | mypubip      | srcport scmgr     | -                             | 10    | java application: ClusterManager
  21 | pass in   | quick                 | -       | hispubip       | mypubip      | tcp-high-ports    | -                             | 10    | open TCP high ports in from the other node
  22 | pass in   | quick                 | -       | servers-smtp   | lyris        | smtp              | flags S keep state keep frags | 10    | SMTP for the Lyris mailing list
  23 | pass in   | quick                 | -       | patrol-hosts   | all-clust-ip | patrol            | -                             | 10    | Patrol communications
  24 | block in  | quick                 | -       | -              | dmz1-servers | route             | -                             | 10    | don't return a 'port unreachable' packet to a poor guy asking for a route
  25 | block in  | return-icmp log quick | -       | -              | -            | proto-udp         | -                             | 10    | other UDP ports: return a 'port unreachable' packet to avoid a timeout
  26 | block in  | return-rst log quick  | -       | -              | -            | proto-tcp         | flags S                       | 10    | other TCP ports: return a Reset packet to avoid a timeout

  PUBLIC INTERFACES: OUTBOUND TRAFFIC (group 20)
  27 | block out | log                   | ifpubs  | -              | -            | -                 | head 20                       | -     | default block
  28 | pass out  | log first quick       | -       | -              | -            | ssh               | flags S keep state keep frags | 20    | SSH client
  29 | pass out  | quick                 | -       | -              | servers-dns  | dns-tcp           | flags S keep state keep frags | 20    | DNS/tcp client
  30 | pass out  | quick                 | -       | -              | servers-dns  | dns-udp           | keep state                    | 20    | DNS/udp client
  31 | pass out  | quick                 | -       | -              | -            | www               | flags S keep state keep frags | 20    | HTTP client
  32 | pass out  | log first quick       | -       | -              | servers-smtp | smtp              | flags S keep state keep frags | 20    | sendmail client
  33 | pass out  | quick                 | -       | -              | servers-ntp  | ntp               | keep state                    | 20    | NTP client
  34 | pass out  | log first quick       | -       | -              | servers-adsm | adsm              | flags S keep state keep frags | 20    | ADSM backup client
  35 | pass out  | log first quick       | -       | -              | allow-X11-to | X11               | flags S keep state keep frags | 20    | unencrypted X11 client
  36 | pass out  | quick                 | -       | -              | -            | ftp               | flags S keep state keep frags | 20    | FTP client: passive ftp 1/1, and active ftp 1/2 (see NAT for the 2/2)
  37 | pass out  | quick                 | -       | -              | -            | srcport ftp-data  | flags S keep state keep frags | 20    | active FTP server 2/2: open port 20 outbound
  38 | pass out  | quick                 | -       | isis           | -            | srcport sybase    | -                             | 20    | Sybase server
  39 | pass out  | quick                 | -       | -              | patrol-hosts | patrol            | -                             | 20    | Patrol communications
  40 | pass out  | quick                 | -       | -              | intdns1      | 162               | -                             | 20    | -
  41 | pass out  | quick                 | -       | -              | -            | srcport route     | -                             | 20    | RIP
  42 | pass out  | log quick             | -       | -              | -            | proto-2           | -                             | 20    | let IP protocol 2 out (gated)
  43 | pass out  | quick                 | -       | -              | -            | icmp-ping         | -                             | 20    | ping, ping-reply: ok (no logging)
  44 | pass out  | log quick             | -       | -              | -            | icmp-other        | -                             | 20    | time exceeded, unreachable: ok (with logging)
  45 | pass out  | quick                 | -       | mypubip        | hispubip     | sunrpc            | keep state                    | 20    | let RPC out to the other node (scconf/logical host declarations)
  46 | pass out  | quick                 | -       | mypubip        | hispubip     | scmgr             | -                             | 20    | java application: ClusterManager
  47 | pass out  | quick                 | -       | mypubip        | hispubip     | srcport scmgr     | -                             | 20    | java application: ClusterManager
  48 | pass out  | quick                 | -       | mypubip        | hispubip     | tcp-high-ports    | -                             | 20    | open high ports out to the other node
  49 | pass out  | log quick             | -       | -              | -            | -                 | flags R/R                     | 20    | let Reset packets out (for denied TCP connections)

  PRIVATE INTERFACES: INBOUND TRAFFIC (group 30)
  50 | block in  | log                   | ifprivs | -              | -            | -                 | head 30                       | -     | default block
  51 | pass in   | quick                 | -       | hisprivip      | myprivip     | sunrpc            | keep state                    | 30    | let RPC in
  52 | pass in   | quick                 | -       | hisprivip      | myprivip     | smad              | -                             | 30    | let UDP/603 in (smad)
  53 | pass in   | log first quick       | -       | hisprivip      | myprivip     | clust-rec         | -                             | 30    | these ports are used during a cluster reconfiguration
  54 | pass in   | log first quick       | -       | hisprivip      | myprivip     | srcport clust-rec | -                             | 30    | these ports are used during a cluster reconfiguration
  55 | pass in   | quick                 | -       | hisprivip      | myprivip     | scmgr             | -                             | 30    | java application: ClusterManager
  56 | pass in   | quick                 | -       | hisprivip      | myprivip     | srcport scmgr     | -                             | 30    | java application: ClusterManager
  57 | pass in   | quick                 | -       | hisprivip      | myprivip     | tcp-high-ports    | -                             | 30    | open high ports in from the other node
  Note on rules 53-57: no 'flags S keep state' here, so that IP-Filter can be restarted (which empties its state table) while the cluster is running; a stateful rule that only matches SYN packets would drop the packets of the cluster's already established connections after the restart.
  58 | pass in   | quick                 | -       | hisprivip      | myprivip     | icmp-ping         | -                             | 30    | ping, ping-reply: allowed

  PRIVATE INTERFACES: OUTBOUND TRAFFIC (group 40)
  59 | block out | log                   | ifprivs | -              | -            | -                 | head 40                       | -     | default block
  60 | pass out  | quick                 | -       | myprivip       | hisprivip    | sunrpc            | keep state                    | 40    | let RPC out
  61 | pass out  | quick                 | -       | myprivip       | hisprivip    | smad              | -                             | 40    | let UDP/603 out (smad)
  62 | pass out  | log first quick       | -       | myprivip       | hisprivip    | clust-rec         | -                             | 40    | these ports are used during a cluster reconfiguration
  63 | pass out  | log first quick       | -       | myprivip       | hisprivip    | srcport clust-rec | -                             | 40    | these ports are used during a cluster reconfiguration
  64 | pass out  | quick                 | -       | myprivip       | hisprivip    | scmgr             | -                             | 40    | java application: ClusterManager
  65 | pass out  | quick                 | -       | myprivip       | hisprivip    | srcport scmgr     | -                             | 40    | java application: ClusterManager
  66 | pass out  | quick                 | -       | myprivip       | hisprivip    | tcp-high-ports    | -                             | 40    | open high ports out to the other node
  Note on rules 62-66: as for rules 53-57, no 'flags S keep state', so that IP-Filter can be restarted while the cluster is running.
  67 | pass out  | quick                 | -       | myprivip       | hisprivip    | icmp-ping         | -                             | 40    | ping and reply allowed

  Warning: this ruleset is only a sample ... don't use it!



Nat rules

  sun-cluster.isba: NAT rules

  # | Action | Intf   | Original From | Original To | Original Service | -> | Translated Address | Translated Service     | Range | Comment
  1 | map    | ifpub1 | 0/0           | -           | -                | -> | 0/32               | proxy port ftp ftp/tcp | -     | FTP client, active ftp 2/2 (accept the port 20 inbound connection) on the main interface
  2 | map    | ifpub2 | 0/0           | -           | -                | -> | 0/32               | proxy port ftp ftp/tcp | -     | FTP client, active ftp 2/2 (accept the port 20 inbound connection) on the backup interface



Hosts/Nets

  #   | Name           | Value                                                              | Comment                                                  | Included from
  1   | -              | 0/0                                                                | for NAT: specifies any original address                  | -
  2   | -              | 0/32                                                               | for NAT: specifies the current IP address                | -
  3   | admhost1       | 192.170.1.2                                                        | DMZ3: admin host1                                        | dmz3-admin
  4   | admhost2       | 192.170.1.8                                                        | DMZ3: PC Jean                                            | dmz3-admin
  5   | admhost3       | 192.170.1.9                                                        | DMZ3: PC Frederic                                        | dmz3-admin
  6   | admhost4       | 192.170.1.7                                                        | DMZ3: PC Denis                                           | dmz3-admin
  7   | admhost5       | 192.170.1.4                                                        | DMZ3: PC Pierre                                          | dmz3-admin
  8   | admhost6       | 192.170.1.1                                                        | DMZ3: admin host2                                        | dmz3-admin
  9   | admhost7       | 192.170.1.10                                                       | DMZ3: PC Christophe                                      | dmz3-admin
  10  | admhost8       | 192.170.1.6                                                        | DMZ3: PC Stephane                                        | dmz3-admin
  11  | admhost9       | 192.170.1.5                                                        | DMZ3: Sun Cluster admin host                             | dmz3-admin
  12  | admhostss1     | 192.170.1.25                                                       | DMZ3: ssadmin host1                                      | dmz3-admin
  13  | admhostss2     | 192.170.1.26                                                       | DMZ3: ssadmin host2                                      | dmz3-admin
  14  | adsm1          | 192.170.1.3                                                        | DMZ3: ADSM backup server                                 | dmz3-admin
  15  | akhenaton      | 200.201.156.239                                                    | www.akhenaton.com                                        | dmz1-nt-servers
  16  | all-clust-ip   | nickel, chrome, argon-lhost, helium-lhost                          | all cluster IP addresses                                 | -
  17  | allow-X11-to   | dmz3-admin                                                         | let X11 out to these machines only                       | -
  18  | allow-ftp-from | dmz3-admin, hispubip, fw1s, fw3s                                   | accept inbound FTP from these machines only              | -
  19  | allow-www-from | any                                                                | accept inbound HTTP from these machines only             | -
  20  | amazone        | 200.201.156.141                                                    | DMZ1: www.nestor.com                                     | dmz1-unix-servers
  21  | antares        | 200.201.2.245                                                      | Workstation Manu                                         | lan-csd-sys
  22  | anubis         | 200.201.156.245                                                    | www.anubis.com                                           | dmz1-nt-servers
  23  | argon          | 200.201.156.132                                                    | DMZ1: web server on cluster                              | dmz1-unix-servers
  24  | argon-lhost    | argon, dfe, argon-trav, europe-trav, europe                        | DMZ1: argon logical host IP addresses                    | dmz1-unix-servers
  25  | argon-trav     | 200.201.156.144                                                    | DMZ1: web server on cluster                              | dmz1-unix-servers
  26  | becerede1      | 200.201.156.135, 200.201.156.138, 200.201.156.139, 159.156.156.140 | Many web servers                                         | dmz1-nt-servers
  27  | broadcast-24   | 255.255.255.0                                                      | -                                                        | all-hosts
  28  | broadcast-32   | 255.255.255.255                                                    | -                                                        | all-hosts
  29  | charybde       | 200.201.156.252                                                    | DMZ1: AGE www.charybde.com                               | dmz1-unix-servers
  30  | chrome         | 200.201.156.250                                                    | DMZ1: Sun cluster node 2                                 | dmz1-unix-servers
  31  | chrome-priv    | 204.152.65.2, 204.152.65.18, 204.152.65.34                         | chrome private network IP addresses                      | -
  32  | cluster1       | 192.170.14.11                                                      | Test Sun cluster                                         | lan-csd-sys
  33  | cluster2       | 192.170.14.12                                                      | Test Sun cluster                                         | lan-csd-sys
  34  | dfe            | 200.201.156.133                                                    | DMZ1: web server on cluster                              | dmz1-unix-servers
  35  | dmz1-servers   | 200.201.156.128/25                                                 | Servers DMZ                                              | dmz1-unix-servers
  36  | dmz3-admin     | 192.170.1.0/27                                                     | DMZ3: admin hosts                                        | dmz3-admin
  37  | dmz32-relays   | 200.201.156.16/28                                                  | Relays DMZ                                               | dmz32-relays
  38  | esnts1         | 192.170.14.13                                                      | Network Terminal Server 1 - test cluster                 | lan-csd-sys
  39  | esnts2         | 192.170.14.14                                                      | Network Terminal Server 2 - test cluster                 | lan-csd-sys
  40  | europe         | 200.201.156.147                                                    | DMZ1: europe web server on cluster                       | dmz1-unix-servers
  41  | europe-trav    | 200.201.156.145                                                    | DMZ1: europe-trav web server on cluster                  | dmz1-unix-servers
  42  | extradf        | 200.201.156.251                                                    | www.extradf.com                                          | dmz1-nt-servers
  43  | fw-internet-s  | fw1s, fw3s                                                         | Internet firewalls - servers DMZ                         | dmz-firewalls
  44  | fw1a           | 192.170.1.11                                                       | firewall1, admin DMZ                                     | dmz-firewalls
  45  | fw1e           | 200.201.156.2                                                      | firewall1, internet side                                 | dmz-firewalls
  46  | fw1i           | 200.201.127.65                                                     | firewall1, internal side                                 | dmz-firewalls
  47  | fw1r           | 200.201.156.17                                                     | firewall1, relays DMZ side                               | dmz-firewalls
  48  | fw1s           | 200.201.156.129                                                    | firewall1, servers DMZ side                              | dmz-firewalls
  49  | fw2a           | 192.170.1.12                                                       | firewall2, admin DMZ                                     | dmz-firewalls
  50  | fw2e           | 200.201.152.2                                                      | firewall2, outside                                       | dmz-firewalls
  51  | fw2i           | 200.201.157.6                                                      | firewall2, internal side                                 | dmz-firewalls
  52  | fw2r           | 200.201.152.81                                                     | firewall2, relays DMZ side                               | dmz-firewalls
  53  | fw3a           | 192.170.1.13                                                       | firewall3, admin DMZ                                     | dmz-firewalls
  54  | fw3e           | 200.201.156.10                                                     | firewall3, internet side                                 | dmz-firewalls
  55  | fw3i           | 200.201.157.10                                                     | firewall3, internal side                                 | dmz-firewalls
  56  | fw3r           | 200.201.156.30                                                     | firewall3, relays DMZ side                               | dmz-firewalls
  57  | fw3s           | 200.201.156.254                                                    | firewall3, servers DMZ side                              | dmz-firewalls
  58  | fw4a           | 192.170.1.14                                                       | firewall4, admin DMZ                                     | dmz-firewalls
  59  | fw4e           | 200.201.152.14                                                     | firewall4, outside                                       | dmz-firewalls
  60  | fw4i           | 200.201.157.18                                                     | firewall4, internal side                                 | dmz-firewalls
  61  | fw4r           | 200.201.152.94                                                     | firewall4, relays DMZ side                               | dmz-firewalls
  62  | helium-lhost   | isis                                                               | DMZ1: logical host helium on cluster                     | dmz1-unix-servers
  63  | hisprivip      | #if-target(nickel, chrome-priv, nickel-priv)                       | Other cluster node's private addresses                   | -
  64  | hispubip       | #if-target(nickel, chrome, nickel)                                 | Public IP address of the other node (physical address)   | -
  65  | horus          | to_be_defined                                                      | www.horus.com                                            | dmz1-nt-servers
  66  | intdns1        | 200.201.1.81                                                       | Internal DNS server                                      | lan-csd-sys
  67  | intdns2        | 200.201.1.85                                                       | Internal DNS server, secondary                           | lan-csd-sys
  68  | intranet2      | 200.201.156.61                                                     | DMZ32: intranet NT server                                | dmz32-relays
  69  | isis           | 200.201.156.243                                                    | DMZ1: Sybase server on cluster                           | dmz1-unix-servers
  70  | jade           | 200.201.2.26                                                       | Workstation Patrice                                      | lan-csd-sys
  71  | jasmin         | 200.201.156.241                                                    | DMZ1: www.roger.com                                      | dmz1-unix-servers
  72  | logserv        | 192.170.1.19                                                       | DMZ3: log server                                         | dmz3-admin
  73  | lyris          | argon                                                              | DMZ1: SMTP mailing list on cluster                       | dmz1-unix-servers
  74  | mailhost2      | 200.201.1.207                                                      | Main mail host                                           | lan-csd-inet
  75  | mailhost3      | 200.201.1.203                                                      | Backup mail host                                         | lan-csd-inet
  76  | md-host        | 200.201.152.50                                                     | DMZ22 md                                                 | dmz-extranet
  77  | mini1          | 200.201.156.19                                                     | DMZ32: relay NT                                          | dmz32-relays
  78  | multicast      | 224.0.0.0/4                                                        | for the RIP rule                                         | -
  79  | mvs-adsm0      | 200.201.1.11                                                       | Central site - MVS (backup)                              | mvs-hosts
  80  | mvs-dl         | 200.201.1.20                                                       | Central site - MVS                                       | mvs-hosts
  81  | mvs-fi         | 200.201.1.40                                                       | Central site - MVS                                       | mvs-hosts
  82  | mvs-g2         | 200.201.1.10                                                       | Central site - MVS                                       | mvs-hosts
  83  | mvs-mi         | 200.201.1.50                                                       | Central site - MVS                                       | mvs-hosts
  84  | mvs-perf-hosts | mvs-g2, mvs-sc, mvs-dl, mvs-fi, mvs-mi, mvs-tp                     | MVS machines that may receive performance data from mf2/mf3 | mvs-hosts
  85  | mvs-sc         | 200.201.1.12                                                       | Central site - MVS                                       | mvs-hosts
  86  | mvs-tp         | 200.201.1.60                                                       | Central site - MVS                                       | mvs-hosts
  87  | myprivip       | #if-target(nickel, nickel-priv, chrome-priv)                       | My own private addresses                                 | -
  88  | mypubip        | #if-target(nickel, nickel, chrome)                                 | My public IP address (physical node address)             | -
  89  | nickel         | 200.201.156.150                                                    | DMZ1: Sun cluster node 1                                 | dmz1-unix-servers
  90  | nickel-priv    | 204.152.65.1, 204.152.65.17, 204.152.65.33                         | nickel private network IP addresses                      | -
  91  | ntcom1         | 200.201.156.136, 200.201.156.137                                   | www.com1.com                                             | dmz1-nt-servers
  92  | ntcom2         | 200.201.156.246, 200.201.156.247                                   | www.com2.com                                             | dmz1-nt-servers
  93  | packetshaper1  | 200.201.156.4                                                      | Packet Shaper 1                                          | dmz-firewalls
  94  | packetshaper3  | 200.201.156.11                                                     | Packet Shaper 3                                          | dmz-firewalls
  95  | patrol-hosts   | mailhost3, admhost1, admhost6                                      | Patrol communications (port 1987)                        | -
  96  | proxy1         | 200.201.1.201                                                      | Proxy 1                                                  | lan-csd-inet
  97  | proxy2         | 200.201.1.208                                                      | Proxy 2                                                  | lan-csd-inet
  98  | realsec1       | 200.201.156.3                                                      | RealSecure host1                                         | dmz-firewalls
  99  | realsec3       | 200.201.156.12                                                     | RealSecure host2                                         | dmz-firewalls
  100 | relay1         | 200.201.156.18                                                     | DMZ32: Relay 1                                           | dmz32-relays
  101 | relay2         | 200.201.156.29                                                     | DMZ32: Relay 2                                           | dmz32-relays
  102 | relay4         | 200.201.152.93                                                     | DMZ32: Relay 4                                           | dmz32-relays
  103 | rout2fed       | 200.201.157.9                                                      | inner router 2                                           | dmz-firewalls
  104 | rout2fedext    | 200.201.152.12                                                     | extranet router 2                                        | dmz-firewalls
  105 | rout2fedext2   | 200.201.152.13                                                     | extranet router 2 bis                                    | dmz-firewalls
  106 | rout2internet  | 200.201.156.9                                                      | internet router 2                                        | dmz-firewalls
  107 | rout2rle       | 200.201.157.17                                                     | extranet router 1                                        | dmz-firewalls
  108 | rout3fed       | 200.201.127.66                                                     | inner router 3                                           | dmz-firewalls
  109 | rout3fedext    | 200.201.152.4                                                      | extranet router 3                                        | dmz-firewalls
  110 | rout3fedext2   | 200.201.152.5                                                      | extranet router 3 bis                                    | dmz-firewalls
  111 | rout3internet  | 200.201.156.1                                                      | internet router 3                                        | dmz-firewalls
  112 | rout3rle2      | 200.201.157.5                                                      | extranet router 2                                        | dmz-firewalls
  113 | scylla         | 200.201.156.143                                                    | DMZ1: AGE www.scylla.com                                 | dmz1-unix-servers
  114 | servers-adsm   | adsm1                                                              | ADSM backup server                                       | -
  115 | servers-dns    | fw1e, fw3e                                                         | only DNS servers used                                    | -
  116 | servers-ntp    | admhost1, admhost6                                                 | only NTP servers used                                    | -
  117 | servers-rip    | fw1s, fw3s                                                         | only RIP servers used                                    | -
  118 | servers-smtp   | relay1, relay2                                                     | only SMTP servers used                                   | -
  119 | sidhost1       | 200.201.1.215                                                      | SecurId server                                           | lan-csd-inet
  120 | sidhost2       | 200.201.1.216                                                      | SecurId backup server                                    | lan-csd-inet
  121 | spoofed-addr   | 10.0.0.0/16, 172.16.0.0/12, 127.0.0.0/8                            | (as listed; note that RFC 1918 reserves 10.0.0.0/8, not /16, and also 192.168.0.0/16) | -
  122 | ss1            | 192.170.1.21                                                       | DMZ3: ss1                                                | dmz3-admin
  123 | ss2            | 192.170.1.22                                                       | DMZ3: ss2                                                | dmz3-admin
  124 | ss3            | 192.170.1.23                                                       | DMZ3: ss3                                                | dmz3-admin
  125 | ss4            | 192.170.1.24                                                       | DMZ3: ss4                                                | dmz3-admin
  126 | sun002         | 200.201.2.233                                                      | Sun terminal                                             | lan-csd-inet
  127 | sunadmin       | 192.170.14.15                                                      | Test cluster admin station                               | lan-csd-sys
  128 | tijuana        | 200.201.2.134                                                      | Workstation Pierre                                       | lan-csd-sys
  129 | tisane         | 200.201.156.142                                                    | DMZ1: www.tisane.com                                     | dmz1-unix-servers
  130 | tracks0        | 200.201.152.51                                                     | DMZ22 tracks0                                            | dmz-extranet
  131 | tracks1        | 200.201.152.61                                                     | DMZ22 tracks1                                            | dmz-extranet
  132 | webdi1         | 200.201.156.151                                                    | www.di1.com                                              | dmz1-nt-servers
  133 | webdi2         | 200.201.156.240                                                    | www.di2.com                                              | dmz1-nt-servers
  134 | webresh        | 200.201.156.131                                                    | DMZ1: web server                                         | dmz1-unix-servers
  135 | xyplex1a21     | 192.170.14.35                                                      | Xyplex 21                                                | lan-csd-inet
  136 | xyplex1a30     | 192.170.14.33                                                      | Xyplex 30                                                | lan-csd-inet
  137 | xyplex2a20     | 192.170.14.34                                                      | Xyplex 20                                                | lan-csd-inet
  138 | xyplex2a21     | 192.170.1.16                                                       | DMZ3: Xyplex21                                           | dmz3-admin
  139 | xyplex2a30     | 192.170.1.18                                                       | DMZ3: Xyplex30                                           | dmz3-admin


Services

  #  | Name            | Proto   | Value                                   | Comment                                                               | Included from
  1  | -               | udp     | 162                                     | (literal port used by ipf rule 40; udp/162 is the SNMP trap port)     | -
  2  | X11             | tcp     | 5999><6010                              | -                                                                     | -
  3  | adsm            | tcp     | 14000                                   | ADSM backup port                                                      | -
  4  | an-appli        | tcp     | #if-target(nickel, 4000)                | -                                                                     | -
  5  | clust-rec       | tcp     | 6999><8000                              | ports used by the ccdd daemon during a cluster reconfiguration        | -
  6  | dns-tcp         | tcp     | 53                                      | -                                                                     | -
  7  | dns-udp         | udp     | 53                                      | -                                                                     | -
  8  | ftp             | tcp     | 21                                      | -                                                                     | -
  9  | ftp-data        | -       | -                                       | -                                                                     | -
  10 | icmp-other      | icmp    | 3, 11                                   | allowed ICMP types, with logging                                      | -
  11 | icmp-ping       | icmp    | 0, 8                                    | allowed ICMP types (ping), no logging                                 | -
  12 | ntp             | -       | -                                       | -                                                                     | -
  13 | patrol          | tcp/udp | 1987                                    | Patrol port                                                           | -
  14 | polluting-ports | tcp/udp | 67, 137, 138, 139, 140, 1804, 8500      | ports silently blocked to avoid log pollution                         | -
  15 | proto-2         | 2       | -                                       | -                                                                     | -
  16 | proto-tcp       | tcp     | -                                       | specifies proto tcp, no port                                          | -
  17 | proto-udp       | udp     | -                                       | specifies proto udp, no port                                          | -
  18 | route           | -       | -                                       | -                                                                     | -
  19 | scmgr           | tcp     | 1097                                    | used by java com.sun.scm.admin.server.scmgr.ClusterManager            | -
  20 | smad            | udp     | 603                                     | Sun Cluster communication                                             | -
  21 | smtp            | tcp     | 25                                      | -                                                                     | -
  22 | ssh             | tcp     | 22                                      | -                                                                     | -
  23 | sunrpc          | tcp/udp | 111                                     | unfortunately used by SunCluster                                      | -
  24 | sybase          | tcp     | 4100                                    | Sybase port                                                           | -
  25 | tcp-high-ports  | tcp     | >1024                                   | Unprivileged ports                                                    | -
  26 | wu-pasv         | tcp     | 18999><20000                            | Passive FTP server data ports (configure wu-ftpd's passive port range to match) | -
  27 | www             | tcp     | 80                                      | -                                                                     | -
  28 | www-admin       | tcp     | 82                                      | -                                                                     | -


Interfaces

  # | Name    | Value            | Comment                      | Included from
  1 | allifs  | ifpubs, ifprivs  | All cluster interfaces       | -
  2 | ifpriv1 | qfe1             | private network, interface 1 | -
  3 | ifpriv2 | qfe5             | private network, interface 2 | -
  4 | ifprivs | ifpriv1, ifpriv2 | both private interfaces      | -
  5 | ifpub1  | qfe0             | public network, interface 1  | -
  6 | ifpub2  | qfe4             | public network, interface 2  | -
  7 | ifpubs  | ifpub1, ifpub2   | both NAFO0 public interfaces | -
  8 | lo0     | lo0              | Loopback interface           | -


Ruleset Properties

Version: 1.0

Ruleset targets:

  # | Target hostname or IP address | SSH user on target | use sudo | ipfilter conf dir. | ipf rules filename | nat rules filename
  1 | nickel                        | isba               | X        | /etc/opt/ipf       | ipf.conf           | ipnat.conf
  2 | chrome                        | isba               | X        | /etc/opt/ipf       | ipf.conf           | ipnat.conf

Setup infos: -
Ruleset comments: -
List of changes: -

This ruleset protects a 2-node Sun Cluster living in a DMZ
from its potentially compromised neighbours.
All networks (public and private) are doubled.
The private networks are used by SunCluster only, for cluster
administration (heartbeats, etc).
The public networks are used for access to the hosted servers: WWW, FTP, SMTP, SSH.

Both private interfaces must have the same set of rules,
and both public interfaces must have the same set of rules,
hence the interface groups 'ifprivs' and 'ifpubs'.


        ----------------                       ----------------
       |     nickel     |                     |     chrome     |
       |                |                     |                |
       |                |                     |                |
       |           qfe1 |---------------------| qfe1           |
       |                |  Private networks   |                |
       |           qfe5 |---------------------| qfe5           |
       |                |                     |                |
       |   qfe0  qfe4   |                     |   qfe0  qfe4   |
        ----------------                       ----------------
            |     |                                |     |
            |     |                                |     |
     -------+--------------------------------------+--------------    DMZ
                  |         Public networks              |
     -------------+--------------------------------------+--------
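The same source file is compiled once per target node (see the Ruleset targets table), and the per-node objects hispubip/mypubip and hisprivip/myprivip are what make one ruleset serve both nickel and chrome. The following script is an added illustration of that resolution, written for this page; it is not ISBA's own compiler. It takes a handful of rows from the Hosts/Nets, Services, Interfaces and Ipf rules tables above (copied verbatim, as a subset: argon-lhost is left out of all-clust-ip) and emits IP Filter rule text for a chosen node: `#if-target(node, value-if-node, value-otherwise)` is picked per node, host groups expand to one rule per leaf address, and the `ifpubs` group becomes one `head` rule per physical interface. The tuple layout of RULES, the `port_clause` notation mapping and the emitter itself are assumptions of this example.

```python
"""Resolve a few rows of the sun-cluster.isba tables into IP Filter rule text.

Added example for this page; it is not ISBA's own compiler. Object values are
copied from the tables above (a subset); the RULES tuple layout and the
emitter are assumptions of the example.
"""
import re

# Hosts/Nets (subset of the table above). A list value is a group of names.
HOSTS = {
    "nickel": "200.201.156.150",
    "chrome": "200.201.156.250",
    "isis": "200.201.156.243",
    "helium-lhost": ["isis"],
    "all-clust-ip": ["nickel", "chrome", "helium-lhost"],   # argon-lhost omitted here
    "spoofed-addr": ["10.0.0.0/16", "172.16.0.0/12", "127.0.0.0/8"],
    "hispubip": "#if-target(nickel, chrome, nickel)",
    "mypubip": "#if-target(nickel, nickel, chrome)",
}

# Services: name -> (proto, value in the table's notation)
SERVICES = {
    "ssh": ("tcp", "22"),
    "sunrpc": ("tcp/udp", "111"),
    "tcp-high-ports": ("tcp", ">1024"),
}

INTERFACES = {
    "ifpub1": "qfe0",
    "ifpub2": "qfe4",
    "ifpubs": ["ifpub1", "ifpub2"],
}

# Ipf rules 6, 7, 8, 18 and 21 from the table above, as
# (action, opts, intf, from, to, service, misc, group); "" is an empty cell.
RULES = [
    ("block in", "log", "ifpubs", "", "", "", "head 10", ""),
    ("block in", "log quick", "", "spoofed-addr", "", "", "", "10"),
    ("pass in", "log first quick", "", "", "all-clust-ip", "ssh",
     "flags S keep state keep frags", "10"),
    ("pass in", "log quick", "", "hispubip", "mypubip", "sunrpc", "keep state", "10"),
    ("pass in", "quick", "", "hispubip", "mypubip", "tcp-high-ports", "", "10"),
]

IF_TARGET = re.compile(r"#if-target\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)")


def resolve(table, name, target):
    """Expand a name into the flat list of leaf values for the given target node.

    Literals (addresses, 'any', interface names) are returned unchanged.
    """
    value = table.get(name, name)
    if isinstance(value, list):
        return [leaf for item in value for leaf in resolve(table, item, target)]
    match = IF_TARGET.fullmatch(value)
    if match:
        node, if_node, otherwise = match.groups()
        return resolve(table, if_node if target == node else otherwise, target)
    return [value]


def port_clause(value):
    """Translate the Services table's value notation into an ipf port expression."""
    if value.startswith(">"):
        return f"port > {value[1:]}"
    if "><" in value:
        low, high = value.split("><")
        return f"port {low} >< {high}"
    return f"port = {value}"


def compile_rule(rule, target):
    """Emit the ipf line(s) for one table row, compiled for `target`."""
    action, opts, intf, src, dst, service, misc, group = rule
    proto = port = ""
    if service:
        proto_name, value = SERVICES[service]
        proto, port = f"proto {proto_name}", " " + port_clause(value)
    ifaces = resolve(INTERFACES, intf, target) if intf else [""]
    srcs = resolve(HOSTS, src, target) if src else ["any"]
    dsts = resolve(HOSTS, dst, target) if dst else ["any"]
    lines = []
    for iface in ifaces:
        for s in srcs:
            for d in dsts:
                parts = [action, opts, f"on {iface}" if iface else "", proto,
                         f"from {s} to {d}{port}", misc,
                         f"group {group}" if group else ""]
                lines.append(" ".join(p for p in parts if p))
    return lines


def compile_ruleset(target):
    """Compile all RULES for one node; nickel and chrome get mirror-image rules."""
    return [line for rule in RULES for line in compile_rule(rule, target)]


if __name__ == "__main__":
    for node in ("nickel", "chrome"):
        print(f"# ipf.conf for {node}")
        print("\n".join(compile_ruleset(node)))
```

Running it prints the two node-specific fragments; the sunrpc rule comes out as "from 200.201.156.250 to 200.201.156.150" on nickel and with the addresses swapped on chrome, which is exactly the property the hispubip/mypubip objects exist for. Note that the one-head-rule-per-interface expansion is why rule 6 (and 27, 50, 59) must carry the interface group while the rules inside the group leave the Intf column empty.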