sun-cluster.isba |      File: /home/pierre/isba/dev/samples/sun-cluster.isba      Date: Sun Nov 18 07:06:29 MET 2001      User: pierre |
  #   | Action | Opts | Intf | From | To | Service | Misc | Group | Comment |
---|---|---|---|---|---|---|---|---|---|
  | sun-cluster.isba: ruleset for a 2-node Sun Cluster: nickel and chrome | ||||||||
  | #include-objects include/all-hosts | ||||||||
  | LOCALHOST TRAFFIC AND GENERAL RULES | ||||||||
1 | pass out | quick | lo0 |   |   |   |   |   | local processes: let all pass |
2 | pass in | quick | lo0 |   |   |   |   |   |   |
3 | block in | log body quick |   |   |   |   | with ipopts |   | block all packets with IP options |
4 | block in | log body quick |   |   |   |   | with short |   | block too-short packets (truncated headers) |
5 | block in | quick |   |   |   | polluting-ports |   |   | to avoid log pollution |
  | PUBLIC INTERFACES: INBOUND TRAFFIC (group 10) | ||||||||
6 | block in | log | ifpubs |   |   |   |   | head 10 | inbound traffic on public interface: default block |
7 | block in | log quick |   | spoofed-addr |   |   |   | group 10 | anti-spoofing |
8 | pass in | log first quick |   |   | all-clust-ip | ssh | flags S keep state keep frags | group 10 | SSH server |
9 | pass in | quick |   | allow-ftp-from | all-clust-ip | ftp wu-pasv | flags S keep state keep frags | group 10 | ftp: active FTP server (1/2; rule 37 opens port 20 outbound); wu-pasv: passive FTP server data ports, to match the passive port range configured in wu-ftpd |
10 | pass in | quick |   | allow-www-from | all-clust-ip | www | flags S keep state keep frags | group 10 | WWW servers |
11 | pass in | quick |   | allow-www-from | all-clust-ip | www-admin | flags S keep state keep frags | group 10 | Netscape admin server |
12 | pass in | quick |   |   | isis | sybase |   | group 10 | Sybase server |
  |   | ||||||||
13 | pass in | quick |   | servers-rip | multicast | route |   | group 10 | RIP |
14 | pass in | quick |   | hispubip | multicast | icmp-ping |   | group 10 |   |
15 | pass in | log quick |   |   |   | proto-2 |   | group 10 | inbound IP protocol 2 (IGMP, which gated needs to join the RIPv2 multicast group; see rule 42) |
16 | pass in | quick |   |   | all-clust-ip | icmp-ping |   | group 10 | ping, ping-reply: allowed (no logging) |
17 | pass in | log quick |   |   | all-clust-ip | icmp-other |   | group 10 | time exceeded, unreachable: allowed (with logging) |
  |   | ||||||||
18 | pass in | log quick |   | hispubip | mypubip | sunrpc | keep state | group 10 | let RPC in from the other node (scconf/logical host declarations) |
19 | pass in | quick |   | hispubip | mypubip | scmgr |   | group 10 | java application: ClusterManager |
20 | pass in | quick |   | hispubip | mypubip |   | srcport scmgr | group 10 | java application: ClusterManager |
21 | pass in | quick |   | hispubip | mypubip | tcp-high-ports |   | group 10 | open TCP high ports in from the other node |
22 | pass in | quick |   | servers-smtp | lyris | smtp | flags S keep state keep frags | group 10 | smtp for Lyris mailing list |
23 | pass in | quick |   | patrol-hosts | all-clust-ip | patrol |   | group 10 | Patrol communications |
  |   | ||||||||
24 | block in | quick |   |   | dmz1-servers | route |   | group 10 | silently drop RIP aimed at other DMZ servers: don't answer a neighbour's route request with a 'port unreachable' (rule 25 would) |
25 | block in return-icmp | log quick |   |   |   | proto-udp |   | group 10 | other UDP ports: return a 'port unreachable' packet to avoid a timeout |
26 | block in return-rst | log quick |   |   |   | proto-tcp | flags S | group 10 | other TCP ports: return a Reset packet to avoid a timeout |
  | PUBLIC INTERFACES: OUTBOUND TRAFFIC (group 20) | ||||||||
27 | block out | log | ifpubs |   |   |   |   | head 20 | default block |
28 | pass out | log first quick |   |   |   | ssh | flags S keep state keep frags | group 20 | SSH client |
29 | pass out | quick |   |   | servers-dns | dns-tcp | flags S keep state keep frags | group 20 | DNS/tcp client |
30 | pass out | quick |   |   | servers-dns | dns-udp | keep state | group 20 | DNS/udp client |
31 | pass out | quick |   |   |   | www | flags S keep state keep frags | group 20 | HTTP client |
32 | pass out | log first quick |   |   | servers-smtp | smtp | flags S keep state keep frags | group 20 | sendmail client |
33 | pass out | quick |   |   | servers-ntp | ntp | keep state | group 20 | NTP client |
34 | pass out | log first quick |   |   | servers-adsm | adsm | flags S keep state keep frags | group 20 | ADSM backup client |
35 | pass out | log first quick |   |   | allow-X11-to | X11 | flags S keep state keep frags | group 20 | unencrypted X11 client (only towards allow-X11-to) |
36 | pass out | quick |   |   |   | ftp | flags S keep state keep frags | group 20 | FTP client: passive ftp 1/1, and active ftp 1/2 (see NAT for the 2/2) |
37 | pass out | quick |   |   |   |   | srcport ftp-data flags S keep state keep frags | group 20 | active FTP server 2/2: open port 20 outbound |
38 | pass out | quick |   | isis |   |   | srcport sybase | group 20 | Sybase server |
39 | pass out | quick |   |   | patrol-hosts | patrol |   | group 20 | Patrol communications |
40 | pass out | quick |   |   | intdns1 | 162 |   | group 20 | udp/162 (snmptrap) to intdns1 |
  |   | ||||||||
41 | pass out | quick |   |   |   |   | srcport route | group 20 | RIP |
42 | pass out | log quick |   |   |   | proto-2 |   | group 20 | let protocol 2 out (gated) |
43 | pass out | quick |   |   |   | icmp-ping |   | group 20 | ping, ping-reply: ok (no logging) |
44 | pass out | log quick |   |   |   | icmp-other |   | group 20 | time exceeded, unreachable: ok (with logging) |
45 | pass out | quick |   | mypubip | hispubip | sunrpc | keep state | group 20 | let RPC out to other node (scconf/logical host declarations) |
46 | pass out | quick |   | mypubip | hispubip | scmgr |   | group 20 | java application: ClusterManager |
47 | pass out | quick |   | mypubip | hispubip |   | srcport scmgr | group 20 | java application: ClusterManager |
48 | pass out | quick |   | mypubip | hispubip | tcp-high-ports |   | group 20 | open high ports out to other node |
49 | pass out | log quick |   |   |   |   | flags R/R | group 20 | let Reset packets out (for denied TCP connections) |
  | PRIVATE INTERFACES: INBOUND TRAFFIC (group 30) | ||||||||
50 | block in | log | ifprivs |   |   |   |   | head 30 | default block |
51 | pass in | quick |   | hisprivip | myprivip | sunrpc | keep state | group 30 | let RPC in |
52 | pass in | quick |   | hisprivip | myprivip | smad |   | group 30 | let UDP/603 in (smad) |
53 | pass in | log first quick |   | hisprivip | myprivip | clust-rec |   | group 30 | these ports are used during a cluster reconfiguration |
54 | pass in | log first quick |   | hisprivip | myprivip |   | srcport clust-rec | group 30 | these ports are used during a cluster reconfiguration |
55 | pass in | quick |   | hisprivip | myprivip | scmgr |   | group 30 | java application: ClusterManager |
56 | pass in | quick |   | hisprivip | myprivip |   | srcport scmgr | group 30 | java application: ClusterManager |
57 | pass in | quick |   | hisprivip | myprivip | tcp-high-ports |   | group 30 | open TCP high ports in from the other node |
  | the 5 rules above (53 to 57) deliberately don't use 'flags S keep state': with it only SYN packets would match, and connections already established before an IP-Filter restart would be cut, so the rules must let IP-Filter restart while the cluster is running | ||||||||
58 | pass in | quick |   | hisprivip | myprivip | icmp-ping |   | group 30 | ping, ping-reply: allowed |
  | PRIVATE INTERFACES: OUTBOUND TRAFFIC (group 40) | ||||||||
59 | block out | log | ifprivs |   |   |   |   | head 40 | default block |
60 | pass out | quick |   | myprivip | hisprivip | sunrpc | keep state | group 40 | let RPC out |
61 | pass out | quick |   | myprivip | hisprivip | smad |   | group 40 | let UDP/603 out (smad) |
62 | pass out | log first quick |   | myprivip | hisprivip | clust-rec |   | group 40 | these ports are used during a cluster reconfiguration |
63 | pass out | log first quick |   | myprivip | hisprivip |   | srcport clust-rec | group 40 | these ports are used during a cluster reconfiguration |
64 | pass out | quick |   | myprivip | hisprivip | scmgr |   | group 40 | java application: ClusterManager |
65 | pass out | quick |   | myprivip | hisprivip |   | srcport scmgr | group 40 | java application: ClusterManager |
66 | pass out | quick |   | myprivip | hisprivip | tcp-high-ports |   | group 40 | open high ports out to other node |
  | the 5 rules above (62 to 66) deliberately don't use 'flags S keep state': with it only SYN packets would match, and connections already established before an IP-Filter restart would be cut, so the rules must let IP-Filter restart while the cluster is running | ||||||||
67 | pass out | quick |   | myprivip | hisprivip | icmp-ping |   | group 40 | ping and reply allowed |
  | Warning: this ruleset is only a sample ... don't use it! |
  #   | Action | Intf | Original From | Original To | Original Service |  ->  | Translated Address | Translated Service | Range | Comment |
---|---|---|---|---|---|---|---|---|---|---|
  | sun-cluster.isba: NAT rules | |||||||||
1 | map | ifpub1 | 0/0 |   |   | -> | 0/32 | proxy port ftp ftp/tcp |   | FTP client: active ftp 2/2 (accept port 20 inbound connection) on main interface |
2 | map | ifpub2 | 0/0 |   |   | -> | 0/32 | proxy port ftp ftp/tcp |   | FTP client: active ftp 2/2 (accept port 20 inbound connection) on backup interface |
  #   | Name | Value | Comment | Included from |
---|---|---|---|---|
1 |   | 0/0 | for Nat: specifies any original address |   |
2 |   | 0/32 | for Nat: specifies current IP address |   |
3 | admhost1 | 192.170.1.2 | DMZ3: admin host1 | dmz3-admin |
4 | admhost2 | 192.170.1.8 | DMZ3: PC Jean | dmz3-admin |
5 | admhost3 | 192.170.1.9 | DMZ3: PC Frederic | dmz3-admin |
6 | admhost4 | 192.170.1.7 | DMZ3: PC Denis | dmz3-admin |
7 | admhost5 | 192.170.1.4 | DMZ3: PC Pierre | dmz3-admin |
8 | admhost6 | 192.170.1.1 | DMZ3: admin host2 | dmz3-admin |
9 | admhost7 | 192.170.1.10 | DMZ3: PC Christophe | dmz3-admin |
10 | admhost8 | 192.170.1.6 | DMZ3: PC Stephane | dmz3-admin |
11 | admhost9 | 192.170.1.5 | DMZ3: Sun Cluster admin host | dmz3-admin |
12 | admhostss1 | 192.170.1.25 | DMZ3: ssadmin host1 | dmz3-admin |
13 | admhostss2 | 192.170.1.26 | DMZ3: ssadmin host2 | dmz3-admin |
14 | adsm1 | 192.170.1.3 | DMZ3: ADSM backup server | dmz3-admin |
15 | akhenaton | 200.201.156.239 | www.akhenaton.com | dmz1-nt-servers |
16 | all-clust-ip | nickel chrome argon-lhost helium-lhost | all cluster IP addresses |   |
17 | allow-X11-to | dmz3-admin | let X11 out to these machines only |   |
18 | allow-ftp-from | dmz3-admin hispubip fw1s fw3s | accept inbound FTP from these machines only |   |
19 | allow-www-from | any | accept inbound HTTP from these machines only |   |
20 | amazone | 200.201.156.141 | DMZ1: www.nestor.com | dmz1-unix-servers |
21 | antares | 200.201.2.245 | Workstation Manu | lan-csd-sys |
22 | anubis | 200.201.156.245 | www.anubis.com | dmz1-nt-servers |
23 | argon | 200.201.156.132 | DMZ1: web server on cluster | dmz1-unix-servers |
24 | argon-lhost | argon dfe argon-trav europe-trav europe | DMZ1: argon logical host IP addresses | dmz1-unix-servers |
25 | argon-trav | 200.201.156.144 | DMZ1: web server on cluster | dmz1-unix-servers |
26 | becerede1 | 200.201.156.135 200.201.156.138 200.201.156.139 159.156.156.140 | Many web servers | dmz1-nt-servers |
27 | broadcast-24 | 255.255.255.0 |   | all-hosts |
28 | broadcast-32 | 255.255.255.255 |   | all-hosts |
29 | charybde | 200.201.156.252 | DMZ1: AGE www.charybde.com | dmz1-unix-servers |
30 | chrome | 200.201.156.250 | DMZ1: Sun cluster node 2 | dmz1-unix-servers |
31 | chrome-priv | 204.152.65.2 204.152.65.18 204.152.65.34 | chrome private network IP addresses |   |
32 | cluster1 | 192.170.14.11 | Test Sun cluster | lan-csd-sys |
33 | cluster2 | 192.170.14.12 | Test sun cluster | lan-csd-sys |
34 | dfe | 200.201.156.133 | DMZ1: web server on cluster | dmz1-unix-servers |
35 | dmz1-servers | 200.201.156.128/25 | Servers DMZ | dmz1-unix-servers |
36 | dmz3-admin | 192.170.1.0/27 | DMZ3: admin hosts | dmz3-admin |
37 | dmz32-relays | 200.201.156.16/28 | Relays DMZ | dmz32-relays |
38 | esnts1 | 192.170.14.13 | Network Terminal Server 1 - test cluster | lan-csd-sys |
39 | esnts2 | 192.170.14.14 | Network Terminal Server 2 - test cluster | lan-csd-sys |
40 | europe | 200.201.156.147 | DMZ1: europe web server on cluster | dmz1-unix-servers |
41 | europe-trav | 200.201.156.145 | DMZ1: europe-trav web server on cluster | dmz1-unix-servers |
42 | extradf | 200.201.156.251 | www.extradf.com | dmz1-nt-servers |
43 | fw-internet-s | fw1s fw3s | Internet firewalls - servers DMZ | dmz-firewalls |
44 | fw1a | 192.170.1.11 | firewall1, admin DMZ | dmz-firewalls |
45 | fw1e | 200.201.156.2 | firewall1, internet side | dmz-firewalls |
46 | fw1i | 200.201.127.65 | firewall1, internal side | dmz-firewalls |
47 | fw1r | 200.201.156.17 | firewall1, relays DMZ side | dmz-firewalls |
48 | fw1s | 200.201.156.129 | firewall1, servers DMZ side | dmz-firewalls |
49 | fw2a | 192.170.1.12 | firewall2, admin DMZ | dmz-firewalls |
50 | fw2e | 200.201.152.2 | firewall2, out side | dmz-firewalls |
51 | fw2i | 200.201.157.6 | firewall2, internal side | dmz-firewalls |
52 | fw2r | 200.201.152.81 | firewall2, relays DMZ side | dmz-firewalls |
53 | fw3a | 192.170.1.13 | firewall3, admin DMZ | dmz-firewalls |
54 | fw3e | 200.201.156.10 | firewall3, internet side | dmz-firewalls |
55 | fw3i | 200.201.157.10 | firewall3, internal side | dmz-firewalls |
56 | fw3r | 200.201.156.30 | firewall3, relays DMZ side | dmz-firewalls |
57 | fw3s | 200.201.156.254 | firewall3, servers DMZ side | dmz-firewalls |
58 | fw4a | 192.170.1.14 | firewall4, admin DMZ | dmz-firewalls |
59 | fw4e | 200.201.152.14 | firewall4, out side | dmz-firewalls |
60 | fw4i | 200.201.157.18 | firewall4, internal side | dmz-firewalls |
61 | fw4r | 200.201.152.94 | firewall4, relays DMZ side | dmz-firewalls |
62 | helium-lhost | isis | DMZ1: logical host helium on cluster | dmz1-unix-servers |
63 | hisprivip | #if-target(nickel, chrome-priv, nickel-priv) | Other cluster node private addresses |   |
64 | hispubip | #if-target(nickel, chrome, nickel) | Public IP address of the other node (physical address) |   |
65 | horus | to_be_defined | www.horus.com | dmz1-nt-servers |
66 | intdns1 | 200.201.1.81 | Internal DNS server | lan-csd-sys |
67 | intdns2 | 200.201.1.85 | Internal DNS server secondary | lan-csd-sys |
68 | intranet2 | 200.201.156.61 | DMZ32: intranet NT server | dmz32-relays |
69 | isis | 200.201.156.243 | DMZ1: Sybase server on cluster | dmz1-unix-servers |
70 | jade | 200.201.2.26 | Workstation Patrice | lan-csd-sys |
71 | jasmin | 200.201.156.241 | DMZ1: www.roger.com | dmz1-unix-servers |
72 | logserv | 192.170.1.19 | DMZ3: log server | dmz3-admin |
73 | lyris | argon | DMZ1: SMTP mailing list on cluster | dmz1-unix-servers |
74 | mailhost2 | 200.201.1.207 | Main mail host | lan-csd-inet |
75 | mailhost3 | 200.201.1.203 | Backup mail host | lan-csd-inet |
76 | md-host | 200.201.152.50 | DMZ22 md | dmz-extranet |
77 | mini1 | 200.201.156.19 | DMZ32: relay NT | dmz32-relays |
78 | multicast | 224.0.0.0/4 | for RIP rule |   |
79 | mvs-adsm0 | 200.201.1.11 | Central site - MVS (backup) | mvs-hosts |
80 | mvs-dl | 200.201.1.20 | Central site - MVS | mvs-hosts |
81 | mvs-fi | 200.201.1.40 | Central site - MVS | mvs-hosts |
82 | mvs-g2 | 200.201.1.10 | Central site - MVS | mvs-hosts |
83 | mvs-mi | 200.201.1.50 | Central site - MVS | mvs-hosts |
84 | mvs-perf-hosts | mvs-g2 mvs-sc mvs-dl mvs-fi mvs-mi mvs-tp | MVS machines that may receive performance data from mf2/mf3 | mvs-hosts |
85 | mvs-sc | 200.201.1.12 | Central site - MVS | mvs-hosts |
86 | mvs-tp | 200.201.1.60 | Central site - MVS | mvs-hosts |
87 | myprivip | #if-target(nickel, nickel-priv, chrome-priv) | My own private addresses |   |
88 | mypubip | #if-target(nickel, nickel, chrome) | My public IP address (physical node address) |   |
89 | nickel | 200.201.156.150 | DMZ1: Sun cluster node 1 | dmz1-unix-servers |
90 | nickel-priv | 204.152.65.1 204.152.65.17 204.152.65.33 | nickel private network IP addresses |   |
91 | ntcom1 | 200.201.156.136 200.201.156.137 | www.com1.com | dmz1-nt-servers |
92 | ntcom2 | 200.201.156.246 200.201.156.247 | www.com2.com | dmz1-nt-servers |
93 | packetshaper1 | 200.201.156.4 | Packet Shaper 1 | dmz-firewalls |
94 | packetshaper3 | 200.201.156.11 | Packet Shaper 3 | dmz-firewalls |
95 | patrol-hosts | mailhost3 admhost1 admhost6 | Patrol communications (port 1987) |   |
96 | proxy1 | 200.201.1.201 | Proxy 1 | lan-csd-inet |
97 | proxy2 | 200.201.1.208 | Proxy 2 | lan-csd-inet |
98 | realsec1 | 200.201.156.3 | RealSecure host1 | dmz-firewalls |
99 | realsec3 | 200.201.156.12 | RealSecure host2 | dmz-firewalls |
100 | relay1 | 200.201.156.18 | DMZ32: Relay 1 | dmz32-relays |
101 | relay2 | 200.201.156.29 | DMZ32: Relay 2 | dmz32-relays |
102 | relay4 | 200.201.152.93 | DMZ32: Relay 4 | dmz32-relays |
103 | rout2fed | 200.201.157.9 | inner router 2 | dmz-firewalls |
104 | rout2fedext | 200.201.152.12 | extranet router 2 | dmz-firewalls |
105 | rout2fedext2 | 200.201.152.13 | extranet router 2 bis | dmz-firewalls |
106 | rout2internet | 200.201.156.9 | internet router 2 | dmz-firewalls |
107 | rout2rle | 200.201.157.17 | extranet router 1 | dmz-firewalls |
108 | rout3fed | 200.201.127.66 | inner router 3 | dmz-firewalls |
109 | rout3fedext | 200.201.152.4 | extranet router 3 | dmz-firewalls |
110 | rout3fedext2 | 200.201.152.5 | extranet router 3 bis | dmz-firewalls |
111 | rout3internet | 200.201.156.1 | internet router 3 | dmz-firewalls |
112 | rout3rle2 | 200.201.157.5 | extranet router 2 | dmz-firewalls |
113 | scylla | 200.201.156.143 | DMZ1: AGE www.scylla.com | dmz1-unix-servers |
114 | servers-adsm | adsm1 | ADSM backup server |   |
115 | servers-dns | fw1e fw3e | only DNS servers used |   |
116 | servers-ntp | admhost1 admhost6 | only NTP servers used |   |
117 | servers-rip | fw1s fw3s | only RIP servers used |   |
118 | servers-smtp | relay1 relay2 | only SMTP servers used |   |
119 | sidhost1 | 200.201.1.215 | SecurId server | lan-csd-inet |
120 | sidhost2 | 200.201.1.216 | SecurId backup server | lan-csd-inet |
121 | spoofed-addr | 10.0.0.0/16 172.16.0.0/12 127.0.0.0/8 |   |   |
122 | ss1 | 192.170.1.21 | DMZ3: ss1 | dmz3-admin |
123 | ss2 | 192.170.1.22 | DMZ3: ss2 | dmz3-admin |
124 | ss3 | 192.170.1.23 | DMZ3: ss3 | dmz3-admin |
125 | ss4 | 192.170.1.24 | DMZ3: ss4 | dmz3-admin |
126 | sun002 | 200.201.2.233 | Sun terminal | lan-csd-inet |
127 | sunadmin | 192.170.14.15 | Test cluster admin station | lan-csd-sys |
128 | tijuana | 200.201.2.134 | Workstation Pierre | lan-csd-sys |
129 | tisane | 200.201.156.142 | DMZ1: www.tisane.com | dmz1-unix-servers |
130 | tracks0 | 200.201.152.51 | DMZ22 tracks0 | dmz-extranet |
131 | tracks1 | 200.201.152.61 | DMZ22 tracks1 | dmz-extranet |
132 | webdi1 | 200.201.156.151 | www.di1.com | dmz1-nt-servers |
133 | webdi2 | 200.201.156.240 | www.di2.com | dmz1-nt-servers |
134 | webresh | 200.201.156.131 | DMZ1: web server | dmz1-unix-servers |
135 | xyplex1a21 | 192.170.14.35 | Xyplex 21 | lan-csd-inet |
136 | xyplex1a30 | 192.170.14.33 | Xyplex 30 | lan-csd-inet |
137 | xyplex2a20 | 192.170.14.34 | Xyplex 20 | lan-csd-inet |
138 | xyplex2a21 | 192.170.1.16 | DMZ3: Xyplex21 | dmz3-admin |
139 | xyplex2a30 | 192.170.1.18 | DMZ3: Xyplex30 | dmz3-admin |
  #   | Name | Proto | Value | Comment | Included from |
---|---|---|---|---|---|
1 |   | udp | 162 |   |   |
2 | X11 | tcp | 5999><6010 |   |   |
3 | adsm | tcp | 14000 | ADSM backup port |   |
4 | an-appli | tcp | #if-target(nickel, 4000) |   |   |
5 | clust-rec | tcp | 6999><8000 | ports used by ccdd daemon during a cluster reconfiguration |   |
6 | dns-tcp | tcp | 53 |   |   |
7 | dns-udp | udp | 53 |   |   |
8 | ftp | tcp | 21 |   |   |
9 | ftp-data |   |   |   |   |
10 | icmp-other | icmp | 3 11 | allowed ICMP-types, with logging |   |
11 | icmp-ping | icmp | 0 8 | allowed ICMP-types (ping), no logging |   |
12 | ntp |   |   |   |   |
13 | patrol | tcp/udp | 1987 | port Patrol |   |
14 | polluting-ports | tcp/udp | 67 137 138 139 140 1804 8500 | ports silently blocked to avoid log pollution |   |
15 | proto-2 | 2 |   |   |   |
16 | proto-tcp | tcp |   | specifies proto tcp, no port |   |
17 | proto-udp | udp |   | specifies proto udp, no port |   |
18 | route |   |   |   |   |
19 | scmgr | tcp | 1097 | used by java com.sun.scm.admin.server.scmgr.ClusterManager |   |
20 | smad | udp | 603 | Sun cluster communication |   |
21 | smtp | tcp | 25 |   |   |
22 | ssh | tcp | 22 |   |   |
23 | sunrpc | tcp/udp | 111 | unfortunately used by SunCluster |   |
24 | sybase | tcp | 4100 | Sybase port |   |
25 | tcp-high-ports | tcp | >1024 | Unprivileged ports |   |
26 | wu-pasv | tcp | 18999><20000 | Passive FTP server data ports (configure wu-ftpd's passive port range to match) |   |
27 | www | tcp | 80 |   |   |
28 | www-admin | tcp | 82 |   |   |
  #   | Name | Value | Comment | Included from |
---|---|---|---|---|
1 | allifs | ifpubs ifprivs | All cluster interfaces |   |
2 | ifpriv1 | qfe1 | private network, interface 1 |   |
3 | ifpriv2 | qfe5 | private network, interface 2 |   |
4 | ifprivs | ifpriv1 ifpriv2 | both private interfaces |   |
5 | ifpub1 | qfe0 | public network, interface 1 |   |
6 | ifpub2 | qfe4 | public network, interface 2 |   |
7 | ifpubs | ifpub1 ifpub2 | both NAFO0 public interfaces |   |
8 | lo0 | lo0 | Loopback interface |   |
Version | 1.0 |
Ruleset targets | |

Setup infos - Ruleset comments - List of changes - ...

This ruleset protects a 2-node Sun Cluster living in a DMZ from its potentially compromised neighbours. All networks (public and private) are doubled. Private networks are used by SunCluster only, for cluster administration (heartbeats, etc.). Public networks are used for access to the hosted servers: WWW, FTP, SMTP, SSH. Both private interfaces must have the same set of rules, and both public interfaces must have the same set of rules, whence the interface groups 'ifprivs' and 'ifpubs'.

```
   ----------------                       ----------------
   |    nickel    |                       |    chrome    |
   |              |                       |              |
   |         qfe1 |-----------------------| qfe1         |
   |              |   Private networks    |              |
   |         qfe5 |-----------------------| qfe5         |
   |              |                       |              |
   |  qfe0  qfe4  |                       |  qfe0  qfe4  |
   ----------------                       ----------------
      |     |                                |     |
  ----+-----|--------------------------------+-----|----------  DMZ
            |          Public networks             |
  ----------+--------------------------------------+----------
```
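The tables above only make sense once the object names are expanded for a given node: `all-clust-ip` nests `argon-lhost` and `helium-lhost`, and `hispubip`/`myprivip` swap meaning depending on whether the ruleset is generated for nickel or for chrome. The script below is an added illustration of that expansion, not ISBA's own code or output format. It copies a handful of host entries from the page into a constructed table, reads `#if-target(node, a, b)` as "a when generating for node, otherwise b" (an assumption inferred from the table), and renders a few rows as IP Filter lines, one per address pair, since an ipf rule names a single address on each side. The rendering only handles TCP rows; `sunrpc` is really tcp/udp on the page.

```python
import re

# Constructed excerpt of the page's host-object table (names and addresses
# copied from it; only the entries needed here).
HOSTS = {
    "nickel": "200.201.156.150",
    "chrome": "200.201.156.250",
    "argon": "200.201.156.132",
    "dfe": "200.201.156.133",
    "argon-trav": "200.201.156.144",
    "europe-trav": "200.201.156.145",
    "europe": "200.201.156.147",
    "isis": "200.201.156.243",
    "argon-lhost": "argon dfe argon-trav europe-trav europe",
    "helium-lhost": "isis",
    "all-clust-ip": "nickel chrome argon-lhost helium-lhost",
    "nickel-priv": "204.152.65.1 204.152.65.17 204.152.65.33",
    "chrome-priv": "204.152.65.2 204.152.65.18 204.152.65.34",
    "hispubip": "#if-target(nickel, chrome, nickel)",
    "mypubip": "#if-target(nickel, nickel, chrome)",
    "hisprivip": "#if-target(nickel, chrome-priv, nickel-priv)",
    "myprivip": "#if-target(nickel, nickel-priv, chrome-priv)",
    "spoofed-addr": "10.0.0.0/16 172.16.0.0/12 127.0.0.0/8",
}

# Assumed reading of the page's #if-target(node, a, b) macro:
# 'a' when the ruleset is generated for node, otherwise 'b'.
IF_TARGET = re.compile(r"#if-target\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)")
LITERAL = re.compile(r"\d+\.\d+\.\d+\.\d+(?:/\d+)?")


def resolve(name, target, table=HOSTS, _seen=()):
    """Expand an object name to the ordered, de-duplicated list of address
    literals it denotes for the cluster node `target`."""
    if name in _seen:
        raise ValueError(f"object cycle through {name!r}")
    if name == "any" or LITERAL.fullmatch(name):
        return [name]
    value = table[name].strip()       # KeyError on an undefined object: fail closed
    m = IF_TARGET.fullmatch(value)
    if m:
        node, if_target, otherwise = m.groups()
        value = if_target if target == node else otherwise
    out = []
    for token in value.split():
        for addr in resolve(token, target, table, _seen + (name,)):
            if addr not in out:
                out.append(addr)
    return out


def render_tcp(action, opts, src, dst, port, misc, group, target, table=HOSTS):
    """Render one TCP row of the rule table as IP Filter lines, one per
    (from, to) address pair. Empty From/To cells mean 'any', as in the table."""
    lines = []
    for s in resolve(src or "any", target, table):
        for d in resolve(dst or "any", target, table):
            lines.append(
                f"{action} {opts} proto tcp from {s} to {d} port = {port} "
                f"{misc} group {group}".replace("  ", " ").strip()
            )
    return lines


def anti_spoof(target, table=HOSTS):
    """Rule 7 of the page: one block line per spoofed prefix."""
    return [
        f"block in log quick from {s} to any group 10"
        for s in resolve("spoofed-addr", target, table)
    ]


if __name__ == "__main__":
    for node in ("nickel", "chrome"):
        print(f"# generated for {node}")
        for line in anti_spoof(node):
            print(line)
        # rule 8: SSH server reachable on every cluster address
        for line in render_tcp("pass in", "log first quick", "", "all-clust-ip",
                               22, "flags S keep state keep frags", 10, node):
            print(line)
        # rule 18: sunrpc only from the other node, only to this node's own address
        for line in render_tcp("pass in", "log quick", "hispubip", "mypubip",
                               111, "keep state", 10, node):
            print(line)
```

Running it for both nodes shows the point of the `#if-target` objects: the same row 18 yields `from 200.201.156.250 to 200.201.156.150` on nickel and the reverse on chrome, so one source ruleset produces two node-specific ipf files without either node accepting RPC from anywhere else. The cycle check matters in practice, since a group that references itself through another group would otherwise recurse forever.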