# Isba source file text export - Sun Nov 18 07:15:09 MET 2001
# from: /home/pierre/isba/dev/samples/sun-cluster.isba
#
# IPF RULES
#
# ---  ---------  ----------------------  --------  ---------------  -------------  ------------------  ------------------------------  ---------  --------------------------------------------
#   N  Action     Opts                    Intf      From             To             Service             Misc                            Group      Comment
# ---  ---------  ----------------------  --------  ---------------  -------------  ------------------  ------------------------------  ---------  --------------------------------------------
#
# sun-cluster.isba: ruleset for a 2-node Sun Cluster: nickel and chrome
#
# #include-objects include/all-hosts
#
# LOCALHOST TRAFFIC AND GENERAL RULES
#
    1  pass out   quick                   lo0                                                                                                      # local processes: let all pass
    2  pass in    quick                   lo0
    3  block in   log body quick                                                                          with ipopts                                # block all packets with IP options
    4  block in   log body quick                                                                          with short                                 # block too short packets
    5  block in   quick                                                               polluting-ports                                               # to avoid log pollution
#
# PUBLIC INTERFACES: INBOUND TRAFFIC (group 10)
#
    6  block in   log                     ifpubs                                                                                          head 10    # inbound traffic on public interface: default block
    7  block in   log quick                         spoofed-addr                                                                          group 10   # anti-spoofing
    8  pass in    log first quick                                    all-clust-ip   ssh                 flags S keep state keep frags   group 10   # SSH server
    9  pass in    quick                             allow-ftp-from   all-clust-ip   ftp wu-pasv         flags S keep state keep frags   group 10   # ftp: active FTP server 1/2; wu-pasv: passive FTP server (data ports), and configure wu-ftpd
   10  pass in    quick                             allow-www-from   all-clust-ip   www                 flags S keep state keep frags   group 10   # WWW servers
   11  pass in    quick                             allow-www-from   all-clust-ip   www-admin           flags S keep state keep frags   group 10   # Netscape admin server
   12  pass in    quick                                              isis           sybase                                              group 10   # Sybase server
# ---  ---------  ----------------------  --------  ---------------  -------------  ------------------  ------------------------------  ---------  --------------------------------------------
   13  pass in    quick                             servers-rip      multicast      route                                               group 10   # RIP
   14  pass in    quick                             hispubip         multicast      icmp-ping                                           group 10
   15  pass in    log quick                                                         proto-2                                             group 10   # protocol 2 inbound (RIP?)
   16  pass in    quick                                              all-clust-ip   icmp-ping                                           group 10   # ping, ping-reply: allowed (no logging)
   17  pass in    log quick                                          all-clust-ip   icmp-other                                          group 10   # time exceeded, unreachable: allowed (with logging)
# ---  ---------  ----------------------  --------  ---------------  -------------  ------------------  ------------------------------  ---------  --------------------------------------------
   18  pass in    log quick                         hispubip         mypubip        sunrpc              keep state                      group 10   # let RPC in from the other node (scconf/logical host declarations)
   19  pass in    quick                             hispubip         mypubip        scmgr                                               group 10   # java application: ClusterManager
   20  pass in    quick                             hispubip         mypubip        srcport scmgr                                       group 10   # java application: ClusterManager
   21  pass in    quick                             hispubip         mypubip        tcp-high-ports                                      group 10   # open TCP high ports in from the other node
   22  pass in    quick                             servers-smtp     lyris          smtp                flags S keep state keep frags   group 10   # smtp for Lyris mailing list
   23  pass in    quick                             patrol-hosts     all-clust-ip   patrol                                              group 10   # Patrol communications
# ---  ---------  ----------------------  --------  ---------------  -------------  ------------------  ------------------------------  ---------  --------------------------------------------
   24  block in   quick                             dmz1-servers                    route                                               group 10   # don't return a 'port-unr' packet to a poor guy asking for a route
   25  block in   log return-icmp quick                                             proto-udp                                           group 10   # other UDP ports: return a 'port unreachable' packet to avoid a timeout
   26  block in   log return-rst quick                                              proto-tcp           flags S                         group 10   # other TCP ports: return a Reset packet to avoid a timeout
#
# PUBLIC INTERFACES: OUTBOUND TRAFFIC (group 20)
#
   27  block out  log                     ifpubs                                                                                          head 20    # default block
   28  pass out   log first quick                                                   ssh                 flags S keep state keep frags   group 20   # SSH client
   29  pass out   quick                                              servers-dns    dns-tcp             flags S keep state keep frags   group 20   # DNS/tcp client
   30  pass out   quick                                              servers-dns    dns-udp             keep state                      group 20   # DNS/udp client
   31  pass out   quick                                                             www                 flags S keep state keep frags   group 20   # HTTP client
   32  pass out   log first quick                                    servers-smtp   smtp                flags S keep state keep frags   group 20   # sendmail client
   33  pass out   quick                                              servers-ntp    ntp                 keep state                      group 20   # NTP client
   34  pass out   log first quick                                    servers-adsm   adsm                flags S keep state keep frags   group 20   # ADSM backup client
   35  pass out   log first quick                                    allow-X11-to   X11                 flags S keep state keep frags   group 20   # unencrypted X11 client
   36  pass out   quick                                                             ftp                 flags S keep state keep frags   group 20   # FTP client: passive ftp 1/1, and active ftp 1/2 (see NAT for the 2/2)
   37  pass out   quick                                                             srcport ftp-data    flags S keep state keep frags   group 20   # active FTP server 2/2: open port 20 outbound
   38  pass out   quick                             isis                            srcport sybase                                      group 20   # Sybase server
   39  pass out   quick                                              patrol-hosts   patrol                                              group 20   # Patrol communications
   40  pass out   quick                                              intdns1        162                                                 group 20
# ---  ---------  ----------------------  --------  ---------------  -------------  ------------------  ------------------------------  ---------  --------------------------------------------
   41  pass out   quick                                                             srcport route                                       group 20   # RIP
   42  pass out   log quick                                                         proto-2                                             group 20   # let protocol 2 out (gated)
   43  pass out   quick                                                             icmp-ping                                           group 20   # ping, ping-reply: ok (no logging)
   44  pass out   log quick                                                         icmp-other                                          group 20   # time exceeded, unreachable: ok (with logging)
   45  pass out   quick                             mypubip          hispubip       sunrpc              keep state                      group 20   # let RPC out to other node (scconf/logical host declarations)
   46  pass out   quick                             mypubip          hispubip       scmgr                                               group 20   # java application: ClusterManager
   47  pass out   quick                             mypubip          hispubip       srcport scmgr                                       group 20   # java application: ClusterManager
   48  pass out   quick                             mypubip          hispubip       tcp-high-ports                                      group 20   # open high ports out to other node
   49  pass out   log quick                                                                             flags R/R                       group 20   # let Reset packets out (for denied TCP connections)
#
# PRIVATE INTERFACES: INBOUND TRAFFIC (group 30)
#
   50  block in   log                     ifprivs                                                                                         head 30    # default block
   51  pass in    quick                             hisprivip        myprivip       sunrpc              keep state                      group 30   # let RPC in
   52  pass in    quick                             hisprivip        myprivip       smad                                                group 30   # let UDP/603 in (smad)
   53  pass in    log first quick                   hisprivip        myprivip       clust-rec                                           group 30   # these ports are used during a cluster reconfiguration
   54  pass in    log first quick                   hisprivip        myprivip       srcport clust-rec                                   group 30   # these ports are used during a cluster reconfiguration
   55  pass in    quick                             hisprivip        myprivip       scmgr                                               group 30   # java application: ClusterManager
   56  pass in    quick                             hisprivip        myprivip       srcport scmgr                                       group 30   # java application: ClusterManager
   57  pass in    quick                             hisprivip        myprivip       tcp-high-ports                                      group 30   # open high ports out to other node
# in last 5 rules, don't use 'flags S keep state', to be able to restart IP-Filter while the cluster is running
   58  pass in    quick                             hisprivip        myprivip       icmp-ping                                           group 30   # ping, ping-reply: allowed
#
# PRIVATE INTERFACES: OUTBOUND TRAFFIC (group 40)
#
   59  block out  log                     ifprivs                                                                                         head 40    # default block
   60  pass out   quick                             myprivip         hisprivip      sunrpc              keep state                      group 40   # let RPC out
   61  pass out   quick                             myprivip         hisprivip      smad                                                group 40   # let UDP/603 out (smad)
   62  pass out   log first quick                   myprivip         hisprivip      clust-rec                                           group 40   # these ports are used during a cluster reconfiguration
   63  pass out   log first quick                   myprivip         hisprivip      srcport clust-rec                                   group 40   # these ports are used during a cluster reconfiguration
   64  pass out   quick                             myprivip         hisprivip      scmgr                                               group 40   # java application: ClusterManager
   65  pass out   quick                             myprivip         hisprivip      srcport scmgr                                       group 40   # java application: ClusterManager
   66  pass out   quick                             myprivip         hisprivip      tcp-high-ports                                      group 40   # open high ports out to other node
# in last 5 rules, don't use 'flags S keep state', to be able to restart IP-Filter while the cluster is running
   67  pass out   quick                             myprivip         hisprivip      icmp-ping                                           group 40   # ping and reply allowed
#
# Warning: this ruleset is only a sample ... don't use it!
#
# NAT RULES
#
# ---  --------  ------  ----------  ----------  ----------  --  ------------  --------------  --------  -----------------------------------
#   N  Action    Intf    Original    Original    Original        Translated    Translated      Range     Comment
#                        From        To          Service     ->  Address       Service
# ---  --------  ------  ----------  ----------  ----------  --  ------------  --------------  --------  -----------------------------------
#
# sun-cluster.isba: NAT rules
#
    1  map       ifpub1  0/0                                 ->  0/32          proxy port ftp            # FTP client: active ftp 2/2 (accept port 20 inbound connection) on main interface
                                                                               ftp/tcp
    2  map       ifpub2  0/0                                 ->  0/32          proxy port ftp            # FTP client: active ftp 2/2 (accept port 20 inbound connection) on backup interface
                                                                               ftp/tcp

# --------------  ------------------  ------------------------------------------------------  -----------------
# HOST/NET        VALUE               COMMENT                                                 INCLUDED FROM
# --------------  ------------------  ------------------------------------------------------  -----------------
  -               0/0                 for Nat: specifies any original address
  -               0/32                for Nat: specifies current IP address
  admhost1        192.170.1.2         DMZ3: admin host1                                       dmz3-admin
  admhost2        192.170.1.8         DMZ3: PC Jean                                           dmz3-admin
  admhost3        192.170.1.9         DMZ3: PC Frederic                                       dmz3-admin
  admhost4        192.170.1.7         DMZ3: PC Denis                                          dmz3-admin
  admhost5        192.170.1.4         DMZ3: PC Pierre                                         dmz3-admin
  admhost6        192.170.1.1         DMZ3: admin host2                                       dmz3-admin
  admhost7        192.170.1.10        DMZ3: PC Christophe                                     dmz3-admin
  admhost8        192.170.1.6         DMZ3: PC Stephane                                       dmz3-admin
  admhost9        192.170.1.5         DMZ3: Sun Cluster admin host                            dmz3-admin
  admhostss1      192.170.1.25        DMZ3: ssadmin host1                                     dmz3-admin
  admhostss2      192.170.1.26        DMZ3: ssadmin host2                                     dmz3-admin
  adsm1           192.170.1.3         DMZ3: ADSM backup server                                dmz3-admin
  akhenaton       200.201.156.239     www.akhenaton.com                                       dmz1-nt-servers
  all-clust-ip    nickel              all cluster IP addresses
                  chrome
                  argon-lhost
                  helium-lhost
  allow-X11-to    dmz3-admin          let X11 out to these machines only
  allow-ftp-from  dmz3-admin          accept inbound FTP from these machines only
                  hispubip
                  fw1s
                  fw3s
  allow-www-from  any                 accept inbound HTTP from these machines only
  amazone         200.201.156.141     DMZ1: www.nestor.com                                    dmz1-unix-servers
  antares         200.201.2.245       Workstation Manu                                        lan-csd-sys
  anubis          200.201.156.245     www.anubis.com                                          dmz1-nt-servers
  argon           200.201.156.132     DMZ1: web server on cluster                             dmz1-unix-servers
  argon-lhost     argon               DMZ1: argon logical host IP addresses                   dmz1-unix-servers
                  dfe
                  argon-trav
                  europe-trav
                  europe
  argon-trav      200.201.156.144     DMZ1: web server on cluster                             dmz1-unix-servers
  becerede1       200.201.156.135     Many web servers                                        dmz1-nt-servers
                  200.201.156.138
                  200.201.156.139
                  159.156.156.140
  broadcast-24    255.255.255.0                                                               all-hosts
  broadcast-32    255.255.255.255                                                             all-hosts
  charybde        200.201.156.252     DMZ1: AGE www.charybde.com                              dmz1-unix-servers
  chrome          200.201.156.250     DMZ1: Sun cluster node 2                                dmz1-unix-servers
  chrome-priv     204.152.65.2        chrome private network IP addresses
                  204.152.65.18
                  204.152.65.34
  cluster1        192.170.14.11       Test Sun cluster                                        lan-csd-sys
  cluster2        192.170.14.12       Test sun cluster                                        lan-csd-sys
  dfe             200.201.156.133     DMZ1: web server on cluster                             dmz1-unix-servers
  dmz1-servers    200.201.156.128/25  Servers DMZ                                             dmz1-unix-servers
  dmz3-admin      192.170.1.0/27      DMZ3: admin hosts                                       dmz3-admin
  dmz32-relays    200.201.156.16/28   Relays DMZ                                              dmz32-relays
  esnts1          192.170.14.13       Network Terminal Server 1 - test cluster                lan-csd-sys
  esnts2          192.170.14.14       Network Terminal Server 2 - test cluster                lan-csd-sys
  europe          200.201.156.147     DMZ1: europe web server on cluster                      dmz1-unix-servers
  europe-trav     200.201.156.145     DMZ1: europe-trav web server on cluster                 dmz1-unix-servers
  extradf         200.201.156.251     www.extradf.com                                         dmz1-nt-servers
  fw-internet-s   fw1s                Internet firewalls - servers DMZ                        dmz-firewalls
                  fw3s
  fw1a            192.170.1.11        firewall1, admin DMZ                                    dmz-firewalls
  fw1e            200.201.156.2       firewall1, internet side                                dmz-firewalls
  fw1i            200.201.127.65      firewall1, internal side                                dmz-firewalls
  fw1r            200.201.156.17      firewall1, relays DMZ side                              dmz-firewalls
  fw1s            200.201.156.129     firewall1, servers DMZ side                             dmz-firewalls
  fw2a            192.170.1.12        firewall2, admin DMZ                                    dmz-firewalls
  fw2e            200.201.152.2       firewall2, out side                                     dmz-firewalls
  fw2i            200.201.157.6       firewall2, internal side                                dmz-firewalls
  fw2r            200.201.152.81      firewall2, relays DMZ side                              dmz-firewalls
  fw3a            192.170.1.13        firewall3, admin DMZ                                    dmz-firewalls
  fw3e            200.201.156.10      firewall3, internet side                                dmz-firewalls
  fw3i            200.201.157.10      firewall3, internal side                                dmz-firewalls
  fw3r            200.201.156.30      firewall3, relays DMZ side                              dmz-firewalls
  fw3s            200.201.156.254     firewall3, servers DMZ side                             dmz-firewalls
  fw4a            192.170.1.14        firewall4, admin DMZ                                    dmz-firewalls
  fw4e            200.201.152.14      firewall4, out side                                     dmz-firewalls
  fw4i            200.201.157.18      firewall4, internal side                                dmz-firewalls
  fw4r            200.201.152.94      firewall4, relays DMZ side                              dmz-firewalls
  helium-lhost    isis                DMZ1: logical host helium on cluster                    dmz1-unix-servers
  hisprivip       #if-target(nickel,  Other cluster node private addresses
                  chrome-priv, nickel-priv)
  hispubip        #if-target(nickel,  Public IP address of the other node (physical address)
                  chrome, nickel)
  horus           to_be_defined       www.horus.com                                           dmz1-nt-servers
  intdns1         200.201.1.81        Internal DNS server                                     lan-csd-sys
  intdns2         200.201.1.85        Internal DNS server secondary                           lan-csd-sys
  intranet2       200.201.156.61      DMZ32: intranet NT server                               dmz32-relays
  isis            200.201.156.243     DMZ1: Sybase server on cluster                          dmz1-unix-servers
  jade            200.201.2.26        Workstation Patrice                                     lan-csd-sys
  jasmin          200.201.156.241     DMZ1: www.roger.com                                     dmz1-unix-servers
  logserv         192.170.1.19        DMZ3: log server                                        dmz3-admin
  lyris           argon               DMZ1: SMTP mailing list on cluster                      dmz1-unix-servers
  mailhost2       200.201.1.207       Main mail host                                          lan-csd-inet
  mailhost3       200.201.1.203       Backup mail host                                        lan-csd-inet
  md-host         200.201.152.50      DMZ22 md                                                dmz-extranet
  mini1           200.201.156.19      DMZ32: relay NT                                         dmz32-relays
  multicast       224.0.0.0/4         for RIP rule
  mvs-adsm0       200.201.1.11        Central site - MVS (backup)                             mvs-hosts
  mvs-dl          200.201.1.20        Central site - MVS                                      mvs-hosts
  mvs-fi          200.201.1.40        Central site - MVS                                      mvs-hosts
  mvs-g2          200.201.1.10        Central site - MVS                                      mvs-hosts
  mvs-mi          200.201.1.50        Central site - MVS                                      mvs-hosts
  mvs-perf-hosts  mvs-g2              MVS machines that may receive perf data from mf2/mf3    mvs-hosts
                  mvs-sc
                  mvs-dl
                  mvs-fi
                  mvs-mi
                  mvs-tp
  mvs-sc          200.201.1.12        Central site - MVS                                      mvs-hosts
  mvs-tp          200.201.1.60        Central site - MVS                                      mvs-hosts
  myprivip        #if-target(nickel,  My own private addresses
                  nickel-priv, chrome-priv)
  mypubip         #if-target(nickel,  My public IP address (physical node address)
                  nickel, chrome)
  nickel          200.201.156.150     DMZ1: Sun cluster node 1                                dmz1-unix-servers
  nickel-priv     204.152.65.1        nickel private network IP addresses
                  204.152.65.17
                  204.152.65.33
  ntcom1          200.201.156.136     www.com1.com                                            dmz1-nt-servers
                  200.201.156.137
  ntcom2          200.201.156.246     www.com2.com                                            dmz1-nt-servers
                  200.201.156.247
  packetshaper1   200.201.156.4       Packet Shaper 1                                         dmz-firewalls
  packetshaper3   200.201.156.11      Packet Shaper 3                                         dmz-firewalls
  patrol-hosts    mailhost3           Patrol communications (port 1987)
                  admhost1
                  admhost6
  proxy1          200.201.1.201       Proxy 1                                                 lan-csd-inet
  proxy2          200.201.1.208       Proxy 2                                                 lan-csd-inet
  realsec1        200.201.156.3       RealSecure host1                                        dmz-firewalls
  realsec3        200.201.156.12      RealSecure host2                                        dmz-firewalls
  relay1          200.201.156.18      DMZ32: Relay 1                                          dmz32-relays
  relay2          200.201.156.29      DMZ32: Relay 2                                          dmz32-relays
  relay4          200.201.152.93      DMZ32: Relay 4                                          dmz32-relays
  rout2fed        200.201.157.9       inner router 2                                          dmz-firewalls
  rout2fedext     200.201.152.12      extranet router 2                                       dmz-firewalls
  rout2fedext2    200.201.152.13      extranet router 2 bis                                   dmz-firewalls
  rout2internet   200.201.156.9       internet router 2                                       dmz-firewalls
  rout2rle        200.201.157.17      extranet router 1                                       dmz-firewalls
  rout3fed        200.201.127.66      inner router 3                                          dmz-firewalls
  rout3fedext     200.201.152.4       extranet router 3                                       dmz-firewalls
  rout3fedext2    200.201.152.5       extranet router 3 bis                                   dmz-firewalls
  rout3internet   200.201.156.1       internet router 3                                       dmz-firewalls
  rout3rle2       200.201.157.5       extranet router 2                                       dmz-firewalls
  scylla          200.201.156.143     DMZ1: AGE www.scylla.com                                dmz1-unix-servers
  servers-adsm    adsm1               ADSM backup server
  servers-dns     fw1e                only DNS servers used
                  fw3e
  servers-ntp     admhost1            only NTP servers used
                  admhost6
  servers-rip     fw1s                only RIP servers used
                  fw3s
  servers-smtp    relay1              only SMTP servers used
                  relay2
  sidhost1        200.201.1.215       SecurId server                                          lan-csd-inet
  sidhost2        200.201.1.216       SecurId backup server                                   lan-csd-inet
  spoofed-addr    10.0.0.0/16
                  172.16.0.0/12
                  127.0.0.0/8
  ss1             192.170.1.21        DMZ3: ss1                                               dmz3-admin
  ss2             192.170.1.22        DMZ3: ss2                                               dmz3-admin
  ss3             192.170.1.23        DMZ3: ss3                                               dmz3-admin
  ss4             192.170.1.24        DMZ3: ss4                                               dmz3-admin
  sun002          200.201.2.233       Sun terminal                                            lan-csd-inet
  sunadmin        192.170.14.15       Test cluster admin station                              lan-csd-sys
  tijuana         200.201.2.134       Workstation Pierre                                      lan-csd-sys
  tisane          200.201.156.142     DMZ1: www.tisane.com                                    dmz1-unix-servers
  tracks0         200.201.152.51      DMZ22 tracks0                                           dmz-extranet
  tracks1         200.201.152.61      DMZ22 tracks1                                           dmz-extranet
  webdi1          200.201.156.151     www.di1.com                                             dmz1-nt-servers
  webdi2          200.201.156.240     www.di2.com                                             dmz1-nt-servers
  webresh         200.201.156.131     DMZ1: web server                                        dmz1-unix-servers
  xyplex1a21      192.170.14.35       Xyplex 21                                               lan-csd-inet
  xyplex1a30      192.170.14.33       Xyplex 30                                               lan-csd-inet
  xyplex2a20      192.170.14.34       Xyplex 20                                               lan-csd-inet
  xyplex2a21      192.170.1.16        DMZ3: Xyplex21                                          dmz3-admin
  xyplex2a30      192.170.1.18        DMZ3: Xyplex30                                          dmz3-admin

# ---------------  --------  ------------------  --------------------------------------------------------------  -------------
# SERVICE          PROTO     VALUE               COMMENT                                                         INCLUDED FROM
# ---------------  --------  ------------------  --------------------------------------------------------------  -------------
  -                udp       162
  X11              tcp       5999><6010
  adsm             tcp       14000               ADSM backup port
  an-appli         tcp       #if-target(nickel, 4000)
  clust-rec        tcp       6999><8000          ports used by ccdd daemon during a cluster reconfiguration
  dns-tcp          tcp       53
  dns-udp          udp       53
  ftp              tcp       21
  ftp-data
  icmp-other       icmp      3                   allowed ICMP-types, with logging
                             11
  icmp-ping        icmp      0                   allowed ICMP-types (ping), no logging
                             8
  ntp
  patrol           tcp/udp   1987                port Patrol
  polluting-ports  tcp/udp   67                  ports silently blocked to avoid log pollution
                             137
                             138
                             139
                             140
                             1804
                             8500
  proto-2          2
  proto-tcp        tcp                           specifies proto tcp, no port
  proto-udp        udp                           specifies proto udp, no port
  route
  scmgr            tcp       1097                used by java com.sun.scm.admin.server.scmgr.ClusterManager
  smad             udp       603                 Sun cluster communication
  smtp             tcp       25
  ssh              tcp       22
  sunrpc           tcp/udp   111                 unfortunately used by SunCluster
  sybase           tcp       4100                Sybase port
  tcp-high-ports   tcp       >1024               Unprivileged ports
  wu-pasv          tcp       18999><20000        Passive FTP server: (and configure wu-ftp (passive ports ...))
  www              tcp       80
  www-admin        tcp       82

# ---------  --------  ----------------------------  -------------
# INTERFACE  VALUE     COMMENT                       INCLUDED FROM
# ---------  --------  ----------------------------  -------------
  allifs     ifpubs    All cluster interfaces
             ifprivs
  ifpriv1    qfe1      private network, interface 1
  ifpriv2    qfe5      private network, interface 2
  ifprivs    ifpriv1   both private interfaces
             ifpriv2
  ifpub1     qfe0      public network, interface 1
  ifpub2     qfe4      public network, interface 2
  ifpubs     ifpub1    both NAFO0 public interfaces
             ifpub2
  lo0        lo0       Loopback interface

# RULESET PROPERTIES
# Version: 1.0
# Ruleset targets:
#     Target hostname   SSH user   use    ipfilter          ipf rules     nat rules
#     or IP address     on target  sudo   conf dir.         filename      filename
#     --------------    ---------  -----  ---------------   ------------  ------------
#  1: nickel            isba       X      /etc/opt/ipf      ipf.conf      ipnat.conf
#  2: chrome            isba       X      /etc/opt/ipf      ipf.conf      ipnat.conf
#  3:
# Setup infos - Ruleset comments - List of changes ...
|
| This ruleset protects a 2-node Sun Cluster living in a DMZ
| from its potentially compromised neighbours.
| All networks (public and private) are doubled.
| Private networks are used by SunCluster only, for cluster
| administration (heartbeats, etc.)
| Public networks are used for access to hosted servers: WWW, FTP, SMTP, SSH.
|
| Both private interfaces must have the same set of rules,
| and both public interfaces must have the same set of rules,
| whence the interface groups 'ifprivs' and 'ifpubs'.
|
|     ----------------                      ----------------
|     |    nickel    |                      |    chrome    |
|     |              |                      |              |
|     |         qfe1 |----------------------| qfe1         |
|     |              |   Private networks   |              |
|     |         qfe5 |----------------------| qfe5         |
|     |              |                      |              |
|     |  qfe0   qfe4 |                      | qfe0   qfe4  |
|     ----------------                      ----------------
|         |      |                             |      |
|         |      |                             |      |
|  -------+------|-----------------------------+------|--------  DMZ
|                |          Public networks           |
|  --------------+------------------------------------+--------
|