computer_stuff:chem_firewall [2013/08/06 15:42] Michael Torrie [Access Controls Rules] |
computer_stuff:chem_firewall [2013/08/06 16:09] (current) Michael Torrie [Access Controls Rules] |
Line 337: | Line 337: | ||
access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldaps | access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldaps | ||
</code> | </code> | ||
+ | Allow mail and www to access sql on 192.168.105.90 which is molecule.chem.byu.edu. I don't know anything about this host: | ||
<code> | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 5432 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 5432 | ||
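Review bot: The annotation added at the top of this hunk records that 192.168.105.90 is an unknown host but, unlike the sibling notes on this page ("Should be removed", "Remove"), sets no disposition for the rule beneath it, which lets a DMZ host (192.168.200.10, named mail-ext1 elsewhere on the page) reach an inside host on 5432 (PostgreSQL's default port). A permit from the DMZ to an unidentified internal database port is exactly the kind of rule this review exists to prune, so the note should carry an action rather than leave the question open. Suggested wording: `Allow mail-ext1 and www to access SQL (5432) on 192.168.105.90 (molecule.chem.byu.edu). Unknown host — confirm with its owner whether mail/www still need this database; if not, remove these rules, since a DMZ-to-inside DB permit is a pivot path if mail-ext1 is compromised.` The `<code>` block the rule sits in continues into the next hunk.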
Line 342: | Line 343: | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 3306 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 3306 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 5432 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 5432 | ||
+ | </code> | ||
+ | Allow mail-ext1 to access https on secure.chem.byu.edu: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.43 eq https | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.43 eq https | ||
+ | </code> | ||
+ | DMZ allowed to access kerberos and ldap on an obsolete host I think (address is now diskarray3). Should be removed: | ||
+ | <code> | ||
access-list dmz_in extended permit udp any host 192.168.105.50 eq 88 | access-list dmz_in extended permit udp any host 192.168.105.50 eq 88 | ||
access-list dmz_in extended permit tcp any host 192.168.105.50 eq 88 | access-list dmz_in extended permit tcp any host 192.168.105.50 eq 88 | ||
access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldap | access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldap | ||
access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldaps | access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldaps | ||
+ | </code> | ||
+ | Allows mail-ext1 to access tcp port 2703 on any trusted host... not sure why: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.10 any eq 2703 | access-list dmz_in extended permit tcp host 192.168.200.10 any eq 2703 | ||
+ | </code> | ||
+ | Obsolete entry for www-old and tomcat again: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8181 | access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8181 | ||
+ | </code> | ||
+ | Allow www.chem.byu.edu to access various web-related ports on secure (for proxying), mail-int (not sure?). | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8181 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8181 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8181 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8181 | ||
+ | </code> | ||
+ | Allowed www to proxy various things from chemmgmt-server, which is no longer here. Remove: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq www | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq www | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq https | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq https | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8080 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8080 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8081 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8081 | ||
+ | </code> | ||
+ | Allow certain hosts to ssh into 192.168.0.0-192.168.127.0.0... No clue why this is in here. I'd say remove: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.60 192.168.0.0 255.255.128.0 eq ssh | access-list dmz_in extended permit tcp host 192.168.200.60 192.168.0.0 255.255.128.0 eq ssh | ||
access-list dmz_in extended permit tcp host 192.168.200.62 192.168.0.0 255.255.128.0 eq ssh | access-list dmz_in extended permit tcp host 192.168.200.62 192.168.0.0 255.255.128.0 eq ssh | ||
access-list dmz_in extended permit tcp host 192.168.200.61 192.168.0.0 255.255.128.0 eq ssh | access-list dmz_in extended permit tcp host 192.168.200.61 192.168.0.0 255.255.128.0 eq ssh | ||
+ | </code> | ||
+ | Remove reference to obsolete host: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp any host 192.168.105.54 eq 2222 | access-list dmz_in extended permit tcp any host 192.168.105.54 eq 2222 | ||
+ | </code> | ||
+ | Allow mail-ext2 to access SQL (note that 105.18 is sql-old which is now obsolete and can be removed), and also the secure.chem.byu.edu https. | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 5432 | access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 5432 | ||
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 5432 | access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 5432 | ||
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 3306 | access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 3306 | ||
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 3306 | access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 3306 | ||
- | access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.43 eq https | + | access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.43 eq https |
+ | </code> | ||
+ | Allow mail-ext1 to access mail-related ports on mail-int: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq imap4 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq imap4 | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq pop3 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq pop3 | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 995 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 995 | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 993 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 993 | ||
+ | </code> | ||
+ | Allow www.chem.byu.edu to access mail-related ports on mail-int. This could be for web-based e-mail apps to work, or just for apps to be able to send e-mail. | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq imap4 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq imap4 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq pop3 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq pop3 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 995 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 995 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 993 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 993 | ||
- | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq smtp | + | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq smtp |
+ | </code> | ||
+ | Allow www.chem.byu.edu to ssh into vm3? Might be an obsolete entry from before virtualization: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.62 eq ssh | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.62 eq ssh | ||
+ | </code> | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 any eq domain | access-list dmz_in extended permit tcp host 192.168.200.52 any eq domain | ||
access-list dmz_in extended permit tcp host 192.168.200.57 any eq domain | access-list dmz_in extended permit tcp host 192.168.200.57 any eq domain |