Michael Torrie's Personal Wiki

You are here: start » computer_stuff » chem_firewall

Differences

This shows you the differences between two versions of the page.

--- computer_stuff:chem_firewall [2013/08/06 15:42]
Michael Torrie [Access Controls Rules]
+++ computer_stuff:chem_firewall [2013/08/06 16:09] (current)
Michael Torrie [Access Controls Rules]
@@ Line 337: / Line 337: @@
 access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldaps
 </code>
+Allow mail and www to access sql on 192.168.105.90 which is molecule.chem.byu.edu. I don't know anything about this host:
 <code>
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 5432
@@ Line 342: / Line 343: @@
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 3306
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 5432
+</code>
+Allow mail-ext1 to access https on secure.chem.byu.edu:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.43 eq https
+</code>
+DMZ allowed to access kerberos and ldap on an obsolete host I think (address is now diskarray3).  Should be removed:
+<code>
 access-list dmz_in extended permit udp any host 192.168.105.50 eq 88
 access-list dmz_in extended permit tcp any host 192.168.105.50 eq 88
 access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldap
 access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldaps
+</code>
+Allows mail-ext1 to access tcp port 2703 on any trusted host... not sure why:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.10 any eq 2703
+</code>
+Obsolete entry for www-old and tomcat again:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8181
+</code>
+Allow www.chem.byu.edu to access various web-related ports on secure (for proxying), mail-int (not sure?).
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8181
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8181
+</code>
+Allowed www to proxy various things from chemmgmt-server, which is no longer here. Remove:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq www
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq https
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8080
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8081
+</code>
+Allow certain hosts to ssh into 192.168.0.0-192.168.127.0.0...  No clue why this is in here.  I'd say remove:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.60 192.168.0.0 255.255.128.0 eq ssh
 access-list dmz_in extended permit tcp host 192.168.200.62 192.168.0.0 255.255.128.0 eq ssh
 access-list dmz_in extended permit tcp host 192.168.200.61 192.168.0.0 255.255.128.0 eq ssh
+</code>
+Remove reference to obsolete host:
+<code>
 access-list dmz_in extended permit tcp any host 192.168.105.54 eq 2222
+</code>
+Allow mail-ext2 to access SQL (note that 105.18 is sql-old which is now obsolete and can be removed), and also the secure.chem.byu.edu https.
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 5432
 access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 5432
 access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 3306
 access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 3306
 access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.43 eq https
+</code>
+Allow mail-ext1 to access mail-related ports on mail-int:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq imap4
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq pop3
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 995
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 993
+</code>
+Allow www.chem.byu.edu to access mail-related ports on mail-int.  This could be for web-based e-mail apps to work, or just for apps to be able to send e-mail.
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq imap4
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq pop3
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 995
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 993
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq smtp
+</code>
+Allow www.chem.byu.edu to ssh into vm3? Might be an obsolete entry from before virtualization:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.62 eq ssh
+</code>
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 any eq domain
 access-list dmz_in extended permit tcp host 192.168.200.57 any eq domain

Trace:

Michael Torrie's Personal Wiki

Differences

Navigation

Search

Toolbox

QR Code