computer_stuff:chem_firewall [2013/08/06 15:11] Michael Torrie [Access Controls Rules] |
computer_stuff:chem_firewall [2013/08/06 16:09] (current) Michael Torrie [Access Controls Rules] |
Line 218: | Line 218: | ||
access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.108.6 eq https | access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.108.6 eq https | ||
</code> | </code> | ||
- | The following rule is obsolete too. It allowed a sysadmin to tunnel vnc through purgatory to the old Mac OS X Server celeborn which was on port 5900. | + | The following rule is obsolete too. It allowed a sysadmin to tunnel vnc through purgatory to the old Mac OS X Server celeborn which was on port 5900: |
<code> | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.105.36 eq 5900 | access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.105.36 eq 5900 | ||
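Review bot: the edited annotation still gives no disposition for the VNC rule `access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.105.36 eq 5900`; it only says the rule is obsolete. Elsewhere in this revision retired rules are either tagged "can be removed" or set `inactive`, so do the same here (append `inactive` or say it is to be deleted), since a live DMZ-to-internal VNC permit for a service that no longer exists is exactly the stale path a later audit should not find. Also note that later in the same revision 192.168.105.36 is described as an alias for ns1, not celeborn, so the annotation should state which host currently holds that address.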
Line 241: | Line 241: | ||
access-list dmz_in extended permit tcp any host 192.168.105.18 eq ldaps | access-list dmz_in extended permit tcp any host 192.168.105.18 eq ldaps | ||
</code> | </code> | ||
- | Since DMZ hosts are not allowed to access the internet (though I'm unclear as to how this block was accompished!), any updates with yum have to be done through the squid http proxy on admin: | + | Since DMZ hosts are not allowed to access the internet (though I'm unclear as to how this block was accompished!), any updates with yum and redhat's update network have to be done through the squid http proxy on admin, so dmz hosts need access to squid. Note that this is a potential security problem, but at the time I deemed it an acceptable risk: |
<code> | <code> | ||
access-list dmz_in extended permit tcp any host 192.168.105.12 eq 3128 | access-list dmz_in extended permit tcp any host 192.168.105.12 eq 3128 | ||
</code> | </code> | ||
+ | mail-ext1 needs access to sql server(s). Currently only 192.168.105.19 is in use I think: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.18 eq 5432 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.18 eq 5432 | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.19 eq 5432 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.19 eq 5432 | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.18 eq 3306 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.18 eq 3306 | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.19 eq 3306 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.19 eq 3306 | ||
+ | </code> | ||
+ | Allow www.chem.byu.edu to access information on admin.chem.byu.edu via https (proxying), sql, the web server on the internal mail server (for the purpose of controlling the mailing list, spam stuff, etc). Any references to 192.168.105.18 (sql-old) can be removed. I notice that Garrett has already made some of them inactive, which is a good idea: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq https | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq https | ||
access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.12 eq https inactive | access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.12 eq https inactive | ||
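Review bot: `access-list dmz_in extended permit tcp any host 192.168.105.12 eq 3128` lets every DMZ host, not only the ones that run yum, reach the squid proxy on admin, and an open proxy is the outbound path the DMZ-to-internet block is meant to close; the new wording already calls this an accepted risk, so state the risk plainly (a compromised DMZ host could use squid as its way out) and tighten the source to the hosts that actually update, e.g. `access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.12 eq 3128`, or restrict squid's own ACLs to the update mirrors. On the "unclear how this block was accomplished" remark: an ASA access-list ends with an implicit deny, so anything not permitted in `dmz_in` is dropped without an explicit deny line. The new SQL paragraph says only 192.168.105.19 is in use, yet the block keeps both 192.168.105.18 permits; mark those `inactive`, as was done for the 192.168.200.57 https rule, so the sql-old references retire together with the commentary that calls them removable.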
Line 265: | Line 270: | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8080 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8080 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8081 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8081 | ||
+ | </code> | ||
+ | Another obsolete line for www-old, which is dead: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8081 | access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8081 | ||
- | access-list dmz_in extended permit icmp any any | + | </code> |
+ | Allow the DMZ hosts to ping anything in or out: | ||
+ | <code> | ||
+ | access-list dmz_in extended permit icmp any any | ||
+ | </code> | ||
+ | Allow mail-ext1 to reach any internal smtp server, DNS, the auth ident port (113) on any trusted computer: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.10 any eq smtp | access-list dmz_in extended permit tcp host 192.168.200.10 any eq smtp | ||
access-list dmz_in extended permit tcp host 192.168.200.10 any eq domain | access-list dmz_in extended permit tcp host 192.168.200.10 any eq domain | ||
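Review bot: `access-list dmz_in extended permit icmp any any` is broader than the "ping anything" annotation says: with no ICMP type it admits every type (redirect, router advertisement, timestamp, and so on), not just echo. Limit it to what ping needs, e.g. `access-list dmz_in extended permit icmp any any echo` (adding `echo-reply`, `unreachable` and `time-exceeded` only if return traffic is not already handled by `inspect icmp`), so the rule matches its description. The mail-ext1 lines use `any` as the destination for smtp and domain; if the only internal relay is mail-int (192.168.105.38, which gets its own imap/pop/smtp rules later in this revision), narrow the smtp permit to that host. The annotation also mentions "the auth ident port (113)" but the visible lines of this block cover only smtp and domain, so say which lines the ident part refers to.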
Line 272: | Line 286: | ||
access-list dmz_in extended permit udp host 192.168.200.10 any eq 113 | access-list dmz_in extended permit udp host 192.168.200.10 any eq 113 | ||
access-list dmz_in extended permit udp host 192.168.200.10 any eq domain | access-list dmz_in extended permit udp host 192.168.200.10 any eq domain | ||
+ | </code> | ||
+ | Allow purgatory to ssh, ftp into any BYU machine, on its private or public network. Not sure what port 8500 is: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.6 128.187.0.0 255.255.0.0 eq ssh | access-list dmz_in extended permit tcp host 192.168.200.6 128.187.0.0 255.255.0.0 eq ssh | ||
access-list dmz_in extended permit tcp host 192.168.200.6 128.187.0.0 255.255.0.0 eq ftp | access-list dmz_in extended permit tcp host 192.168.200.6 128.187.0.0 255.255.0.0 eq ftp | ||
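Review bot: `access-list dmz_in extended permit udp host 192.168.200.10 any eq 113` never matches anything useful: ident (RFC 1413) runs over TCP only, so the UDP permit can be dropped, leaving a TCP 113 rule (if one exists in the lines not shown) as the operative one. The purgatory permits to 128.187.0.0/16 and 10.0.0.0/8 give a single DMZ host SSH and FTP reach into the whole campus and private address space; record who uses purgatory for this and whether the scope can shrink to the hosts actually administered, and since plain FTP carries credentials in the clear, prefer SSH/SFTP where the far end supports it. The remark "Not sure what port 8500 is" concerns a line outside this hunk, so track that open question next to the rule itself once it is located.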
Line 277: | Line 294: | ||
access-list dmz_in extended permit tcp host 192.168.200.6 10.0.0.0 255.0.0.0 eq ssh | access-list dmz_in extended permit tcp host 192.168.200.6 10.0.0.0 255.0.0.0 eq ssh | ||
access-list dmz_in extended permit tcp host 192.168.200.6 10.0.0.0 255.0.0.0 eq ftp | access-list dmz_in extended permit tcp host 192.168.200.6 10.0.0.0 255.0.0.0 eq ftp | ||
+ | </code> | ||
+ | Allow www.chem.byu.edu to proxy web data from secure.chem.byu.edu: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq www | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq www | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq https | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq https | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8080 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8080 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8180 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8180 | ||
+ | </code> | ||
+ | Allow any DMZ host to access LDAP: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp any host 192.168.105.12 eq ldap | access-list dmz_in extended permit tcp any host 192.168.105.12 eq ldap | ||
access-list dmz_in extended permit tcp any host 192.168.105.12 eq ldaps | access-list dmz_in extended permit tcp any host 192.168.105.12 eq ldaps | ||
+ | </code> | ||
+ | Allow www.chem.byu.edu to ssh into admin. Not sure about this rule. It's possible that the code that generates door cards for faculty requires an ssh connection into admin to run inkscape to generate the pdf: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq ssh | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq ssh | ||
+ | </code> | ||
+ | Allow any dmz host access to ldap at a host that no longer exists. This line can be removed: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp any host 192.168.105.45 eq ldap | access-list dmz_in extended permit tcp any host 192.168.105.45 eq ldap | ||
- | access-list dmz_in extended permit tcp any host 192.168.105.45 eq ldaps | + | access-list dmz_in extended permit tcp any host 192.168.105.45 eq ldaps |
+ | </code> | ||
+ | Allow any dmz host access to kerberos. However this ip address (an alias for ns1) does not run a kerberos server; it's on admin. So this rule can be removed: | ||
+ | <code> | ||
access-list dmz_in extended permit udp any host 192.168.105.36 eq 88 | access-list dmz_in extended permit udp any host 192.168.105.36 eq 88 | ||
+ | </code> | ||
+ | Allow www to access web servers on secure.chem.byu.edu and pchem-server | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8081 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8081 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8009 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8009 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.75 eq www | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.75 eq www | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8010 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8010 | ||
+ | </code> | ||
+ | Allow DMZ hosts to access backup ldap server, which is on printqueue | ||
+ | <code> | ||
access-list dmz_in extended permit tcp any host 192.168.105.13 eq ldap | access-list dmz_in extended permit tcp any host 192.168.105.13 eq ldap | ||
access-list dmz_in extended permit tcp any host 192.168.105.13 eq ldaps | access-list dmz_in extended permit tcp any host 192.168.105.13 eq ldaps | ||
+ | </code> | ||
+ | Allow DMZhosts to access LDAP on 101.150, which may have been the old n175-serv file server. In any case, this address is not pinging and I believe that these entries can be removed: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldap | access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldap | ||
access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldaps | access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldaps | ||
+ | </code> | ||
+ | Allow mail and www to access sql on 192.168.105.90 which is molecule.chem.byu.edu. I don't know anything about this host: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 5432 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 5432 | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 3306 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 3306 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 3306 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 3306 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 5432 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 5432 | ||
+ | </code> | ||
+ | Allow mail-ext1 to access https on secure.chem.byu.edu: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.43 eq https | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.43 eq https | ||
+ | </code> | ||
+ | DMZ allowed to access kerberos and ldap on an obsolete host I think (address is now diskarray3). Should be removed: | ||
+ | <code> | ||
access-list dmz_in extended permit udp any host 192.168.105.50 eq 88 | access-list dmz_in extended permit udp any host 192.168.105.50 eq 88 | ||
access-list dmz_in extended permit tcp any host 192.168.105.50 eq 88 | access-list dmz_in extended permit tcp any host 192.168.105.50 eq 88 | ||
access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldap | access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldap | ||
access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldaps | access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldaps | ||
+ | </code> | ||
+ | Allows mail-ext1 to access tcp port 2703 on any trusted host... not sure why: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.10 any eq 2703 | access-list dmz_in extended permit tcp host 192.168.200.10 any eq 2703 | ||
+ | </code> | ||
+ | Obsolete entry for www-old and tomcat again: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8181 | access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8181 | ||
+ | </code> | ||
+ | Allow www.chem.byu.edu to access various web-related ports on secure (for proxying), mail-int (not sure?). | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8181 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8181 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8181 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8181 | ||
+ | </code> | ||
+ | Allowed www to proxy various things from chemmgmt-server, which is no longer here. Remove: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq www | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq www | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq https | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq https | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8080 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8080 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8081 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8081 | ||
+ | </code> | ||
+ | Allow certain hosts to ssh into 192.168.0.0-192.168.127.0.0... No clue why this is in here. I'd say remove: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.60 192.168.0.0 255.255.128.0 eq ssh | access-list dmz_in extended permit tcp host 192.168.200.60 192.168.0.0 255.255.128.0 eq ssh | ||
access-list dmz_in extended permit tcp host 192.168.200.62 192.168.0.0 255.255.128.0 eq ssh | access-list dmz_in extended permit tcp host 192.168.200.62 192.168.0.0 255.255.128.0 eq ssh | ||
access-list dmz_in extended permit tcp host 192.168.200.61 192.168.0.0 255.255.128.0 eq ssh | access-list dmz_in extended permit tcp host 192.168.200.61 192.168.0.0 255.255.128.0 eq ssh | ||
+ | </code> | ||
+ | Remove reference to obsolete host: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp any host 192.168.105.54 eq 2222 | access-list dmz_in extended permit tcp any host 192.168.105.54 eq 2222 | ||
+ | </code> | ||
+ | Allow mail-ext2 to access SQL (note that 105.18 is sql-old which is now obsolete and can be removed), and also the secure.chem.byu.edu https. | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 5432 | access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 5432 | ||
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 5432 | access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 5432 | ||
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 3306 | access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 3306 | ||
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 3306 | access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 3306 | ||
- | access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.43 eq https | + | access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.43 eq https |
+ | </code> | ||
+ | Allow mail-ext1 to access mail-related ports on mail-int: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq imap4 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq imap4 | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq pop3 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq pop3 | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 995 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 995 | ||
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 993 | access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 993 | ||
+ | </code> | ||
+ | Allow www.chem.byu.edu to access mail-related ports on mail-int. This could be for web-based e-mail apps to work, or just for apps to be able to send e-mail. | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq imap4 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq imap4 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq pop3 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq pop3 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 995 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 995 | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 993 | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 993 | ||
- | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq smtp | + | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq smtp |
+ | </code> | ||
+ | Allow www.chem.byu.edu to ssh into vm3? Might be an obsolete entry from before virtualization: | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.62 eq ssh | access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.62 eq ssh | ||
+ | </code> | ||
+ | <code> | ||
access-list dmz_in extended permit tcp host 192.168.200.52 any eq domain | access-list dmz_in extended permit tcp host 192.168.200.52 any eq domain | ||
access-list dmz_in extended permit tcp host 192.168.200.57 any eq domain | access-list dmz_in extended permit tcp host 192.168.200.57 any eq domain |
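Review bot: `access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq ssh` gives the public web server an SSH path to admin, the host that also serves LDAP, the squid proxy and (per the kerberos note in this hunk) the KDC, and the annotation itself is unsure why it exists. Settle the door-card question before keeping it, and if it is needed, confine it on admin to a dedicated low-privilege account with a forced command rather than a general shell. Two further points: the plaintext `eq ldap` permits from `any` (to 192.168.105.12, 192.168.105.13 and the dead 192.168.105.45, 192.168.101.150 and 192.168.105.50 hosts) carry directory binds unencrypted across the DMZ boundary, so once the dead hosts are dropped consider keeping only the `ldaps` lines; and the final block for 192.168.200.52 and 192.168.200.57 `any eq domain` is the only one in the revision without an annotation, so state which resolvers those hosts need and whether `any` can be narrowed to them. The removals the commentary already calls for (sql-old 192.168.105.18, 192.168.105.45, 192.168.101.150, 192.168.105.50, 192.168.105.58, 192.168.105.54, the 192.168.200.60 through 192.168.200.62 permits into 192.168.0.0/17, and www-old 192.168.200.50) agree with the visible lines; marking them `inactive` in the same edit would keep the config and the notes in step.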