This page describes the current CDB hierarchy used to configure the local firewall on all grid production nodes.

Top-level CDB templates and service CDB templates

There is one top-level CDB template for each grid (sub-)cluster (gridwms, gridlb, lcgrb, gridbdii, etc.). For each (sub-)cluster, it is named pro_type_iptables_<(sub-)cluster name>.tpl and includes the default rules, the service templates the (sub-)cluster needs and, last, the default epilogue.

Cluster    Subcluster   CDB template
gridwms    -            pro_type_iptables_gridwms.tpl
gridlb     -            pro_type_iptables_gridlb.tpl
lcgrb      -            pro_type_iptables_lcgrb.tpl
gridce     lcg-CE       pro_type_iptables_gridce.tpl
gridbdii   -            pro_type_iptables_gridbdii.tpl
gridpx     -            pro_type_iptables_gridpx.tpl
gridlfc    -            pro_type_iptables_gridlfc.tpl
gridfts    -            pro_type_iptables_gridlb.tpl

For each service (e.g. ntp, smnp, notd, etc.), a CDB template is defined. It is named pro_type_iptables_rules_<service name>.tpl.

Service CDB templates

  • Default iptables rules: pro_type_iptables_rules_default_preamble.tpl and pro_type_iptables_rules_default_epilogue.tpl

  • All grid nodes should include the CDB template pro_type_iptables_rules_default_preamble.tpl, which pulls in the default iptables rules, i.e.:

    • pro_type_iptables_rules_established_connection.tpl: keep already established connections (must come first, so that reply traffic is accepted before any other rule is evaluated).
    • pro_type_iptables_rules_security.tpl: allow security scans from specific hosts.
    • pro_type_iptables_rules_local_loop.tpl: allow traffic on the loopback interface.
    • pro_type_iptables_rules_icmp_ping.tpl: allow ICMP ping.
    • pro_type_iptables_rules_blacklist.tpl: block blacklisted IP addresses, if any.
    • pro_type_iptables_rules_cdbserver.tpl: allow probes from the CDB servers.
    • pro_type_iptables_rules_smtp.tpl: allow connections from the SMTP gateways.
    • pro_type_iptables_rules_dns.tpl: allow connections from the DNS gateways.
    • pro_type_iptables_rules_lan_ssh.tpl: allow SSH connections from the CERN LAN.

The template pro_type_iptables_rules_default_epilogue.tpl rejects everything not matched by an earlier rule. Since iptables applies the first matching rule, it must be included at the very end of the pro_type_iptables_<(sub-)cluster name>.tpl template: any ACCEPT rule placed after it is unreachable.

Specific iptables rules: pro_type_iptables_rules_locked_ssh_<(sub-)cluster name>.tpl

This CDB template authorizes SSH access only from specific hosts (e.g. the lxadm nodes) and from the service managers' desktops/laptops. It is useful, for example, to prevent SSH connections coming from the lxplus nodes.

Cluster specific iptables rules

All (sub-)clusters include the same nine templates: default_preamble, default_epilogue, locked_ssh_<(sub-)cluster name>, notd, smnp, afs, lemon, logging and ntp. The service templates added on top of these per (sub-)cluster are:

Cluster    Additional service templates
gridlb     lb, rtm
gridwms    lb, wms, rtm, bdii, globus_port_range, gridftp, mds
lcgrb      rtm, globus_port_range, gridftp, mds, rb
gridce     bdii, globus_port_range, gridftp, mds, ce, pbs
gridbdii   bdii, mds
gridpx     myproxy, gris
gridlfc    (none)
gridfts    (none)
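The composition described above (default preamble, service templates, locked SSH, default epilogue) can be mimicked and checked outside CDB. The script below is an added example and is not code from the CERN CDB/Quattor templates: each shell function stands in for one pro_type_iptables_rules_*.tpl, compose_ruleset mirrors the include order of pro_type_iptables_<cluster>.tpl, and lint_ruleset verifies the ordering properties that make the ruleset safe under iptables' first-match semantics. Every address, network and port is a constructed placeholder (RFC 5737 addresses, well-known default ports), and the switch that omits lan_ssh on SSH-locked clusters is an assumption, since the page does not say how lan_ssh and locked_ssh interact.

```shell
#!/bin/sh
# Added example, not the CERN CDB templates. Builds the INPUT-chain rule list
# implied by the page's include order for one (sub-)cluster and lints it.
# Nothing is applied: rules are only printed. All hosts/ports are placeholders.

rules_default_preamble() {
    # established_connection, security, local_loop, icmp_ping, blacklist,
    # cdbserver, smtp, dns, in the order the page lists them
    cat <<'EOF'
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -s 198.51.100.0/24 -j DROP
iptables -A INPUT -s 192.0.2.20 -j ACCEPT
iptables -A INPUT -p tcp -s 192.0.2.25 --dport 25 -j ACCEPT
iptables -A INPUT -p udp -s 192.0.2.53 --sport 53 -j ACCEPT
EOF
    # lan_ssh: emitted only when $1 = yes (assumption: locked clusters omit it)
    if [ "$1" = yes ]; then
        echo 'iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT'
    fi
}

rules_locked_ssh() {
    # locked_ssh_<cluster>: SSH from the admin hosts (placeholders) only
    cat <<'EOF'
iptables -A INPUT -p tcp -s 192.0.2.100 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.0.2.101 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j REJECT
EOF
}

rules_default_epilogue() {
    echo 'iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited'
}

rules_service() {
    # $1 = service template name; ports are well-known defaults used as placeholders
    case $1 in
        ntp)               echo 'iptables -A INPUT -p udp --dport 123 -j ACCEPT' ;;
        bdii)              echo 'iptables -A INPUT -p tcp --dport 2170 -j ACCEPT' ;;
        gridftp)           echo 'iptables -A INPUT -p tcp --dport 2811 -j ACCEPT' ;;
        ce)                echo 'iptables -A INPUT -p tcp --dport 2119 -j ACCEPT' ;;
        myproxy)           echo 'iptables -A INPUT -p tcp --dport 7512 -j ACCEPT' ;;
        globus_port_range) echo 'iptables -A INPUT -p tcp --dport 20000:25000 -j ACCEPT' ;;
        *)                 echo "# $1: no port assumed in this example" ;;
    esac
}

cluster_extras() {
    # service templates beyond the nine common ones, from the page's matrix
    case $1 in
        gridlb)   echo 'lb rtm' ;;
        gridwms)  echo 'lb wms rtm bdii globus_port_range gridftp mds' ;;
        lcgrb)    echo 'rtm globus_port_range gridftp mds rb' ;;
        gridce)   echo 'bdii globus_port_range gridftp mds ce pbs' ;;
        gridbdii) echo 'bdii mds' ;;
        gridpx)   echo 'myproxy gris' ;;
        gridlfc|gridfts) echo '' ;;
        *) echo "unknown cluster: $1" >&2; return 1 ;;
    esac
}

compose_ruleset() {
    # mirrors pro_type_iptables_<cluster>.tpl: preamble, services, lock, epilogue
    extras=$(cluster_extras "$1") || return 1
    rules_default_preamble no
    for svc in notd smnp afs lemon logging ntp $extras; do
        rules_service "$svc"
    done
    rules_locked_ssh
    rules_default_epilogue
}

lint_ruleset() {
    # Reads a rule list on stdin, prints one finding per line, exits 1 if any.
    # Order is what matters under first-match: established rule first, catch-all
    # reject last with nothing after it, and no network-wide SSH ACCEPT ahead of
    # the port-22 lock (such an ACCEPT would silence the lock).
    awk '
        /^#/ || /^[ \t]*$/ { next }
        { n++; line[n] = $0 }
        END {
            bad = 0; last = 0; lock = 0
            if (line[1] !~ /ESTABLISHED/) { print "rule 1 is not the established-connection rule"; bad = 1 }
            for (i = 1; i <= n; i++) {
                if (line[i] ~ /-j REJECT/ && line[i] !~ /--dport/) last = i
                if (line[i] ~ /--dport 22 -j REJECT/) lock = i
            }
            if (last == 0) { print "no default reject: epilogue missing"; bad = 1 }
            if (last > 0 && last != n) { print "rules after the default reject are unreachable"; bad = 1 }
            for (i = 1; i < lock; i++)
                if (line[i] ~ /--dport 22 -j ACCEPT/ && line[i] ~ "-s [0-9.]+/")
                    { print "rule " i " accepts SSH from a whole network before the SSH lock"; bad = 1 }
            exit bad
        }'
}

# Usage: sh compose_iptables.sh [cluster]   (default: gridce)
compose_ruleset "${1:-gridce}"
if compose_ruleset "${1:-gridce}" | lint_ruleset; then
    echo "# ${1:-gridce}: rule order OK"
fi
```

The lint is the part worth keeping when the real templates change: feeding it a list that carries the LAN-wide lan_ssh ACCEPT in front of a locked_ssh template, or one from which the epilogue was dropped, makes it fail, which is exactly the kind of ordering mistake that silently widens access on a node.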
Topic revision: r2 - 2008-01-11 - YvanCalas
 