From ArchWiki

UID    | User | Primary Purpose                   | Cronjobs | Owned Directories
-------|------|-----------------------------------|----------|------------------
dale   |      | Emergency access from the console | no       |
aaron  |      | Overlord stuff                    | no       |
jgc    |      | Xen maintenance                   | no       |
thomas |      | Firewall maintenance              | no       |


The firewall script lives in /usr/sbin/. It is maintained in a git repository; clone it with:

git clone file:///srv/firewall.git

Make sure to commit and push all changes when copying the script to /usr/sbin. Obviously, also don't break the script.

The firewall divides traffic into seven groups:

Incoming traffic to dom0 (INPUT chain)

The only allowed incoming traffic to dom0 is ssh access from a small set of hosts.

Outgoing traffic from dom0 (OUTPUT chain)

All outgoing traffic is allowed.

Incoming traffic to gerolde (FORWARD chain)

Limited to ssh, rsync, smtp(s), developer package access and munin monitoring from Dan's server.

Incoming traffic to gudrun (FORWARD chain)

Limited to http(s), svnserve, git and munin monitoring from Dan's server.

Traffic from gudrun to gerolde (FORWARD chain)

Only smtp(s), package access and NFS/portmap are allowed. All NFS server services on gerolde must use fixed ports.

Outgoing traffic from gerolde (FORWARD chain)

All outgoing traffic is allowed.

Outgoing traffic from gudrun (FORWARD chain)

Only DNS is allowed, everything else is blocked.
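As an added illustration of the seven groups above (this is not the script from /srv/firewall.git), here is a minimal iptables rule set in the same shape: default DROP on INPUT and FORWARD, conntrack for replies, and one block per group. The domU addresses, the external interface, the admin hosts, Dan's munin server, the package-access port and the fixed NFS ports are assumed placeholders, since the page does not state them.

```shell
#!/bin/sh
# Added example, not the firewall script from /srv/firewall.git: an iptables
# rule set for the seven traffic groups described above. Addresses, interface
# name, admin hosts, Dan's munin server, the package-access port and the fixed
# NFS ports are placeholders (assumptions), not values from the page.
IPT="${IPT:-echo}"        # default prints the rules; run with IPT=iptables to apply them
EXT_IF=eth0               # dom0's external interface (assumed)
GEROLDE=10.0.0.2          # domU gerolde (assumed address)
GUDRUN=10.0.0.3           # domU gudrun (assumed address)
ADMIN_HOSTS="192.0.2.10 192.0.2.11"   # hosts allowed to ssh into dom0 (assumed)
DAN_MUNIN=198.51.100.5    # Dan's munin server (assumed)
PKG_PORT=8000             # placeholder: the page does not name the package-access port
NFS_PORTS="111,2049,32765,32766,32767"  # portmap, nfsd and fixed mountd/statd/lockd (assumed)

firewall_rules() {
    # Deny by default into dom0 (group 1) and through it (groups 3-7); dom0's own output is open (group 2).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
    # Replies to connections accepted below come back via conntrack.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 1. Incoming to dom0: ssh from the admin hosts only.
    for h in $ADMIN_HOSTS; do
        $IPT -A INPUT -i "$EXT_IF" -s "$h" -p tcp --dport 22 -j ACCEPT
    done
    # 3. Incoming to gerolde: ssh, rsync, smtp(s), package access, munin from Dan's server.
    $IPT -A FORWARD -d "$GEROLDE" -p tcp -m multiport --dports "22,873,25,465,$PKG_PORT" -j ACCEPT
    $IPT -A FORWARD -d "$GEROLDE" -s "$DAN_MUNIN" -p tcp --dport 4949 -j ACCEPT
    # 4. Incoming to gudrun: http(s), svnserve, git, munin from Dan's server.
    $IPT -A FORWARD -d "$GUDRUN" -p tcp -m multiport --dports 80,443,3690,9418 -j ACCEPT
    $IPT -A FORWARD -d "$GUDRUN" -s "$DAN_MUNIN" -p tcp --dport 4949 -j ACCEPT
    # 5. gudrun -> gerolde: smtp(s), package access and NFS/portmap on fixed ports.
    $IPT -A FORWARD -s "$GUDRUN" -d "$GEROLDE" -p tcp -m multiport --dports "25,465,$PKG_PORT" -j ACCEPT
    $IPT -A FORWARD -s "$GUDRUN" -d "$GEROLDE" -p tcp -m multiport --dports "$NFS_PORTS" -j ACCEPT
    $IPT -A FORWARD -s "$GUDRUN" -d "$GEROLDE" -p udp -m multiport --dports "$NFS_PORTS" -j ACCEPT
    # 6. Outgoing from gerolde: everything.
    $IPT -A FORWARD -s "$GEROLDE" -o "$EXT_IF" -j ACCEPT
    # 7. Outgoing from gudrun: DNS only; anything else falls through to the DROP policy.
    $IPT -A FORWARD -s "$GUDRUN" -o "$EXT_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -s "$GUDRUN" -o "$EXT_IF" -p tcp --dport 53 -j ACCEPT
}

firewall_rules
```

Run it as-is to review the generated rules; only with IPT=iptables (as root) does it touch the live chains.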