Difference between revisions of "DeveloperWiki:Dom0"

From ArchWiki
(Firewall)
(Firewall)
Line 40: Line 40:
 
  git clone file:///srv/firewall.git
 
  git clone file:///srv/firewall.git
 
Make sure to commit and push all changes when copying the script to /usr/sbin. Obviously, also don't break the script.
 
Make sure to commit and push all changes when copying the script to /usr/sbin. Obviously, also don't break the script.
 +
 +
The firewall divides traffic into seven groups:
 +
 +
===Incoming traffic to dom0 (INPUT chain)===
 +
 +
The only allowed incoming traffic to dom0 is ''ssh'' access from a small set of hosts.
 +
 +
===Outgoing traffoc from dom0 (OUTPUT chain)===
 +
 +
All outgoing traffic is allowed.
 +
 +
===Incoming traffic to gerolde (FORWARD chain)===
 +
 +
Limited to ''ssh'', ''rsync'', ''smtp(s)'', developer package access and munin monitoring from Dan's server.
 +
 +
===Incoming traffic to gudrun (FORWARD chain)===
 +
 +
Limited to ''http(s)'', ''svnserve'', ''git'' and munin monitoring from Dan's server.
 +
 +
===Traffic from gudrun to gerolde (FORWARD chain)===
 +
 +
Only ''smtp(s)'', package access and NFS/portmap are allowed. All NFS server services on gerolde must use fixed ports.
 +
 +
===Outgoing traffic from gerolde (FORWARD chain)===
 +
 +
All outgoing traffic is allowed.
 +
 +
===Outgoing traffic from gudrun (FORWARD chain)===
 +
 +
Only DNS is allowed, everything else is blocked.
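Review bot: the seven group descriptions name services but not the concrete ports the script enforces, in particular the "fixed ports" that "All NFS server services on gerolde must use" and what "developer package access" means on the wire, so a reader cannot check /usr/sbin/firewall.sh against this text; add the port list (at least the pinned NFS/portmap ports) and the package-access protocol next to the groups that use them. Also fix the typo in the added heading "===Outgoing traffoc from dom0 (OUTPUT chain)===" to "Outgoing traffic".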

Revision as of 20:53, 20 September 2009


Users

UID   User     Primary Purpose   Cronjobs   Owned Directories
      dale                       no
      aaron    Breaking things   no
      jgc                        no
      thomas   Fixing things     no

Firewall

The firewall script is in /usr/sbin/firewall.sh. It is being maintained in a git repository. Clone it using

git clone file:///srv/firewall.git

Make sure to commit and push all changes when copying the script to /usr/sbin. Obviously, also don't break the script.

The firewall divides traffic into seven groups:

Incoming traffic to dom0 (INPUT chain)

The only allowed incoming traffic to dom0 is ssh access from a small set of hosts.

Outgoing traffic from dom0 (OUTPUT chain)

All outgoing traffic is allowed.

Incoming traffic to gerolde (FORWARD chain)

Limited to ssh, rsync, smtp(s), developer package access and munin monitoring from Dan's server.

Incoming traffic to gudrun (FORWARD chain)

Limited to http(s), svnserve, git and munin monitoring from Dan's server.

Traffic from gudrun to gerolde (FORWARD chain)

Only smtp(s), package access and NFS/portmap are allowed. All NFS server services on gerolde must use fixed ports.

Outgoing traffic from gerolde (FORWARD chain)

All outgoing traffic is allowed.

Outgoing traffic from gudrun (FORWARD chain)

Only DNS is allowed, everything else is blocked.
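The seven groups above describe a policy, not rules. The script below is an added example, not the ArchWiki's /usr/sbin/firewall.sh, that turns those seven groups into an iptables-restore ruleset so the ordering constraints become visible: the gudrun-to-gerolde restriction (group 5) and gudrun's DNS-only outbound rule (group 7) must precede the source-agnostic "incoming to gerolde/gudrun" rules, or gudrun silently inherits ssh and rsync access to gerolde. All addresses are constructed RFC 5737 documentation addresses; the developer package-access port and the pinned NFS helper ports are assumptions, as the page gives neither.

```shell
#!/bin/sh
# Added example, not the ArchWiki's /usr/sbin/firewall.sh: emits an
# iptables-restore ruleset for the seven traffic groups described on the page.
# Addresses are constructed RFC 5737 documentation addresses; PKG_PORT and the
# pinned NFS helper ports are assumptions (the page does not state them).

GEROLDE=192.0.2.10                      # constructed: gerolde domU
GUDRUN=192.0.2.11                       # constructed: gudrun domU
MUNIN_SRC=198.51.100.5                  # constructed: "Dan's server" (munin poller)
SSH_ADMINS="203.0.113.10 203.0.113.11"  # constructed: the small set of ssh hosts
PKG_PORT=8873                           # ASSUMPTION (hypothetical): developer package access port
NFS_PORTS="111 2049 32765 32767 32803"  # ASSUMPTION: portmap, nfsd and pinned statd/mountd/lockd

# rule WORDS... : print one iptables-restore line
rule() { printf '%s\n' "$*"; }

# tcp_to HOST PORT... : accept new TCP connections to HOST on each PORT, any source
tcp_to() {
    host=$1; shift
    for p in "$@"; do rule -A FORWARD -d "$host" -p tcp --dport "$p" -j ACCEPT; done
}

# tcp_between SRC DST PORT... : accept new TCP connections from SRC to DST on each PORT
tcp_between() {
    src=$1; dst=$2; shift 2
    for p in "$@"; do rule -A FORWARD -s "$src" -d "$dst" -p tcp --dport "$p" -j ACCEPT; done
}

generate_rules() {
    rule '*filter'
    # Default-deny for INPUT and FORWARD; dom0's own outgoing traffic is allowed (group 2)
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # Replies to accepted connections pass; every rule below is about new connections
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i lo -j ACCEPT

    # Group 1: incoming to dom0 is ssh from the admin hosts only
    for h in $SSH_ADMINS; do rule -A INPUT -s "$h" -p tcp --dport 22 -j ACCEPT; done

    # Group 5: gudrun -> gerolde. Must precede group 3, otherwise gudrun would
    # inherit ssh/rsync access to gerolde from the source-agnostic rules there.
    tcp_between "$GUDRUN" "$GEROLDE" 25 465 "$PKG_PORT"
    for p in $NFS_PORTS; do
        rule -A FORWARD -s "$GUDRUN" -d "$GEROLDE" -p tcp --dport "$p" -j ACCEPT
        rule -A FORWARD -s "$GUDRUN" -d "$GEROLDE" -p udp --dport "$p" -j ACCEPT
    done
    rule -A FORWARD -s "$GUDRUN" -d "$GEROLDE" -j DROP

    # Group 7: gudrun may only originate DNS. The explicit DROP keeps rules appended
    # later for other groups from widening gudrun's outbound access.
    rule -A FORWARD -s "$GUDRUN" -p udp --dport 53 -j ACCEPT
    rule -A FORWARD -s "$GUDRUN" -p tcp --dport 53 -j ACCEPT
    rule -A FORWARD -s "$GUDRUN" -j DROP

    # Group 6: gerolde may originate anything (assumption: including towards gudrun)
    rule -A FORWARD -s "$GEROLDE" -j ACCEPT

    # Group 3: incoming to gerolde; munin only from the single poller
    tcp_to "$GEROLDE" 22 873 25 465 "$PKG_PORT"
    tcp_between "$MUNIN_SRC" "$GEROLDE" 4949

    # Group 4: incoming to gudrun; munin only from the single poller
    tcp_to "$GUDRUN" 80 443 3690 9418
    tcp_between "$MUNIN_SRC" "$GUDRUN" 4949

    rule COMMIT
}

# Stand-alone use: sh example.sh print | iptables-restore --test
case "${1:-}" in print) generate_rules ;; esac
```

Because the script only prints the ruleset, it can be diffed against the committed firewall.sh in review and checked with `iptables-restore --test` on dom0 before anything is loaded; the group-5 and group-7 DROP rules are the lines to look for when verifying that a later edit has not reopened gudrun's access to gerolde.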