GD group Firewall requests
The standard procedure to request one or more ports to be accessible from the outside or from the LAN is the following. It only applies to non-Quattor GD machines.
Local firewall (access from the CERN LAN)
The local firewall on the system must firstly be configured to enable external or LAN access to the port(s). For test machines, this can be done manually.
For production machines, the hosts are using
lcg-fw, which is installed by default on GD systems. The default
lcg-fw configuration is to only offer SSH access to the CERN LAN, but all outgoing connections are permitted.
In order to change the firewall template that has been allocated to a node, you can contact
gd-security-services@cernNOSPAMPLEASE.ch by specifying what type of service your host will be providing. An updated template will be issued and automatically installed on the node (providing its runs
lcg-fw).
If you attempt to manually change the firewall rules on a node running
lcg-fw, the registered profile will be re-installed the next time the hourly cron job is run.
If you wish to make a temporary change, you can either:
- Contact gd-security-services@cernNOSPAMPLEASE.ch to change temporarily the firewall template
- Deprecated: you can change the local rules by suspending the update of the firewall template. This can be done by issuing the following command on the node:
chmod -x /etc/cron.hourly/firewall.cron
Please consult instructions
here for more information.
The local firewall status of GD machines is visible at
https://lcg-fw.cern.ch/public/.
Site firewall
Site firewall changes in GD are managed by different service managers:
- Yvan Calas for the PROD
- Antonio Retico for the PPS
- Louis Poncet for the TB
- Romain Wartel for non-standard requests.
In order to enable incoming access to a service on a GD host, the responsible service manager of the relevant group (PROD, PPS, TB) needs to be contacted.
Alternatively, an email can be sent to
gd-firewall@cernNOSPAMPLEASE.ch, and will be picked up by the relevant service manager.
These service managers are responsible to ensure that:
- The host runs the GD security tools (lcg-fw, gd-auth) and is correctly associated with a nominated contact
- The host is patched automatically
- The host runs standard services that precisely match the description of an existing Set (RB, CE, etc.)
- No unused network service is running on the host
It is also recommended that these service managers ask
Computer.Security@cernNOSPAMPLEASE.ch to run a security scan against the host and seek for advice, but service managers remains responsible for enabling (or not) incoming access to the host.
Help
Do not hesitate to contact
Romain Wartel to:
- discuss in advance potential issues with a particular firewall request
- seek for help to define your firewall requirements (ex: what ports do I need to request to enable my gLite CE to be reachable from the outside?).
-- Romain Wartel - 27 Nov 2006