Introduction

Firewalls limit traffic allowing only expected traffic. Firewalls also prevent command and control channels on exploited services. This page describes the procedures required to change firewall rules.

Types of Firewalls

In CAcert there are two types of firewall rules. First is those managed by Tunix. Second is host based firewall rules.

Tunix Firewall Rules

Tunix rules are the outer most set of firewall rules on CAcert's infrastructure. They permit allowed traffic on external IP addresses into the internal IP addresses. Tunix outbound firewalls rules allow HTTP and HTTPS by default and other traffic as requested.

Change Procedure

Tunix firewall rules are controlled through the Team Leader of the Critical Systems Administration Team (firewall-external-admin@cacert.org).

Host Firewall Rules

Non-critical infrastructure services are generally on the sun2 physical server. As vserver virtualisation technology is currently used IP rules are not on the virtual hosts but on the physical host.

The Sun2 server has a restrictive set of firewall rules that limit all incoming and outgoing traffic on the server. Incoming firewall rules will be allowed for tested services. Outgoing firewall rules should be limited by IP *and* port with few exceptions.

Change Procedure

To change a Sun2 (or Sun1) firewall rule email firewall-local-admin@cacert.org with the request.


CategoryProcedures

SystemAdministration/Procedures/FirewallChanges (last edited 2009-09-23 08:05:14 by DanielBlack)