MirrorACLRequirements

Introduction

This documents what it takes to run a full mirror, in terms of ACLs.

MACROS

Name	Description
$SERVER	IP address(es) of the mirror site(s)
$JFESLER	216.218.228.112/28 ; 216.218.223.248/28; 2001:470:1:18::/64 ; 2001:470:1f05:479::/64

$JFESLER acls are only needed, if jfesler is being given operational control. This will permit publishing code updates as part of standard test-ipv6.com deployments.

INBOUND

SERVER APPS

Rule	Description
permit tcp4 from any to $SERVER 80	HTTP serving
permit tcp6 from any to $SERVER 80	HTTP serving
permit tcp4 from $JFESLER to $SERVER 22	SSH administration
permit tcp4 from $JFESLER to $SERVER 22	SSH administration
permit udp6 from any to $SERVER 53	DNS serving
permit icmp from any to $SERVER	ICMP
permit icmp6 from any to $SERVER	ICMPv6

CLIENT APPS

Rule	Description
permit tcp4 from any to any tcp-established	wget, rsync, etc clients
permit tcp6 from any to any tcp-established	wget, rsync, etc clients
permit udp4 from $SERVER 53 to any 1023+	DNS client ; can alternately point to existing DNS resolvers
permit udp6 from $SERVER 53 to any 1023+	DNS client ; can alternately point to existing DNS resolvers

OUTBOUND

SERVER APPS

Rule	Description
permit tcp4 from $SERVER 80 to any	HTTP
permit tcp6 from $SERVER 80 to any	HTTP
permit tcp4 from $SERVER 22 to any	SSH administration
permit tcp6 from $SERVER 22 to any	SSH administration
permit udp6 from $SERVER 53 to any	DNS auth for "v6ns" test
permit icmp fro $SERVER to any	ICMP
permit icmp6 from $SERVER to any	ICMPv6; in particular MUST allow type 2 packet-too-big

CLIENT APPS

Rule	Description
permit tcp4 from $SERVER to any	wget, rsync etc clients
permit tcp6 from $SERVER to any	wget, rsync etc clients
permit udp4 from $SERVER 1023+ to any 53	DNS client; can alternately point to existing dns resolvers
permit udp6 from $GSERVER 1023+ to any 53	DNS client; can alternately point to existing dns resolvers