MirrorACLRequirements

Jason Fesler edited this page Nov 5, 2016 · 2 revisions

Introduction

This page documents what it takes to run a full test-ipv6.com mirror, in terms of ACLs.

MACROS

| Name | Description |
| --- | --- |
| $SERVER | IP address(es) of the mirror site(s) |
| $JFESLER | 216.218.228.112/28 ; 2001:470:1:18::/64 ; 2001:470:1f05:479::/64 |

The $JFESLER ACLs are only needed if jfesler is being given operational control. This permits publishing code updates as part of standard test-ipv6.com deployments.

INBOUND

SERVER APPS

| Rule | Description |
| --- | --- |
| permit tcp4 from any to $SERVER 80 | HTTP serving |
| permit tcp6 from any to $SERVER 80 | HTTP serving |
| permit tcp4 from $JFESLER to $SERVER 22 | SSH administration |
| permit tcp6 from $JFESLER to $SERVER 22 | SSH administration |
| permit udp6 from any to $SERVER 53 | DNS serving |
| permit icmp from any to $SERVER | ICMP |
| permit icmp6 from any to $SERVER | ICMPv6 |

CLIENT APPS

| Rule | Description |
| --- | --- |
| permit tcp4 from any to any tcp-established | wget, rsync, etc. clients |
| permit tcp6 from any to any tcp-established | wget, rsync, etc. clients |
| permit udp4 from $SERVER 53 to any 1023+ | DNS client; can alternately point to existing DNS resolvers |
| permit udp6 from $SERVER 53 to any 1023+ | DNS client; can alternately point to existing DNS resolvers |

OUTBOUND

SERVER APPS

| Rule | Description |
| --- | --- |
| permit tcp4 from $SERVER 80 to any | HTTP |
| permit tcp6 from $SERVER 80 to any | HTTP |
| permit tcp4 from $SERVER 22 to any | SSH administration |
| permit tcp6 from $SERVER 22 to any | SSH administration |
| permit udp6 from $SERVER 53 to any | DNS auth for "v6ns" test |
| permit icmp from $SERVER to any | ICMP |
| permit icmp6 from $SERVER to any | ICMPv6; in particular MUST allow type 2 packet-too-big |

CLIENT APPS

| Rule | Description |
| --- | --- |
| permit tcp4 from $SERVER to any | wget, rsync, etc. clients |
| permit tcp6 from $SERVER to any | wget, rsync, etc. clients |
| permit udp4 from $SERVER 1023+ to any 53 | DNS client; can alternately point to existing DNS resolvers |
| permit udp6 from $SERVER 1023+ to any 53 | DNS client; can alternately point to existing DNS resolvers |
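The tables above use a compact `permit <proto> from <src> [port] to <dst> [port] [tcp-established]` notation that still has to be turned into a real firewall policy and checked before a mirror goes live. The following is an added example, not code from the test-ipv6.com project or from this wiki: it parses those permit lines as written, expands the macros, and evaluates constructed sample packets against them with first-match semantics and an implicit deny. `$SERVER` is given constructed placeholder addresses (203.0.113.10 and 2001:db8:10::10), the sample client addresses are documentation ranges, the second SSH line is read as tcp6 and `$GSERVER` as `$SERVER`, and `1023+` is read as "port 1023 or higher" (an assumption about the page's shorthand).

```python
"""Added example, not code from the test-ipv6.com project: parse the permit
lines from this page into a small ACL model, expand the macros, and evaluate
constructed sample packets against it (first match wins, implicit deny)."""
import ipaddress
import re

# Macro table. $SERVER is a constructed placeholder (one IPv4 and one IPv6
# host address for the mirror); $JFESLER is the prefix list from the page.
# "any" is modelled as a macro covering both address families.
MACROS = {
    "$SERVER": ["203.0.113.10/32", "2001:db8:10::10/128"],   # constructed
    "$JFESLER": ["216.218.228.112/28", "2001:470:1:18::/64",
                 "2001:470:1f05:479::/64"],
    "any": ["0.0.0.0/0", "::/0"],
}

# Rules transcribed from the tables above (second SSH line read as tcp6,
# $GSERVER read as $SERVER); the Description column is dropped.
INBOUND = """
permit tcp4 from any to $SERVER 80
permit tcp6 from any to $SERVER 80
permit tcp4 from $JFESLER to $SERVER 22
permit tcp6 from $JFESLER to $SERVER 22
permit udp6 from any to $SERVER 53
permit icmp from any to $SERVER
permit icmp6 from any to $SERVER
permit tcp4 from any to any tcp-established
permit tcp6 from any to any tcp-established
permit udp4 from $SERVER 53 to any 1023+
permit udp6 from $SERVER 53 to any 1023+
"""
OUTBOUND = """
permit tcp4 from $SERVER 80 to any
permit tcp6 from $SERVER 80 to any
permit tcp4 from $SERVER 22 to any
permit tcp6 from $SERVER 22 to any
permit udp6 from $SERVER 53 to any
permit icmp from $SERVER to any
permit icmp6 from $SERVER to any
permit tcp4 from $SERVER to any
permit tcp6 from $SERVER to any
permit udp4 from $SERVER 1023+ to any 53
permit udp6 from $SERVER 1023+ to any 53
"""

PROTO = {"tcp4": ("tcp", 4), "tcp6": ("tcp", 6), "udp4": ("udp", 4),
         "udp6": ("udp", 6), "icmp": ("icmp", 4), "icmp6": ("icmp", 6)}

# The page's rule grammar:
#   permit <proto> from <src> [port] to <dst> [port] [tcp-established]
RULE_RE = re.compile(
    r"permit\s+(?P<proto>tcp4|tcp6|udp4|udp6|icmp|icmp6)\s+from\s+"
    r"(?P<src>\S+)(?:\s+(?P<sport>\d+\+?))?\s+to\s+"
    r"(?P<dst>\S+)(?:\s+(?P<dport>\d+\+?))?(?:\s+(?P<flag>tcp-established))?$"
)


def parse_rule(line):
    """Turn one permit line into a dict, expanding macros for the rule's family."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    proto, family = PROTO[m["proto"]]

    def nets(macro):
        return [n for n in map(ipaddress.ip_network, MACROS[macro]) if n.version == family]

    return {"proto": proto, "family": family, "src": nets(m["src"]), "dst": nets(m["dst"]),
            "sport": m["sport"], "dport": m["dport"], "established": m["flag"] is not None}


def port_matches(spec, port):
    """spec is None (any port), 'N' (exact) or 'N+' (read as port >= N: assumption)."""
    if spec is None:
        return True
    if port is None:
        return False
    if spec.endswith("+"):
        return port >= int(spec[:-1])
    return port == int(spec)


def rule_matches(rule, pkt):
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if pkt["proto"] != rule["proto"] or src.version != rule["family"]:
        return False
    if not any(src in n for n in rule["src"]) or not any(dst in n for n in rule["dst"]):
        return False
    if rule["established"] and not pkt.get("established", False):
        return False  # tcp-established only matches packets of an existing session
    return port_matches(rule["sport"], pkt.get("sport")) and port_matches(rule["dport"], pkt.get("dport"))


def build_acl(text):
    return [(line.strip(), parse_rule(line)) for line in text.strip().splitlines()]


INBOUND_ACL = build_acl(INBOUND)
OUTBOUND_ACL = build_acl(OUTBOUND)


def evaluate(acl, pkt):
    """First-match evaluation; None means no permit line matched (implicit deny)."""
    for text, rule in acl:
        if rule_matches(rule, pkt):
            return text
    return None


# Constructed sample packets (198.51.100.0/24 and 2001:db8::/32 are documentation ranges).
SAMPLES = {
    "http_v6_in": (INBOUND_ACL, dict(proto="tcp", src="2001:db8:feed::1", sport=51000,
                                     dst="2001:db8:10::10", dport=80)),
    "ssh_from_stranger": (INBOUND_ACL, dict(proto="tcp", src="198.51.100.7", sport=51001,
                                            dst="203.0.113.10", dport=22)),
    "ssh_from_jfesler": (INBOUND_ACL, dict(proto="tcp", src="216.218.228.113", sport=51002,
                                           dst="203.0.113.10", dport=22)),
    "icmpv6_ptb_in": (INBOUND_ACL, dict(proto="icmp", src="2001:db8:feed::1",
                                        dst="2001:db8:10::10", icmp_type=2)),
    "rsync_reply_in": (INBOUND_ACL, dict(proto="tcp", src="198.51.100.20", sport=873,
                                         dst="203.0.113.10", dport=45000, established=True)),
    "dns_reply_in": (INBOUND_ACL, dict(proto="udp", src="198.51.100.53", sport=53,
                                       dst="203.0.113.10", dport=40000)),
    "dns_query_out": (OUTBOUND_ACL, dict(proto="udp", src="203.0.113.10", sport=40000,
                                         dst="198.51.100.53", dport=53)),
}


def evaluate_samples():
    return {name: evaluate(acl, pkt) for name, (acl, pkt) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:18s} -> {verdict or 'DENY (no match)'}")
```

Two results are worth a second look before deploying. `ssh_from_stranger` is denied while `ssh_from_jfesler` is permitted, which is the intended effect of restricting port 22 to the `$JFESLER` prefixes. `dns_reply_in` is also denied: the inbound DNS-client lines on the page name `$SERVER` as the source on port 53, so a reply from an external resolver to the mirror's ephemeral port matches nothing; a rule for that reply direction would have to read `permit udp4 from any 53 to $SERVER 1023+` (and `udp6` likewise), or the mirror can use the existing resolvers the table mentions. Confirm which was intended before copying the lines into a firewall.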