The firewall script is /etc/rc.d/firewall.ipchains on the front end server. The firewall is a kernel-level packet filter that can block or allow arbitrary ports of all or selected protocols (tcp, udp, icmp) in either the inbound or outbound direction.
By default it is set up so that there is no restriction between the compute
nodes and the front end server. Anti-spoofing rejects packets that arrive on the
external Ethernet card claiming to come from the external IP address or the local loopback.
Additionally, the compute nodes are masqueraded as the front end server, which means that all the
compute nodes can talk to the external network but the external network has no route to the internal
network. The default settings allow Secure Shell logins on port 22 and udp connections
from nominated name servers on port 53. This provides a high degree of security against network
attacks.
The firewall script is started before the network when the front end server is booted,
using the boot script /etc/rc.d/init.d/ipchains.
This means that all IP addresses and networks must be specified numerically rather than by name;
otherwise the script will hang waiting for name resolution.
The script has two sections: a configuration section where networks and services are specified,
and an execution section containing script loops which build the firewall rules. In most
cases you will only want to change the configuration section.
IP addresses can be specified with a bit mask, e.g. 192.168.0.0/16, which is equivalent to
192.168.0.0 with a netmask of 255.255.0.0 and matches every IP address of the form 192.168.x.y.
For example you might have these defaults:
SUBNET="192.168.0.0/16"
GOODNETS="$SUBNET"
INTERNAL="192.168.0.0/16"
NFSCLIENTS=
NFSSERVERS=""
NAMESERVERS="194.119.131.65 194.119.131.66 129.67.1.1 129.67.1.180 194.73.73.94 194.73.73.95"
MASQHOSTS="$INTERNAL"
TIMESERVERS="163.1.88.222 163.1.88.221 163.1.88.211"
To add external NFS servers or NIS services you need to add a list of IP addresses to the NFSSERVERS variable. If you have a new service then you need to find which port it comes in on and add an appropriate loop using the syntax of the existing lines as a guide.
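The two-section layout described above, as an added example that is not the cluster's own firewall.ipchains: a configuration section of numeric addresses followed by loops that emit one ipchains rule per listed host. The interface names, the front end's external address and the print-only default (IPCHAINS unset) are assumptions made for this example.

```shell
#!/bin/sh
# Added example of the configuration/execution split; not the cluster's script.
# Interface names, EXTIP and the dry-run default are assumptions.

# ---- configuration section: numeric addresses only, the network is not up yet
EXTIF="eth0"                       # assumed external interface
INTIF="eth1"                       # assumed compute-node interface
EXTIP="198.51.100.10"              # assumed external address (documentation range)
INTERNAL="192.168.0.0/16"
MASQHOSTS="$INTERNAL"
NAMESERVERS="194.119.131.65 194.119.131.66"
NFSSERVERS=""                      # external NFS/NIS servers go here

# With IPCHAINS=ipchains the rules are applied; by default they are only
# printed so the rule set can be reviewed on a host without ipchains.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# ---- execution section: loops build one rule per configured host
build_rules() {
    # deny by default; everything below is an explicit exception
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    # no restriction between compute nodes and the front end
    $IPCHAINS -A input -i "$INTIF" -j ACCEPT
    $IPCHAINS -A input -i lo -j ACCEPT
    # anti-spoofing: our own address or loopback arriving on the external card
    $IPCHAINS -A input -i "$EXTIF" -s "$EXTIP" -j REJECT
    $IPCHAINS -A input -i "$EXTIF" -s 127.0.0.0/8 -j REJECT
    # masquerade the compute nodes behind the front end
    $IPCHAINS -A forward -s "$MASQHOSTS" -j MASQ
    # permitted services: ssh from anywhere, udp 53 from nominated name servers
    $IPCHAINS -A input -p tcp -d "$EXTIP" 22 -j ACCEPT
    for ns in $NAMESERVERS; do
        $IPCHAINS -A input -p udp -s "$ns" 53 -d "$EXTIP" -j ACCEPT
    done
    # template for a new service: copy the loop, change protocol and port
    for srv in $NFSSERVERS; do
        $IPCHAINS -A input -p udp -s "$srv" 2049 -d "$EXTIP" -j ACCEPT
        $IPCHAINS -A input -p tcp -s "$srv" 2049 -d "$EXTIP" -j ACCEPT
    done
}

build_rules
```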
Any time you change the firewall script you need to restart it using
/etc/rc.d/init.d/ipchains start
or just rerun the script
/etc/rc.d/firewall.ipchains
To turn the firewall off completely (in case of emergency) use
/etc/rc.d/init.d/ipchains stop
or
/etc/rc.d/firewall.ipchains off