"Client" :: ports :: hosts =>
confLine_out (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "daddr" hosts, " ACCEPT;"])
| "Server" :: ports :: hosts =>
- confLine_in (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "daddr" hosts, " ACCEPT;"])
+ confLine_in (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "saddr" hosts, " ACCEPT;"])
+ | ["ProxiedServer", ports] =>
+ (* should this also allow access on lo? fixme: open output ports on apache node *)
+ confLine_in (node, uname, String.concat ["saddr $WEBNODES dport ", parsePorts ports, " ACCEPT;"])
| ["LocalServer", ports] =>
- confLine_in (node, uname, String.concat ["saddr $WE dport ", parsePorts ports, " ACCEPT;"])
+ confLine_in (node, uname, String.concat ["saddr 127.0.0.1/8 dport ", parsePorts ports, " ACCEPT;"])
| _ => print "Invalid config line\n";
loop ())
| _ => loop ()
@ ["}\n\n"]))
end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n")
rules
+
+ fun write_tcp_in_conf (rules, outf, suffix) =
+ (* Lame hack: can't use iptables to restrict port binding,
+ punting on SELinux &c for now and just opening every
+ port any user requests *)
+
+ let
+ in
+ TextIO.output (outf, String.concat ["@def $WEBNODES = (",
+ (String.concatWith ", " (List.map (fn (_, ip) => ip)
+ (List.filter (fn (node, _) => List.exists (fn (n) => n = node) (List.map (fn (node, _) => node) (Config.Apache.webNodes_all @ Config.Apache.webNodes_admin)))
+ Config.nodeIps))),
+ ");\n\n"]);
+ StringMap.appi (fn (uname, rules) =>
+ let
+ val uid = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
+ val lines = filter_node_rules rules
+ in
+ TextIO.output (outf,
+ String.concat ("proto tcp {\n"
+ :: lines
+ @ ["}\n\n"]))
+ end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n")
+ rules
+ end
in
- write_user_tcp_conf (server_rules, users_tcp_in_conf, "_tcp_in");
+ write_tcp_in_conf (server_rules, users_tcp_in_conf, "_tcp_in");
write_user_tcp_conf (client_rules, users_tcp_out_conf, "_tcp_out");
TextIO.closeOut users_conf;