"Client" :: ports :: hosts =>
confLine_out (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "daddr" hosts, " ACCEPT;"])
| "Server" :: ports :: hosts =>
- confLine_in (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "daddr" hosts, " ACCEPT;"])
+ confLine_in (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "saddr" hosts, " ACCEPT;"])
+ | ["ProxiedServer", ports] =>
+ (* should this also allow access on lo? fixme: open output ports on apache node *)
+ (confLine_in (node, uname, String.concat ["saddr $WEBNODES dport ", parsePorts ports, " ACCEPT;"]);
+ (* Warning: duplicates code of Client case *)
+ List.map (fn (node, _) => confLine_out (node, uname, String.concat ["dport ", parsePorts ports, Domain.nodeIp node, " ACCEPT;"] ))
+ Config.Apache.webNodes_all; ())
| ["LocalServer", ports] =>
- confLine_in (node, uname, String.concat ["saddr $WE dport ", parsePorts ports, " ACCEPT;"])
+ confLine_in (node, uname, String.concat ["saddr 127.0.0.1/8 dport ", parsePorts ports, " ACCEPT;"])
| _ => print "Invalid config line\n";
loop ())
| _ => loop ()
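Review bot: The egress rule in the new ProxiedServer case (L10) concatenates `Domain.nodeIp node` straight after `parsePorts ports` with no `daddr` keyword and no separating space, so ferm gets something like `dport 80N.N.N.N ACCEPT;` instead of the `dport … daddr …` form the Client case builds with `parseHosts "daddr"`; it should be `String.concat ["dport ", parsePorts ports, parseHosts "daddr" [Domain.nodeIp node], " ACCEPT;"]` (or an explicit `" daddr "` element if `parseHosts` does not accept a single-element list). The inbound half trusts `$WEBNODES`, which the new `write_tcp_in_conf` builds from `webNodes_all @ webNodes_admin`, while the egress loop only walks `Config.Apache.webNodes_all`, so admin web nodes are admitted as a source but never get a matching output rule — either both lists or neither should include the admin nodes. `ports` and `hosts` come straight from a user-editable config line and are spliced into the ferm file by string concatenation; unless `parsePorts`/`parseHosts` (not visible here) reject anything other than port numbers, ranges and addresses, a user can inject arbitrary ferm directives into the host ruleset, which is worth confirming. The enclosing match and its `loop` begin before this hunk.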
TextIO.output (outf, String.concat
["mod owner uid-owner ",
Int.toString uid,
- " { goto user_",
+ " { jump user_",
uname,
suffix,
"; DROP; }\n"]);
@ ["}\n\n"]))
end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n")
rules
+
+ fun write_tcp_in_conf (rules, outf, suffix) =
+ (* Lame hack: can't use iptables to restrict port binding,
+ punting on SELinux &c for now and just opening every
+ port any user requests *)
+
+ let
+ in
+ TextIO.output (outf, String.concat ["@def $WEBNODES = (",
+ (String.concatWith ", " (List.map (fn (_, ip) => ip)
+ (List.filter (fn (node, _) => List.exists (fn (n) => n = node) (List.map (fn (node, _) => node) (Config.Apache.webNodes_all @ Config.Apache.webNodes_admin)))
+ Config.nodeIps))),
+ ");\n\n"]);
+ StringMap.appi (fn (uname, rules) =>
+ let
+ val uid = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
+ val lines = filter_node_rules rules
+ in
+ TextIO.output (outf,
+ String.concat ("proto tcp {\n"
+ :: lines
+ @ ["}\n\n"]))
+ end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n")
+ rules
+ end
in
- write_user_tcp_conf (server_rules, users_tcp_in_conf, "_tcp_in");
+ write_tcp_in_conf (server_rules, users_tcp_in_conf, "_tcp_in");
write_user_tcp_conf (client_rules, users_tcp_out_conf, "_tcp_out");
TextIO.closeOut users_conf;
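Review bot: `write_tcp_in_conf` takes `suffix` and computes `uid` but uses neither; the `getpwnam` call now serves only as an existence check caught by the `OS.SysErr` handler, so say so instead of leaving a dead binding: `val _ = Posix.SysDB.getpwnam uname (* existence check only: owner matching cannot scope INPUT by uid *)`. With the per-user `mod owner … jump user_…; DROP;` wrapper gone from the inbound file, every Server/ProxiedServer/LocalServer port any user lists is opened for every process on the host, which is the least-privilege gap the "Lame hack" comment admits; a one-line note in the emitted file header (`# inbound ports are host-wide; per-user binding is not enforced here`) would keep operators reading the ferm output from assuming otherwise. If nothing in `Config.nodeIps` matches a web node, the file gets `@def $WEBNODES = ();` and the ProxiedServer rules carry an empty `saddr` set — whether ferm silently drops those rules or errors is not visible here, so consider raising or printing a warning when the filtered list is empty. The `List.exists … List.map` lookup at L39 rebuilds the web-node name list for each entry of `Config.nodeIps`; hoisting `val webNodeNames = List.map #1 (Config.Apache.webNodes_all @ Config.Apache.webNodes_admin)` above the filter is cheaper and easier to read. The surrounding `let … in` body starts before this hunk and continues after `closeOut`.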