On Wed, Sep 01, 2004 at 01:44:46PM -0700 or thereabouts, Rod Walker wrote:
> Hi,
> In order to reduce the chances of WestGrid WN's launching a DOS attack
> on the Bank of Canada, the sysadmin wants to limit the outbound
> connections to LCG domains. My problem is defining this list in such a
> way that it will not change daily, but give maximum peace of mind to the
> sysadmins.
> Now I can build a list of SE's, RB's, webservers, Db's that a WN would
> possibly want to talk to. I'll swallow the fact that this will change
> and experiment/users scripts can do anything at all.
>
> In turning this list into a firewall configuration, one must decide what
> the netmask is. I'm trying to allow small changes like adding nodes, or
> moving offices, but not new sites.
> -Adding just the specific node ip is not useful, as then adding an SE to
> the same subnet would require a firewall change.
> -Adding with netmask /24 would mean that all nodes in a subnet are
> accessible. This would only break when the subnet changes, but this can
> happen when switching offices for example.
> -Adding with netmask /16 would cover changes of subnets but might
> include some chemists machines. It is this that prevents our sysadmin
> from sleeping.
>
> So what is needed is a list of LCG networks together with their
> netmasks. Such a list would be useful for in and out firewalls, and if
> presented in an updated cut'n'paste iptables form, all the better.
> Although I argued the "open everything" line, sooner or later a user's
> credentials will be maliciously used, and the firewall is the last best
> hope against DOS lawsuits.
Hi Rod,
You can pick up the network blocks with whois.
eg,
whois -h whois.arin.net 131.111.8.46
which returns amongst other things
inetnum: 131.111.0.0 - 131.111.255.255
which happens to be the address space of Cambridge Uni
You can send flags as well to the whois server
whois -h whois.arin.net -- -n 131.111.8.46
and then the details are slightly more condensed.
ARIN here in principle covers N America and Southern Africa
though in reality it will probably contain all the hosts you
are likely to find in LCG. I don't understand what hosts are in there.
There is a list of other RIPE whois servers here and the areas
they cover.
http://www.ripe.net/nicdb.html#correctdb
However be warned that each server takes different flags after
the '--' and produces different output.
There is a Net::Whois perl module by the way that 'may' abstract
you from this inconsistency but I've never tried it.
Just checked with lcgce02.triumf.ca and I see you are
142.90.0.0 - 142.90.255.255 hopefully.
Incidentally I think this is a good idea.
Steve
>
> Cheers,
> Rod.
>
> --
> Rod Walker +1 6042913051
--
Steve Traylen
http://www.gridpp.ac.uk/
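Turning the whois "inetnum" ranges into the cut'n'paste iptables form discussed above, as an added example that is not from the thread: it assumes whois output in the inetnum form Steve quotes, uses the Cambridge and TRIUMF ranges from the thread plus one constructed range that does not sit on a netmask boundary, and the function names are mine.

```python
import ipaddress
import re

# Constructed sample of whois output in the "inetnum: start - end" form.
# The first two ranges are the ones quoted in the thread; the third is a
# made-up range that is not a clean power-of-two block.
SAMPLE_WHOIS = """\
inetnum:        131.111.0.0 - 131.111.255.255
netname:        CAM-AC-UK
inetnum:        142.90.0.0 - 142.90.255.255
netname:        TRIUMF
inetnum:        192.0.2.16 - 192.0.2.47
netname:        EXAMPLE-SE
"""

INETNUM_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", re.MULTILINE)


def inetnum_to_cidrs(whois_text):
    """Extract every inetnum range and split it into the minimal set of
    CIDR blocks, so a rule covers exactly the registered block and nothing
    more. A range that does not start and end on a netmask boundary
    becomes several blocks rather than being rounded up to a wider one."""
    cidrs = []
    for start, end in INETNUM_RE.findall(whois_text):
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(end)
        cidrs.extend(ipaddress.summarize_address_range(first, last))
    return cidrs


def iptables_outbound_rules(cidrs, chain="OUTPUT"):
    """Render an outbound allow list: replies to already established
    sessions first, one ACCEPT per registered block, then a default
    REJECT so a WN cannot open new connections anywhere else."""
    rules = [f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    rules += [f"iptables -A {chain} -d {net.with_prefixlen} -j ACCEPT" for net in cidrs]
    rules.append(f"iptables -A {chain} -j REJECT")
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_outbound_rules(inetnum_to_cidrs(SAMPLE_WHOIS))))
```

Feeding it real whois output still needs a per-server check of the field name, since, as noted above, each server's output differs.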