Closed cdeboever3 closed 8 years ago
Sounds reasonable. Currently there is no firewall on the external side of the head nodes. It's exposed. So we should probably limit that to some subnet of items really needed for external use. But 7777/tcp sounds fine.
I need two ports for two Python web servers on flh1; they access MySQL. The number could be 7777 and 7776, or whatever's fine. Chris, I don't think IPython uses a lot of memory, but do you think it will be better on flh2, separated from mine?
You can use whichever ports you'd like, I'll just take something that is unused for my notebooks. I can run the notebooks on flh2 but I don't think we'll stress the nodes either way. It's easy to switch nodes if need be.
On Fri, Oct 30, 2015 at 2:23 PM, hirokomatsui notifications@github.com wrote:
OK, then can we open four ports, 7776-7779, on flh1?
You can currently open whatever ports you would like ;) There is no firewall so be careful. When we get a bit further along we should set up iptables with the finalized selection of ports.
Leaving this open for when we firewall the external interfaces. Probably soon.
A prototype for an iptables ruleset that allows the items listed above but generically protects the system from non-UCSD access is being slowly added to head node 2. It will not block anything at first. Just keep track of the rule matches. No changes to head node 1 yet.
Head node 2 will move to a blocking iptables config for external interfaces shortly. After a period of that running I will attempt the same rules on Head node 1. They are currently very open to UCSD ranges with a permit any to the world for SSH.
Per call 7700/tcp - 7799/tcp
I am ready to test HN2 with a deny at the end of the iptables. Been waiting for a good week to monitor. Just advise if not a good week for the final firewall add to the head nodes.
The deny rule was added to the end of the iptables on HN2 external this morning.
The ruleset is basically:
Allow SSH from anywhere (denyhosts provided brute force protection)
Allow the iPython notebook port range of 7700-7799 from anywhere
Allow on campus IP ranges to anything (a placeholder and could be changed)
Deny the rest.
Advise if anything you were doing to HN2 is now not possible and we'll review the ruleset.
I would like to apply the same ruleset to the HN1 system shortly.
Can we open up ports for mosh from anywhere?
mosh did not make a successful connection to 169.228.63.175:60001.
Please verify that UDP port 60001 is not firewalled and can reach the server.
(By default, mosh uses a UDP port between 60000 and 61000. The -p option
selects a specific UDP port number.)
See if I did that right. Added.
Yep that works thanks.
On Tue, Dec 8, 2015 at 8:36 AM, tatarsky notifications@github.com wrote:
Saved. Working on a log only version for HN01.
Conceptual one without end deny on HN01. Monitoring it. May attempt soon.
Unless I hear by say 1:00PM (your time) or so, to give people time, I will finish the HN01 firewall with a deny line at the end and we can adjust for anything missed. The final breakdown for inbound allows (all outbound is allowed):
Allow the mosh ports 60000-61000 udp from anywhere
Allow the chosen ipython notebook ports 7700-7799 tcp from anywhere
Allow 22 tcp (SSH) from anywhere
Allow 80 tcp (HTTP) from anywhere
Allow on-campus access to any service from the ranges 132.249.0.0/16 and 137.110.0.0/16.
The above is a placeholder we may decide we don't want.
Deny the rest.
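The inbound policy listed above, written out as iptables commands, added here as an example and not the actual configuration that went onto the head nodes. It only prints the commands (so the log-only staging version and the final deny version can be reviewed or diffed before being applied as root); the chain name HEADNODE_EXT and the interface name eth0 are assumptions.

```sh
#!/bin/sh
# Added example, not the cluster's own firewall script. Emits the inbound ruleset
# described in the thread for a head node's external interface.
#   gen_rules log   -> log-only staging version (counts/logs what would be denied)
#   gen_rules drop  -> the same rules with the final deny line at the end
EXT_IF="${EXT_IF:-eth0}"                       # assumed external interface name
CAMPUS_NETS="132.249.0.0/16 137.110.0.0/16"    # on-campus ranges from the thread

gen_rules() {
    mode="$1"   # "log" or "drop"
    echo "iptables -N HEADNODE_EXT"
    echo "iptables -A INPUT -i $EXT_IF -j HEADNODE_EXT"
    # All outbound is allowed, so replies to connections we opened must come back.
    echo "iptables -A HEADNODE_EXT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # mosh uses a UDP port between 60000 and 61000 (the -p option pins one port).
    echo "iptables -A HEADNODE_EXT -p udp --dport 60000:61000 -j ACCEPT"
    # Jupyter/IPython notebook servers on the agreed 7700-7799 range.
    echo "iptables -A HEADNODE_EXT -p tcp --dport 7700:7799 -j ACCEPT"
    # SSH (brute-force lockout is left to denyhosts) and HTTP from anywhere.
    echo "iptables -A HEADNODE_EXT -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A HEADNODE_EXT -p tcp --dport 80 -j ACCEPT"
    # Placeholder: on-campus ranges may reach any service.
    for net in $CAMPUS_NETS; do
        echo "iptables -A HEADNODE_EXT -s $net -j ACCEPT"
    done
    # Log what the deny would catch; rate-limited so a scan cannot flood syslog.
    echo "iptables -A HEADNODE_EXT -m limit --limit 5/min -j LOG --log-prefix 'HN_EXT_DENY: '"
    if [ "$mode" = "drop" ]; then
        echo "iptables -A HEADNODE_EXT -j DROP"
    fi
}

# Number of rules appended by a given mode; a quick sanity check before applying.
count_rules() { gen_rules "$1" | grep -c '^iptables -A'; }

# Review first:  gen_rules drop
# Apply as root: gen_rules drop | sh
```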
I got overloaded and did not add the deny line last week. I have added it this morning. Please advise if other allows are needed.
I believe this is resolved. If going forward you find a service you need blocked to either head node from the campus networks or "the world" please open an issue describing as best possible the ports and protocols required or networks.
Once we have a web server running on the head nodes, can we open two ports for David and me to test setting up Jupyter/IPython notebooks? I was generally using ports around 7777 in the past but can use anything. The setup details for the notebook server are here.