
Oracle® SuperCluster M8 and SuperCluster M7 Security Guide


Updated: June 2020

Limit Remote Network Access

There are several ways to limit remote network access to the storage servers. You can restrict inbound network access to the storage server by implementing a top-down filtering rule set that defines access by user account and origin. You can also define a custom rule set that allows or denies access according to U.S. Department of Defense and PCI-DSS requirements.


Caution  -  Use caution when implementing nondefault policies to ensure that access to the system is not interrupted. When you add new individual rules, the changes take effect immediately.


To implement a rule set, perform this procedure.

  1. Log into the storage server as celladmin.

    See Log into the Storage Server OS.

  2. Examine the active rule set.
    # /opt/oracle.cellos/host_access_control access --status
    
  3. Export the current rule set to a file and save it as a backup copy.

    This command exports the rule set to an ASCII text file:

    # /opt/oracle.cellos/host_access_control access-export --file filename
    
  4. Configure the rule set by performing one or more of these commands, based on the method you want to use to create the rule set:
    • Implement an open rule set that removes inbound network restrictions.
      # /opt/oracle.cellos/host_access_control access --open
      
    • Implement a closed rule set that only permits inbound access using SSH.
      # /opt/oracle.cellos/host_access_control access --close
      
    • Modify the existing rule set.

      Export the current rule set to an ASCII text file:

      # /opt/oracle.cellos/host_access_control access-export --file filename
      

      Use an editor to edit the text file to configure the rule set.

      Import the rule set from the text file, overriding the existing rule set:

      # /opt/oracle.cellos/host_access_control access-import --file filename
      
    • Add specific rules individually.

      This method includes allowing and denying access based on these parameters:

      • Username – Valid values include either the keyword all or one or more valid, local account user names.

      • Origin – Valid values include either the keyword all or individual entries that describe the source of system access including from the console, virtual console, Oracle ILOM, IP address, network address, host name, or DNS domain.

      In this example, access to the storage server is granted to the celladmin user when the connection is initiated from the trustedhost.example.org host, or from any host within the .trusted.example.com domain.

      # /opt/oracle.cellos/host_access_control access --add --user celladmin \
      --origins trustedhost.example.org,.trusted.example.com
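The following script is an added example and is not part of the Oracle guide. It ties steps 3 and 4 together: before any individual rule is added, the active rule set is exported to a timestamped backup file and that backup is checked for content, so a rule change that takes effect immediately can always be reverted with access-import. It also checks the syntax of the origin list before it reaches host_access_control. Assumptions: the backup directory, the function names and the origin syntax checks (keyword all, a dotted IPv4 address, a host name, or a leading-dot DNS domain such as .trusted.example.com) are this example's own; the console, virtual console and Oracle ILOM origin forms the guide mentions are not recognized by the validator and would be rejected, so extend it before using those forms.

```shell
#!/bin/sh
# Added example (not from the Oracle SuperCluster guide): back up the active
# host_access_control rule set, validate an origin list, then add one rule.
# Assumptions: the binary path is the one the guide shows; BACKUP_DIR, the
# function names and the origin syntax rules are this example's own.

HAC="${HAC:-/opt/oracle.cellos/host_access_control}"
BACKUP_DIR="${BACKUP_DIR:-/var/tmp/host_access_control-backups}"

# Host name: labels of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'

# Accept one origin entry: "all", an IPv4 address, a host name, or a
# leading-dot domain. Anything else (including shell metacharacters) fails.
valid_origin() {
    o=$1
    [ "$o" = all ] && return 0
    case "$o" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # IPv4: four numeric octets, each 0-255
    if echo "$o" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        oldifs=$IFS; IFS=.
        for oct in $o; do
            [ "$oct" -le 255 ] || { IFS=$oldifs; return 1; }
        done
        IFS=$oldifs
        return 0
    fi
    # ".trusted.example.com" style domain entry: validate the part after the dot
    case "$o" in .*) o=${o#.} ;; esac
    echo "$o" | grep -Eq "$HOSTNAME_RE"
}

# Accept a comma-separated origin list as passed to --origins.
valid_origins() {
    oldifs=$IFS; IFS=,
    set -- $1
    IFS=$oldifs
    [ $# -gt 0 ] || return 1
    for o in "$@"; do
        valid_origin "$o" || return 1
    done
    return 0
}

# add_rule USER ORIGINS: export the current rule set to a backup, verify the
# backup is non-empty, add the rule, then show the resulting status.
add_rule() {
    user=$1; origins=$2
    valid_origins "$origins" || { echo "rejected origin list: $origins" >&2; return 2; }
    mkdir -p "$BACKUP_DIR" || return 1
    backup="$BACKUP_DIR/rules-$(date +%Y%m%d-%H%M%S).txt"
    "$HAC" access-export --file "$backup" || return 1
    [ -s "$backup" ] || { echo "backup $backup is empty, rule set not changed" >&2; return 1; }
    "$HAC" access --add --user "$user" --origins "$origins" || return 1
    "$HAC" access --status
}

# Usage (run as celladmin on the storage server):
#   sh add_rule.sh celladmin trustedhost.example.org,.trusted.example.com
if [ $# -eq 2 ]; then
    add_rule "$1" "$2"
fi
```

If the backup export fails or produces an empty file, no rule is added; to roll back a rule added by this script, import the most recent file in BACKUP_DIR with access-import --file.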