Firewall-Secure Configuration

The following requires that you are knowledgeable about configuring the network firewall behind which ACSLS resides. All firewalls are "third-party" software, and the details of setting them up correctly to protect your network environment will vary. The following is not meant to be a recommendation of firewall security policy, but rather a set of helpful instructions covering only what the firewall must, or can, do with regard to the ACSLS product. See your System Administrator for other security details.

Here is a list of details for setting up your firewall for the ACSLS platform:

  • Put in place an overall rule to disallow UDP incoming and outgoing connections.

  • Put in place an overall rule to disallow TCP incoming connections (TCP outgoing connections must remain open).

  • Put in place a specific rule to allow incoming TCP connections on the port you specified for ACSLS. IMPORTANT: This port must match the one you configured under acsss_config, or the ACSLS server will receive no client communications.

If all of your clients have implemented the firewall-secure feature and make no queries to the ACSLS platform's portmapper, you are done. If the clients still make use of that portmapper on the ACSLS platform, you must add the following:

  • Put in place a specific rule to allow incoming and outgoing connections on the well-known portmapper TCP and UDP port 111.

Example:

The following rules were put in place on an iptables-based firewall to implement all of the above.

Note:

These are in addition to other rules configured for the specific firewall.

echo " - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
# These rules allow client access to the portmapper
$IPTABLES -A FORWARD -p tcp -i $EXTIF --dport 111 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF --dport 111 -j ACCEPT
# These rules allow client access to the ACSLS CSI for network communication
# Note: This assumes that the CSI firewall-secure port was specified as 30031
$IPTABLES -A FORWARD -p tcp -i $EXTIF --dport 30031 -j ACCEPT
# Catch-all rule: all other forwarding is denied and logged.
$IPTABLES -A FORWARD -j drop-and-log-it
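As an added check that is not part of the ACSLS documentation, the following Python script audits the output of `iptables -S FORWARD` against the rules above: it reports any inbound port accepted on the external interface other than the CSI port and, when clients still query the portmapper, TCP/UDP 111, and it confirms the chain ends in a deny. The sample output, the interface names eth0/eth1 and the stray 30032 rule are constructed for the example.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample: `iptables -S FORWARD` after the page's rules were loaded
# with $EXTIF=eth0 and $INTIF=eth1, plus one stray rule (30032) to be flagged.
SAMPLE_RULES = """\
-P FORWARD DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
-A FORWARD -i eth0 -p udp -m udp --dport 111 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 30031 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 30032 -j ACCEPT
-A FORWARD -j drop-and-log-it
"""

DENY_TARGETS = ("DROP", "REJECT", "drop-and-log-it")  # last is the page's custom chain

def exposed_ports(rules: str, ext_if: str) -> Set[Tuple[str, int]]:
    """(proto, port) pairs the FORWARD chain ACCEPTs for new inbound traffic on ext_if."""
    found = set()
    for line in rules.splitlines():
        if not line.startswith("-A FORWARD") or not line.endswith("-j ACCEPT"):
            continue
        iface = re.search(r"-i (\S+)", line)
        proto = re.search(r"-p (tcp|udp)\b", line)
        dport = re.search(r"--dport (\d+)", line)
        # The ESTABLISHED,RELATED rule has no -p/--dport and is skipped here.
        if iface and iface.group(1) == ext_if and proto and dport:
            found.add((proto.group(1), int(dport.group(1))))
    return found

def expected_ports(csi_port: int, clients_use_portmapper: bool) -> Set[Tuple[str, int]]:
    """Only the CSI port, plus portmapper 111 if clients still need it."""
    allowed = {("tcp", csi_port)}
    if clients_use_portmapper:
        allowed |= {("tcp", 111), ("udp", 111)}
    return allowed

def has_default_deny(rules: str) -> bool:
    """True if the chain policy is DROP or the final rule jumps to a deny target."""
    lines = [l for l in rules.splitlines() if l.startswith(("-P FORWARD", "-A FORWARD"))]
    if "-P FORWARD DROP" in lines:
        return True
    return bool(lines) and lines[-1].split("-j ")[-1] in DENY_TARGETS

def audit(rules: str, ext_if: str, csi_port: int, clients_use_portmapper: bool) -> Dict:
    actual = exposed_ports(rules, ext_if)
    wanted = expected_ports(csi_port, clients_use_portmapper)
    return {"unexpected": actual - wanted, "missing": wanted - actual,
            "default_deny": has_default_deny(rules)}
```

Run it against `iptables -S FORWARD` output from the real firewall, with the CSI port you set under acsss_config; anything in `unexpected` is exposure the ACSLS rules do not call for.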