Introduction
Firewalls limit traffic so that only expected traffic is allowed. They also prevent command-and-control channels from being established through exploited services. This page describes the procedures required to change firewall rules.
Types of Firewalls
In CAcert there are two types of firewall rules: those managed by Tunix, and host-based firewall rules.
Tunix Firewall Rules
Tunix rules are the outermost set of firewall rules on CAcert's infrastructure. They permit allowed traffic on external IP addresses into the internal IP addresses. Tunix outbound firewall rules allow HTTP and HTTPS by default and other traffic as requested.
Change Procedure
Tunix firewall rules are controlled through the Team Leader of the Critical Systems Administration Team (firewall-external-admin@cacert.org).
Host Firewall Rules
Non-critical infrastructure services are generally on the sun2 physical server. As vserver virtualisation technology is currently used, IP rules are not on the virtual hosts but on the physical host.
The Sun2 server has a restrictive set of firewall rules that limit all incoming and outgoing traffic on the server. Incoming firewall rules will be allowed for tested services. Outgoing firewall rules should be limited by IP *and* port, with few exceptions.
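As an added example (not part of this page or of CAcert's actual configuration), a small Python check that audits an iptables-save style OUTPUT chain against the rule above: every outbound ACCEPT must name a single destination IP and a destination port, with loopback and established-connection rules treated as the accepted exceptions. The sample rules are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of iptables-save style OUTPUT rules (not a real ruleset).
SAMPLE_RULES = """
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 192.0.2.53/32 -p udp --dport 53 -j ACCEPT
-A OUTPUT -d 192.0.2.25/32 -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -d 198.51.100.0/24 -p tcp -j ACCEPT
-A OUTPUT -j DROP
"""

LOOPBACK = re.compile(r"-o\s+lo\b")
ESTABLISHED = re.compile(r"--(?:ct)?state\s+\S*ESTABLISHED")
DEST = re.compile(r"-d\s+(\S+)")
DPORT = re.compile(r"--dport\s+(\S+)")


def audit_output_rules(rules: str):
    """Return (rule, reason) pairs for every OUTPUT ACCEPT rule that is not
    pinned to both a single destination host and a destination port.

    Loopback traffic and replies on established connections are the
    'few exceptions' allowed by the policy, so they are skipped."""
    findings = []
    for line in rules.strip().splitlines():
        if not line.startswith("-A OUTPUT") or "-j ACCEPT" not in line:
            continue
        if LOOPBACK.search(line) or ESTABLISHED.search(line):
            continue
        reasons = []
        dest = DEST.search(line)
        if dest is None:
            reasons.append("no destination IP")
        else:
            # A /32 (or bare address) is a host; anything wider is a network.
            net = ipaddress.ip_network(dest.group(1), strict=False)
            if net.num_addresses != 1:
                reasons.append(f"destination is a /{net.prefixlen} network, not a host")
        if DPORT.search(line) is None:
            reasons.append("no destination port")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_output_rules(SAMPLE_RULES):
        print(f"VIOLATION: {rule}  ({reason})")
```

Run it against the output of `iptables-save` on the host to list outbound rules that need a destination IP or port added before the change is approved.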
Change Procedure
To change a Sun2 (or Sun1) firewall rule email firewall-local-admin@cacert.org with the request.