[INSTRM-348] All firewall protection to be moved to Subaru routers. Created: 01/May/18  Updated: 07/Nov/19  Resolved: 07/Nov/19

Status: Done
Project: Instrument control development
Component/s: ics_production
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Normal
Reporter: cloomis Assignee: Yoshida, Hiroshige
Resolution: Done Votes: 0
Labels: subaru-personnel
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

After discussion at the end of the MCS commissioning, we agreed to move all packet/traffic filtering to the Subaru network gear, and to remove iptables from both the physical and the virtual machines. The primary argument is that all filtering should be done in one place, where it is obvious what the effective rules are and who is responsible for them.

The rough idea is:

  • allow Gen2 and ftp traffic from "Gen2" machines to VMs on two physical PFS machines. Operational redundancy comes from that.
  • allow ssh connections to the top-level PFS machines: "mcs", "shell", others as they come up.
  • default deny

The work is scheduled for the week immediately following the 2018-06 engineering run, and will be done or managed by Subaru CDM.



 Comments   
Comment by cloomis [ 07/Nov/19 ]

This was done between the two MCS runs.
