Reconfigurable Firewall: Difference between revisions

From Grid5000
Jump to navigation Jump to search
(add a TLDR intro)
Line 1: Line 1:
= Quick overview =
= Quick overview =


Allowing initiating network connections from outside to inside Grid5000 is possible. You need to fully reserve some node(s) (not possible on shared nodes), activate IPv6 on these node(s), then issue some request to the firewall API. You can jump to the [[#Example usage]] section if you want to skip the detailed explanation and directly see how to do that.
Allowing initiating network connections from outside to inside Grid5000 is possible. You need to reserve some node(s), activate IPv6 on these node(s), then issue some request to the firewall API to open the firewall for these node(s). You can jump to the [[#Example usage]] section if you want to skip the detailed explanation and directly see how to do that.


= Background =
= Background =

Revision as of 10:24, 31 August 2021

Quick overview

Allowing initiating network connections from outside to inside Grid5000 is possible. You need to reserve some node(s), activate IPv6 on these node(s), then issue some request to the firewall API to open the firewall for these node(s). You can jump to the #Example usage section if you want to skip the detailed explanation and directly see how to do that.

Background

In IPv4, all communications from inside Grid'5000 to the outside internet are NATed to the single public IP address of Grid'5000. It is possible to initiate a network connection from inside Grid'5000 to the outside internet and the connection tracking of the Grid'5000 firewalls will allow the communication to work in most situations (i.e. for protocols that are supported by standard connection tracking mechanisms).

But two things are not possible, in IPv4:

  • Initiating a direct network connection from the outside internet to the inside of Grid'5000 (by direct connection we mean not through VPN or ssh tunnel). It is impossible to allow such connections since Grid'5000 hosts do not have a public routable IPv4 address.
  • having connections initiated inside Grid'5000 to the outside internet, on protocols which are not supported by standard connection tracking mechanisms ("standard connection tracking mechanisms" is deliberately vague, it depends on the specific firewall version which may change).

In IPv6, all Grid'5000 hosts have a public, globally routable IPv6 address, and there is a Reconfigurable Firewall service which allows users to request firewall openings for specific IPv6 addresses, allowing connections initialed in the outside internet to target specific IPv6 addresses inside Grid'5000. This page discusses the usage of this Reconfigurable Firewall service.

Functionnalities

The Reconfigurable Firewall (aka Dynamic Firewall) service is called g5kfw. It provides a REST API allowing:

  • To request firewall openings associated with an OAR job. The request is checked to ensure that the requested openings only targets IPv6 addresses of nodes which belong exclusively to the OAR job (It is not possible to request an opening to a shared resource, ie. you need to reserve a full host with all its cpu cores to be allowed to open the firewall)
  • There can be several openings associated with an OAR job.
  • At the end of the OAR job, all openings are removed.
  • An opening is:
    • A list of destination hostnames (which resolve to IPv6 addresses) or IPv6 addresses. These are the addresses of the hosts inside Grid'5000 for which a connection from the outside internet will be allowed,
    • The kind of protocols opened. There are two kinds of protocols:
      • "tcp+udp": will open only for TCP / UDP flows. In this case, the list of TCP/UDP ports or port ranges that are to be allowed are also needed. "tcp+udp" is the default.
      • "all": means open any protocol, meaning any IPv6 packet are allowed. In this case, there is no concept of ports.
    • Optional source hostnames (which resolve to IPv6 addresses) or IPv6 addresses (/128) or networks, to restrict the opening to specific sources outside Grid'5000. If none given, there is no restriction.
  • Additionally, for any destination for which an opening is requested, ICMPv6 is also automatically unfiltered.

Known limitations

Due to the way Grid'5000 linux based firewalls behave (interaction between nftable rules and connection tracking mechanisms), currently when firewall openings are removed (either because the user explicitely asks for removal or because the OAR job ends), existing connections will not be closed.

API details

The Grid'5000 API base URL is of the form https://api.grid5000.fr/<api_version>/, The reconfigurable Firewall API resource URLs are of the form https://api.grid5000.fr/<api_version>/sites/<site>firewall/<jobid> where <site> <jobid> where <site> <jobid> are the site and jobid of the OAR job for which one requests openings.

There are three operations than can be performed on these resource URLs:

  • POST: adds openings to the current openings for the OAR job. The openings are given in the POST body as a json payload, with the format:
[
  {
    "addr": "space separated list of hostnames or ipv6 host (/128) addresses" or array of,
    "port": (mandatory if proto=="tcp+udp", fobidden if proto=="all") integer, or "space separated list of ports or port ranges" or array of. A port range is in the form "port1..port2",
    "proto": (optional) protocols to open, can be "tcp+udp" (the default) or "all"
    "src_addr": (optional) same as addr, for source addresses. Also possible to pass IPv6 network addresses (/x with x < 128)
  },
]
  • DELETE: delete all openings for the OAR job.
  • GET: returns all openings for an OAR job.

The request is checked:

  • check that user making the request has permission on the job
  • for an opening add request, check that the requested destination addresses all belong to the job
  • for an opening add request, check that the job has started

If the request is accepted, a success code is returned, which can be 200 if all the firewalls could be immediately configured, or 202 if one or more of the firewalls could not yet be configured. If one of the firewall could not be immediately configured (maybe there is a network issue, or the firewall is rebooting...) the service will retry to apply the opening every X seconds (X currently being set to 60 seconds)

If the request is refused or fails for any reason, an error code is issued (4xx or 5xx), and the response body contains a message with an explanation of the error.

Example usage

Warning.png Warning

You can test this functionnality from anywhere outside Grid'5000, like a campus, your home, or any server / VM, provided that IPv6 connectivity to internet is enabled on the test host.

Connect to a Grid'5000 site and submit a job. Currently, the reconfigurable firewall is only available for members of group g5k-staff. Note that we ask for job type allow_classic_ssh because later on we will connect to the node from outside Grid'5000 with ssh:

USER@fSITE:~$ oarsub --project g5k-staff -l nodes=1,walltime=1:00:00 -t allow_classic_ssh -I
USER@NODE:~$ cat $OAR_JOB_ID

From now on, take note of the SITE, OAR_JOB_ID and NODE.

Activate IPv6 on the node:

USER@NODE:~$ sudo-g5k dhclient -6 br0

The request for opening the firewall can be issued from anywhere, but it's more convenient to issue it from a frontend as it will avoid having to authenticate. First we need to prepare the json of our request. In this request, we need to ask for the IPv6 address of the node, which is in the form CLUSTERNAME-NODENUMBER-ipv6.SITE.grid5000.fr, so you just need to add -ipv6 inside the node name NODE (for example, if NODE=sagittaire-12.lyon.grid5000.fr, then IPV6NODE=sagittaire-12-ipv6.lyon.grid5000.fr)

USER@fSITE:~$ cat <<EOF > ~/example-firewall-opening.json
[
    {
        "addr": "IPV6NODE",
        "port": 22
    }
]
EOF

Then we send the request to the dynamic firewall service:

USER@flyon:~$ curl -iu USER https://api.grid5000.fr/stable/sites/SITE/firewall/OAR_JOB_ID -d @/home/USER/example-firewall-opening.json

If everything is ok, the answer code should be 200 or 202, and the response body should be similar to the request, except that all DNS names are converted to IPv6, and the response format is more "rigid".

Then you can try sending pings to the node:

LOCALWORKSTATION:~$ ping -c 5 IPV6NODE

If on your workstation you have an ssh key which allows you to connect to Grid'5000 resources (it depends on your ssh setup), you should also be able to connect directly with ssh to the node:

LOCALWORKSTATION:~$ ssh USER@IPV6NODE
USER@NODE:~$ ...

Then, as soon as the OARJOB is finished, the firewall opening will be deleted.