1 |
> |
2 |
> There would also have to be an ACL (Access Control List) such |
3 |
> that I could regulate who gets access to these boards. |
4 |
> I could use some suggestions on iptables rules for this |
5 |
> (embedded) DMZ. I have spoken to several folks in the past that |
6 |
> have tried this, and maintaining security is always a challenge. |
7 |
> So a limited ACL in the beginning until the security mechanisms |
8 |
> mature, is a prudent step. |
9 |
|
10 |
Hi, |
11 |
|
12 |
here comes my experience with a similar configuration (not developers |
13 |
but students with root-privileges, even worse :)) |
14 |
|
15 |
a stepping-stone host with ssh-logins for outside devs. this is the only |
16 |
system, that accepts connections from outside, the firewall blocks any |
17 |
attempt to connect to any embedded system directly. we even have our |
18 |
devices in a network with private ip-addresses, with no routing at all |
19 |
to or from the internet, the steppingstone has 2 nics, one with a public |
20 |
IP for ssh-login, and one with the private ip. it does NOT do any |
21 |
routing or NAT. the private IP-config will probably not work for you, |
22 |
because: |
23 |
|
24 |
the dev systems probably need outgoing http/ftp/rsync if not more. block |
25 |
smtp at all costs. if you need mail for debugging the embedded systems, |
26 |
configure your stepping-stone so that it accepts mails for your |
27 |
dns-zone, and delivers it locally, but do not forward any mail from the |
28 |
dev-dmz. if you only want to support one system (say gentoo) you might |
29 |
get along with a local gentoo-mirror, but development is really |
30 |
cumbersome if people don't have http/ftp access do download some patches |
31 |
or whatever. people will start to build ssh-portforwards if you are too |
32 |
restrictive and that kills any firewall. |
33 |
|
34 |
you need ip-switchable powersupply for all dev-systems, these things |
35 |
will crash and the users need a way to reboot them remotly. |
36 |
(afair ~300 Euro per 8 devices) |
37 |
see that you get some with snmp support, then you can write a small tool |
38 |
that checks against the acl before it reboots the device. |
39 |
|
40 |
you need a serial connection to each dev-system. we use terminal-servers |
41 |
for that purpose. make sure you can break a serial login, users will |
42 |
forget to log out and block the serial port forever. again, see for snmp |
43 |
support for that purpose. |
44 |
(terminal-servers are really expensive, about 150 Euro per port, but you |
45 |
can use a pc with lots of ports, and use a serial-to-network daemon) |
46 |
|
47 |
if multiple devs should be able to share a device, you need some kind of |
48 |
a reservation system. We started with a wiki, where everyone entered the |
49 |
devices that he wants to book in a table. that worked amazingly well. |
50 |
now we have switched to a sql-db, with allows us to restrict the logins |
51 |
on the devices to that devices, that the user has actually reserved. the |
52 |
most important thing is that never 2 independant users access the device |
53 |
at the same time if they want to do things like system configuration |
54 |
things... |
55 |
|
56 |
we provide our users with a tftp-server, that has a writeable directory |
57 |
for each stepping-stone-user. it is planned to allow the users to |
58 |
specify a config-snippet for the dhcpd (again, only for such system that |
59 |
the user has reserved in the db), when this is done there will be |
60 |
everything a user needs to boot any arbitary system on the device (if |
61 |
the device is netboot-enabled) |
62 |
|
63 |
hope that gives you some ideas, |
64 |
harald |
65 |
-- |
66 |
gentoo-embedded@g.o mailing list |