| 1 |
> |
| 2 |
> There would also have to be an ACL (Access Control List) such |
| 3 |
> that I could regulate who gets access to these boards. |
| 4 |
> I could use some suggestions on iptables rules for this |
| 5 |
> (embedded) DMZ. I have spoken to several folks in the past that |
| 6 |
> have tried this, and maintaining security is always a challenge. |
| 7 |
> So a limited ACL in the beginning until the security mechanisms |
| 8 |
> mature, is a prudent step. |
| 9 |
|
| 10 |
Hi, |
| 11 |
|
| 12 |
here comes my experience with a similar configuration (not developers |
| 13 |
but students with root-privileges, even worse :)) |
| 14 |
|
| 15 |
a stepping-stone host with ssh-logins for outside devs. this is the only |
| 16 |
system, that accepts connections from outside, the firewall blocks any |
| 17 |
attempt to connect to any embedded system directly. we even have our |
| 18 |
devices in a network with private ip-addresses, with no routing at all |
| 19 |
to or from the internet, the steppingstone has 2 nics, one with a public |
| 20 |
IP for ssh-login, and one with the private ip. it does NOT do any |
| 21 |
routing or NAT. the private IP-config will probably not work for you, |
| 22 |
because: |
| 23 |
|
| 24 |
the dev systems probably need outgoing http/ftp/rsync if not more. block |
| 25 |
smtp at all costs. if you need mail for debugging the embedded systems, |
| 26 |
configure your stepping-stone so that it accepts mails for your |
| 27 |
dns-zone, and delivers it locally, but do not forward any mail from the |
| 28 |
dev-dmz. if you only want to support one system (say gentoo) you might |
| 29 |
get along with a local gentoo-mirror, but development is really |
| 30 |
cumbersome if people don't have http/ftp access do download some patches |
| 31 |
or whatever. people will start to build ssh-portforwards if you are too |
| 32 |
restrictive and that kills any firewall. |
| 33 |
|
| 34 |
you need ip-switchable powersupply for all dev-systems, these things |
| 35 |
will crash and the users need a way to reboot them remotly. |
| 36 |
(afair ~300 Euro per 8 devices) |
| 37 |
see that you get some with snmp support, then you can write a small tool |
| 38 |
that checks against the acl before it reboots the device. |
| 39 |
|
| 40 |
you need a serial connection to each dev-system. we use terminal-servers |
| 41 |
for that purpose. make sure you can break a serial login, users will |
| 42 |
forget to log out and block the serial port forever. again, see for snmp |
| 43 |
support for that purpose. |
| 44 |
(terminal-servers are really expensive, about 150 Euro per port, but you |
| 45 |
can use a pc with lots of ports, and use a serial-to-network daemon) |
| 46 |
|
| 47 |
if multiple devs should be able to share a device, you need some kind of |
| 48 |
a reservation system. We started with a wiki, where everyone entered the |
| 49 |
devices that he wants to book in a table. that worked amazingly well. |
| 50 |
now we have switched to a sql-db, with allows us to restrict the logins |
| 51 |
on the devices to that devices, that the user has actually reserved. the |
| 52 |
most important thing is that never 2 independant users access the device |
| 53 |
at the same time if they want to do things like system configuration |
| 54 |
things... |
| 55 |
|
| 56 |
we provide our users with a tftp-server, that has a writeable directory |
| 57 |
for each stepping-stone-user. it is planned to allow the users to |
| 58 |
specify a config-snippet for the dhcpd (again, only for such system that |
| 59 |
the user has reserved in the db), when this is done there will be |
| 60 |
everything a user needs to boot any arbitary system on the device (if |
| 61 |
the device is netboot-enabled) |
| 62 |
|
| 63 |
hope that gives you some ideas, |
| 64 |
harald |
| 65 |
-- |
| 66 |
gentoo-embedded@g.o mailing list |
Archives