Firewall Configuration
======================

DataONE VMs typically use `UFW`_ (Uncomplicated Firewall), a front end for
*iptables*, to manage the host firewall rules.

Minimal configuration of *ufw* should include the following::

  sudo ufw default deny
  sudo ufw allow ssh
  sudo ufw enable

which allows SSH access to the machine and blocks all other incoming
connections (``ufw default deny`` sets the policy for incoming traffic;
outgoing connections are still allowed).

Suggested Member Node Firewall Configuration
--------------------------------------------

Member Nodes provide services over HTTP, and HTTPS is required for Tier2 and
higher Member Node implementations, so HTTP or HTTPS respectively must be
enabled in addition to the base configuration suggested above::

  sudo ufw allow http

or::

  sudo ufw allow https


Member Node operators may need to add additional rules to support other
services that may be operating on their installation.


Coordinating Node Firewall Configuration
----------------------------------------

Coordinating Nodes should be configured to accept only HTTPS connections from
the public internet. LDAP (port 389) and Hazelcast_ (ports 5701 and 5702) must
additionally be reachable, but only from specific sources (i.e. the other
Coordinating Nodes operating in the same environment).

For example, the three CNs *cn-dev-unm-1.dataone.org*,
*cn-dev-ucsb-1.dataone.org*, and *cn-dev-orc-1.dataone.org* all operate in the
same *development* environment, and so must communicate with each other. The
complete *ufw* configuration for one of them would be (where IP-NODE-2 and
IP-NODE-3 stand for the IP addresses of the other two Coordinating Nodes)::

  sudo ufw default deny
  sudo ufw allow ssh
  sudo ufw allow https
  sudo ufw allow from IP-NODE-2 to any port 389
  sudo ufw allow from IP-NODE-3 to any port 389
  sudo ufw allow from IP-NODE-2 to any port 5701
  sudo ufw allow from IP-NODE-2 to any port 5702
  sudo ufw allow from IP-NODE-3 to any port 5701
  sudo ufw allow from IP-NODE-3 to any port 5702
  sudo ufw enable

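The rule set above, generated for any number of peer Coordinating Nodes, plus a
check that a ``ufw status`` listing has not opened a peer-only port to the whole
internet, as an added shell example that is not part of the DataONE
documentation or tooling. The peer addresses 192.0.2.2 and 192.0.2.3 are
constructed placeholders from the RFC 5737 documentation range, and the
function names ``cn_ufw_rules``, ``is_ipv4`` and ``audit_cn_status`` are this
example's own.

```shell
#!/bin/sh
# Added example (not DataONE's own tooling): build the CN ufw rule set for any
# number of peer Coordinating Nodes, and audit a "ufw status" listing for
# peer-only ports that have been opened to "Anywhere".

# Ports that must be reachable only from peer CNs: LDAP (389) and
# Hazelcast (5701, 5702), matching the configuration in the text above.
CN_PEER_PORTS="389 5701 5702"

# Crude dotted-quad check so a typo in a peer address fails loudly instead of
# producing a rule that ufw rejects half-way through applying the set.
is_ipv4() {
  expr "$1" : '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' >/dev/null
}

# Print (do not run) the ufw commands for a CN whose peers are the arguments.
# Review the output, then apply it with:  cn_ufw_rules PEER... | sudo sh
cn_ufw_rules() {
  for peer in "$@"; do
    if ! is_ipv4 "$peer"; then
      echo "cn_ufw_rules: '$peer' is not an IPv4 address" >&2
      return 1
    fi
  done
  echo "ufw default deny"
  echo "ufw allow ssh"
  echo "ufw allow https"
  for peer in "$@"; do
    for port in $CN_PEER_PORTS; do
      echo "ufw allow from $peer to any port $port"
    done
  done
  echo "ufw enable"
}

# Audit: read a "ufw status" (or "ufw status verbose") listing on stdin and
# print every ALLOW rule that exposes a peer-only port to "Anywhere".
# Returns 1 if any such rule exists, 0 if the listing is clean.
audit_cn_status() {
  awk -v ports="$CN_PEER_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) peer[p[i]] = 1 }
    $2 == "ALLOW" && ($3 == "Anywhere" || ($3 == "IN" && $4 == "Anywhere")) {
      split($1, t, "/")                 # drop a "/tcp" or "/udp" suffix
      if (t[1] in peer) { print "exposed to Anywhere: " $0; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Dry run with constructed placeholder peers (192.0.2.0/24 is the RFC 5737
# documentation range); replace them with the real peer CN addresses.
cn_ufw_rules 192.0.2.2 192.0.2.3
```

Typical use is ``cn_ufw_rules IP-NODE-2 IP-NODE-3`` to review the generated
commands, and ``sudo ufw status | audit_cn_status`` after the fact to confirm
that 389, 5701 and 5702 are still restricted to the peer addresses.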

.. _UFW: https://help.ubuntu.com/community/UFW

.. _Hazelcast: http://www.hazelcast.com/