Former Member
How can I set a firewall for the World Community Grid only

I want to set a firewall that filters all IP addresses except the BOINC related ones.

Which addresses should be taken into account in the IP table rules?

---------------------------------------------------------------------------------------

ANSWER

The IPs I accepted are

1) The World Community Grid IPs (198.20.8.246 and 198.20.8.241)

2) The BOINC IPs (174.125.95.103-74.125.95.147 and 209.85.225.99-209.85.225.147)

SCRIPT TO SET FIREWALL FOR WORLD COMMUNITY GRID ONLY (the script is available here)

#!/bin/bash
# Reset iptables and allow traffic only to/from the World Community Grid
# and BOINC addresses listed above. Must be run as root.
echo -n "Iptables rules will be reset. Continue? (y/n) "
read -r a
if [ "$a" = "y" ]
then
    # Flush all existing rules in the filter table
    iptables -F

    WORLD_COMMUNITY_GRID_IP[1]=198.20.8.246
    WORLD_COMMUNITY_GRID_IP[2]=198.20.8.241

    BOINC_IP_RANGE[1]="74.125.95.103-74.125.95.147"
    BOINC_IP_RANGE[2]="209.85.225.99-209.85.225.147"

    # Default-deny in both directions (loopback and DNS are not allowed either)
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP

    # Single hosts
    for i in "${WORLD_COMMUNITY_GRID_IP[@]}"
    do
        iptables -A INPUT -s "$i" -j ACCEPT
        iptables -A OUTPUT -d "$i" -j ACCEPT
    done

    # Address ranges: source match on INPUT, destination match on OUTPUT
    for i in "${BOINC_IP_RANGE[@]}"
    do
        iptables -A INPUT -m iprange --src-range "$i" -j ACCEPT
        iptables -A OUTPUT -m iprange --dst-range "$i" -j ACCEPT
    done

    echo "New iptables for running BOINC with only World Community Grid tasks"
    echo

    iptables -L INPUT -n -v --line-numbers
    iptables -L OUTPUT -n -v --line-numbers
fi
echo " "

echo
echo -n "Start firewall now? (y/n) "
read -r a
if [ "$a" = "y" ]
then
    service ufw start
fi

----------------------------------------
[Edit 4 times, last edit by Former Member at Oct 2, 2016 4:07:27 PM]
[Sep 27, 2016 10:50:49 AM]
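An added example, not part of the original post or of any BOINC or World Community Grid tooling: the same allowlist written as a generator for an `iptables-restore` ruleset, which validates every entry first (for instance a range whose start is above its end) and prints nothing if one is bad. The function names `ip_to_int` and `emit_rules` are hypothetical, and the design assumes the BOINC client opens all connections itself, so inbound traffic is limited to replies and loopback.

```sh
#!/bin/sh
# Added example: builds an iptables-restore ruleset from an allowlist.
# It only prints rules; pipe the output to `iptables-restore` as root to apply.

# Print a dotted-quad as a 32-bit integer; fail on anything malformed.
# The ( ) body runs in a subshell, so IFS and "$@" changes stay local.
ip_to_int() (
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in 0?*|????*) exit 1 ;; esac   # no leading zeros (octal), max 3 digits
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Emit a complete filter table for the given entries (single IPs or A-B ranges).
# Any invalid entry aborts before a single rule is printed.
# Assumptions of this example: loopback stays open (BOINC Manager talks to the
# client locally), replies are admitted by connection tracking, and FORWARD is
# left at ACCEPT because the post's script does not touch it.
emit_rules() {
    rules=
    for entry in "$@"; do
        case $entry in
        *-*)
            lo=$(ip_to_int "${entry%%-*}") && hi=$(ip_to_int "${entry#*-}") &&
                [ "$lo" -le "$hi" ] || { echo "bad range: $entry" >&2; return 1; }
            match="-m iprange --dst-range $entry" ;;
        *)
            ip_to_int "$entry" >/dev/null || { echo "bad address: $entry" >&2; return 1; }
            match="-d $entry" ;;
        esac
        rules="$rules-A OUTPUT $match -j ACCEPT
"
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${rules}COMMIT
EOF
}

# Addresses and ranges exactly as they appear in the post's script.
emit_rules 198.20.8.246 198.20.8.241 \
    74.125.95.103-74.125.95.147 209.85.225.99-209.85.225.147
```

As in the post's script, DNS is not allowed, so hostname lookups only work through a resolver on loopback or static hosts entries.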
SekeRob
Re: How can I set a firewall for the World Community Grid only

Think in help there's a firewall topic and an IP list

Edit: There's not only www. but also secure. grid. and download. maybe more prefixes (help appears not exactly fresh/complete), plus there's uploading to Harvard directly for the CEP2 project.
----------------------------------------
[Edit 1 times, last edit by SekeRob* at Sep 27, 2016 11:37:02 AM]
[Sep 27, 2016 11:27:12 AM]
SekeRob
Re: How can I set a firewall for the World Community Grid only

They all resolve to either 198.20.8.241 or .246
[Sep 27, 2016 11:43:05 AM]
Former Member
Re: How can I set a firewall for the World Community Grid only

There is also the CDN which created problems for me several years ago as WCG recommended adding a range of IPs to our HTTPS proxy server. Our data security team refused to allow open ranges of IP addresses. Don't know what address(es) are being used with the new storage system they have put in place.
[Sep 27, 2016 1:05:53 PM]
SekeRob
Re: How can I set a firewall for the World Community Grid only

As I understand it, CDN was or is about to be phased out, don't recollect with what replaced but IIRC it was knreed who posted about it not so long ago, v.v. the perpetuated download and upload issues.

Found a post with a very long list of geographical locations with associated IP, think it was in the Beta forum, that could likely then have been deprecated.
[Sep 27, 2016 2:21:14 PM]