Former Member
Firewall to restrict connections to those needed by BOINC and the WCG

It is important to feel secure when running BOINC, hence my idea to build a firewall to restrict connections to only those needed by the WCG.

Which IP addresses should be allowed?

My firewall is still too restrictive. It refuses all input and output connections except:

1) accept 198.20.8.241, the IP linked to the worldcommunity website
3) input and output tcp connections on port 31416, the port used by BOINC

With this firewall I get the message: BOINC can't access Internet - check network connection or proxy configuration.

Which additional IP/ports should be added to the firewall list?

Thank you
----------------------------------------
[Edit 3 times, last edit by Former Member at Nov 4, 2016 1:04:31 PM]
[Nov 3, 2016 1:19:41 AM]
Former Member
Re: Firewall to restrict connection to those need by BOINC and the WCG

Hit Help very top-right of screen, then type FIREWALL into help search box, to find the ports answer in the first item.
[Nov 3, 2016 9:54:26 AM]
Former Member
Re: Firewall to restrict connections to those needed by BOINC and the WCG

Should I include any BOINC related addresses in the firewall?

The following firewall works, however:

  • it does not include possibly necessary BOINC IPs
  • the DNS rule may be restricted to certain DNS servers (Google's DNS 8.8.8.8 and 8.8.4.4 for instance)

# set DROP default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Allow loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT

#Allow DNS for DNS queries containing the word "worldcommunitygrid"
iptables -A OUTPUT -p udp --sport 53 -m string --algo bm --string worldcommunitygrid -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m string --algo bm --string worldcommunitygrid -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m string --algo bm --string worldcommunitygrid -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m string --algo bm --string worldcommunitygrid -j ACCEPT

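# allow WCG IPs
# The client connects out to the server's port 80/443, so that port is the
# destination port on OUTPUT and the source port on the INPUT replies.
for IP in 198.20.8.246 198.20.8.241
do
    for PORT in 443 80
    do
        iptables -A INPUT -p tcp --sport "$PORT" -s "$IP" -j ACCEPT
        iptables -A OUTPUT -p tcp --dport "$PORT" -d "$IP" -j ACCEPT
    done
done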

The script can be found at https://github.com/boinc-scripts/firewall-worldcommunitygrid
----------------------------------------
[Edit 17 times, last edit by Former Member at Nov 4, 2016 2:00:11 PM]
[Nov 3, 2016 1:40:17 PM]
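
An added example, not the poster's script or the one in the linked repository: a stateful variant of the allowlist in the post above that prints its rules for review instead of applying them, limits DNS to the two resolvers the post mentions, and lets return traffic in through connection tracking rather than per-port INPUT rules. It assumes the WCG addresses from the post are current and that the client only needs outbound HTTP/HTTPS to them; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not the poster's script. Addresses are those named in the thread.
WCG_IPS="198.20.8.246 198.20.8.241"   # WCG servers listed in the post
DNS_SERVERS="8.8.8.8 8.8.4.4"         # resolvers suggested in the post
WCG_PORTS="443 80"

# Return 0 only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# Print the ruleset, one iptables command per line, without applying it.
wcg_rules() {
    for addr in $WCG_IPS $DNS_SERVERS; do
        valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    for chain in INPUT OUTPUT FORWARD; do
        echo "iptables -P $chain DROP"
    done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Inbound: only replies to connections this host opened.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Outbound DNS, limited to the chosen resolvers (TCP covers large answers).
    for dns in $DNS_SERVERS; do
        for proto in udp tcp; do
            echo "iptables -A OUTPUT -p $proto -d $dns --dport 53 -j ACCEPT"
        done
    done
    # Outbound HTTPS/HTTP to the WCG servers: the server's port is the
    # destination port on OUTPUT.
    for ip in $WCG_IPS; do
        for port in $WCG_PORTS; do
            echo "iptables -A OUTPUT -p tcp -d $ip --dport $port -j ACCEPT"
        done
    done
}

wcg_rules   # review the output, then apply as root with: wcg_rules | sh
```

Because nothing is accepted on INPUT except loopback and tracked replies, no new inbound connection reaches the host even from the allowed addresses.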