From f673a4bc909d77527788944052da7e2095500329 Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Fri, 26 Jul 2013 22:35:08 +0200 Subject: [PATCH] Add initial fw info --- input/doc/firewall.mdwn | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 input/doc/firewall.mdwn diff --git a/input/doc/firewall.mdwn b/input/doc/firewall.mdwn new file mode 100644 index 0000000..67ea832 --- /dev/null +++ b/input/doc/firewall.mdwn @@ -0,0 +1,37 @@ +Third party firewalling debian.org hosts +======================================== + +In Debian we rely on sponsors for providing housing and hosting for all +of our infrastructure. As such, we have a lot of our gear spread out +all over the world across many different locations. + +To make our life easier our general preference is that our kind sponsors +give us unfiltered internet. That means no firewall, no blocking of any +ports or protocols, no blocking of ICMP, no protocol enforcement/cleanup +and no state tracking and killing sessions that appear to be idle. We +are fortunate that most places are able to provide this. + +We also acknowledge that sometimes local policies outside of our primary +hosting provider requires a less optimal setup (e.g. the Computer +Science department hosts our machine but central IT which controls the +University's border routers think ICMP is the devil's doing). + +In these cases we usually ask for the following setup: + * allow all outgoing traffic + * allow incoming ICMP + * allow incoming tcp/22 (ssh) + * allow all incoming from + ** bytemark: 5.153.231.0/24 + ** grnet: 194.177.211.192/27 + ** man-da: 82.195.75.64/26 + ** sil: 86.59.118.144/28 + ** ubcece: 206.12.19.5.0/24 + ** bytemark: + ** grnet: 2001:648:2ffc:deb::/64 + ** man-da: 2001:41b8:202:deb::/64 + ** sil: 2001:858:2:2::/64 + ** ubcece: 2607:f8f0:610:4000::/64 + +Extra ports might be required for specific services. + + -- 2.20.1
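Review bot: in the "allow all incoming from" list, the ubcece IPv4 entry `206.12.19.5.0/24` has five octets and is not a valid prefix, and the second `bytemark:` entry (the one that opens the IPv6 group) has no prefix at all. A sponsor copying this list into a border ACL cannot use either entry as written, so please correct the ubcece line to the intended /24 and either fill in the bytemark IPv6 prefix or drop that line until it is known. Since these ranges are granted "all incoming", it would also help to say explicitly that this means every protocol and port, and to label the IPv4 and IPv6 groups, because the `**` sub-items currently run together with nothing separating the two address families.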