AppLogic 2.7/2.8 Documentation
The latest production release is AppLogic 2.8.9
IN2: Input Gateway Appliance
Latest version: 1.0.5-1
| At a Glance |
| Catalog | System |
| Category | Beta |
| User volumes | no |
| Min. memory | 64 MB |
| OS | Linux |
| Constraints | no |
| Questions/Comments | Ask Forum |
Functional overview
IN2 is not available in AppLogic 2.8+. Please use IN instead.
IN2 is an input gateway that provides a firewalled entry point for network traffic into an application. External traffic passes through an IN2 gateway to access resources or services within an application.
IN2 accepts all allowed incoming traffic on its external interface and passes it through its out terminal. IN2 forwards only the traffic explicitly allowed through configuration of its firewall properties; all other traffic is discarded.
IN2 supports up to 4 incoming interfaces (protocol/port pairs), such as http, ssh, etc. By default, IN2 allows only tcp port 80 (http).
If the log terminal is connected then IN2 logs via the log terminal to a remote syslog server.
IN2 is implemented using BusyBox to provide a small and efficient environment tailored to support its functionality. It boots from a read-only volume and uses a 2MB ramdisk to store files which change during boot or run time.
Please note: the log terminal is not used for storing logs on a mounted cifs file system, but rather for sending logging messages to a remote syslog server. In the future other AppLogic appliances will be updated to log via their log terminals to a remote syslog server.
Boundary
Resources
Terminals
| Name | Dir | Protocol | Description |
| out | out | any | Sends all traffic out to the destination address and receives the responses. |
| log | out | syslog | Sends logging messages using the syslog protocol. This terminal may be left unconnected if it is not used. Please note: the log terminal is not used for storing logs on a mounted cifs file system, but rather for sending logging messages to a remote syslog server. |
| mon | out | cce | Sends performance and resource usage statistics. |
The external interface is enabled. It is used for incoming traffic. The external interface is configured through the properties listed in the following sections.
The default interface is enabled. It is used for maintenance (incoming ssh connections).
Boot volume
The IN2 appliance is based on a custom Linux distribution with a read-only boot volume and inherits its file system layout. Almost all files reside on the boot volume. Files or folders that need to be modified either reside on the RAM drive or are symbolic links to the RAM drive.
Any changes applied to an instance of the IN2 appliance will be lost after appliance stop or restart.
User Volumes
None
Properties
Base Configuration
The following property group defines the base network settings for the gateway.
| Property name | Type | Description |
| ip_addr | IP Address | IP address of the external interface. This property is mandatory. |
| netmask | IP Address | Network mask for the network on which ip_addr resides. This property is mandatory. |
| gateway | IP Address | IP network gateway (router) used for all outgoing traffic to the external network via ip_addr. Default: empty (not used). |
Firewall Configuration
The following property group defines the firewall settings for the gateway. There are two filters that can be used together: by source IP address (allowed_hosts and denied_hosts) and by protocol/port (ifaceX). Up to four protocol/port pairs (interfaces) can be configured.
If all parameters are left to their defaults, only tcp port 80 will be allowed.
| Property name | Type | Description |
| allowed_hosts | String | List of hosts and/or subnets allowed to connect. Separate multiple entries with spaces or commas. Supported format example: 192.168.1.2 192.168.1.0/24 192.168.2.0/255.255.255.0. Default: 0.0.0.0/0 (all allowed) |
| denied_hosts | String | List of hosts and/or subnets to be denied connection. The format is the same as for allowed_hosts. Default: empty (none denied) |
| iface1_protocol | String | Protocol to allow. Options: none, tcp (default), udp |
| iface1_port | String | Port numbers or port ranges to allow. Accepts a string of comma or space-separated values. Port ranges must be specified as lower_port:higher_port with colon or dash as a separator (e.g., 80,81,82:85 86-90). Default: 80 (http) |
| iface2_protocol | String | Protocol to allow. Options: none (default), tcp, udp |
| iface2_port | String | Port numbers or port ranges to allow. Accepts a string of comma or space-separated values. Port ranges must be specified as lower_port:higher_port with colon or dash as a separator (e.g., 80,81,82:85 86-90). Default: 0 (disabled) |
| iface3_protocol | String | Protocol to allow. Options: none (default), tcp, udp |
| iface3_port | String | Port numbers or port ranges to allow. Accepts a string of comma or space-separated values. Port ranges must be specified as lower_port:higher_port with colon or dash as a separator (e.g., 80,81,82:85 86-90). Default: 0 (disabled) |
| iface4_protocol | Integer | IP Protocol number to allow (e.g., 6 for TCP, 47 for GRE). See http://www.iana.org/assignments/protocol-numbers. Default: 0 (disabled) |
| iface4_port | String | Port numbers or port ranges to allow. Accepts a string of comma or space-separated values. Port ranges must be specified as lower_port:higher_port with colon or dash as a separator (e.g., 80,81,82:85 86-90). Used only if the selected IP protocol has port numbers (e.g., udp and tcp); must be set to 0 for all other protocols. Setting this property to 0 for tcp or udp protocols will allow all ports. Default: 0 |
The iface4 filter can be configured to allow incoming protocols other than tcp and udp.
All 4 interfaces can be configured independently; there is no requirement to have interface 1 and 2 in order to have 3. In particular, iface4 can be configured even if iface3 is not.
The port number for iface4 behaves slightly differently from the other port numbers. Setting iface4_port to 0 means that the port number is not checked at all (this works both for protocols that simply have no port numbers, like GRE, and for tcp and udp, where it allows every port). Setting iface{1,2,3}_port to 0, by contrast, disables that interface (equivalent to setting its protocol to none).
Error Messages
The following messages may appear in either the appliance log file or the system log of the grid controller when the appliance fails to start:
- Failed to start iptables
- Failed to set up rules (exit code code); using backup rule set
- Failed to set up backup rule set (exit code code)
Typical Usage
Simple Input Firewall
The following diagram shows a typical usage of IN2 for a simple web server application:
Summary of Parts
- IN2 - input gateway
- web - apache web server appliance
IN2 accepts HTTP requests on its external interface and passes them to web through its out terminal.
Example:
| Property name | Value | Notes |
| ip_addr | 192.168.1.1 | IP address of the external interface |
| netmask | 255.255.255.0 | Network mask for the external interface |
| gateway | 192.168.1.254 | Gateway for the external interface |
| iface1_protocol | tcp | Allow TCP traffic... |
| iface1_port | 80 | ...only on port 80 (http) |
Advanced Firewall
In this example, the gateway is configured to allow the HTTP and HTTPS protocols, as well as the PPTP protocol (used by MS Windows VPN).
Example:
| Property name | Value | Notes |
| ip_addr | 192.168.1.1 | IP address of the external interface |
| netmask | 255.255.255.0 | Network mask for the external interface |
| gateway | 192.168.1.254 | Gateway for the external interface |
| iface1_protocol | tcp | Allow TCP traffic... |
| iface1_port | 80 | ...on port 80 (http) |
| iface2_protocol | tcp | Allow TCP traffic... |
| iface2_port | 443 | ...on port 443 (https) |
| iface3_protocol | tcp | Allow TCP traffic for the PPTP control connection... |
| iface3_port | 1723 | ...on port 1723 (VPN) |
| iface4_protocol | 47 | Allow GRE traffic for the PPTP encapsulation |
| iface4_port | 0 | (not used) |
In this example, note the use of iface4 for the GRE protocol. It is OK to fill iface4 even if lower-numbered interfaces are not filled in.
Notes
- If a host matches, directly or as part of a subnet, both the allowed_hosts and the denied_hosts lists, it will be denied access. IN2 first rejects all denied hosts and then allows only those in allowed_hosts (standard security practice).
- IN2 cannot be used for accessing external services by the application. Applications access external services (outgoing traffic) through OUT2 and NET2 gateways.
- iface4_protocol has not been tested with protocols other than tcp and udp (due to lack of appliances supporting GRE or other non-tcp/udp protocols).
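The following is an added example, not code from the IN2 appliance or from 3tera. It models the Firewall Configuration properties above and the precedence rule from the Notes (denied_hosts checked before allowed_hosts, then the per-interface protocol/port filters) so that a configuration can be checked offline before it is deployed. Property names, defaults and the host/port syntax come from this page; the iptables command strings are an assumed rendering of the same policy (the appliance's own rule script is not shown here), and the allowed_hosts/denied_hosts values in the sample are constructed to exercise the precedence rule.

```python
# Added example (not the IN2 appliance's own code): a small model of the
# firewall properties documented above. Property names, defaults and the
# port/host syntax follow the page; the iptables rendering is an assumed
# illustration of the same policy, not the appliance's actual rule script.
import ipaddress

PROTO_NUMBERS = {"tcp": 6, "udp": 17}   # IANA protocol numbers


def parse_hosts(value):
    """allowed_hosts / denied_hosts: hosts or subnets separated by spaces or commas.
    Accepts the 192.168.1.2, 192.168.1.0/24 and 192.168.2.0/255.255.255.0 forms."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]


def parse_ports(value):
    """ifaceN_port: comma/space separated ports and lo:hi or lo-hi ranges.
    Returns a list of (lo, hi) tuples; a bare 0 yields no range, because its
    meaning differs per interface and the caller interprets the empty result."""
    ranges = []
    for tok in value.replace(",", " ").split():
        sep = ":" if ":" in tok else ("-" if "-" in tok else None)
        if sep:
            lo, hi = (int(p) for p in tok.split(sep, 1))
        else:
            lo = hi = int(tok)
        if lo == 0 and hi == 0:
            continue
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {tok}")
        ranges.append((lo, hi))
    return ranges


def parse_ifaces(props):
    """Enabled interfaces as (protocol_number, port_ranges). port_ranges None
    means 'no port check', which only iface4 can express (iface4_port = 0)."""
    ifaces = []
    for n in (1, 2, 3):
        proto = props.get(f"iface{n}_protocol", "tcp" if n == 1 else "none")
        ports = parse_ports(props.get(f"iface{n}_port", "80" if n == 1 else "0"))
        if proto == "none" or not ports:      # port 0 disables iface1..3
            continue
        if proto not in PROTO_NUMBERS:
            raise ValueError(f"iface{n}_protocol must be none, tcp or udp")
        ifaces.append((PROTO_NUMBERS[proto], ports))
    proto4 = int(props.get("iface4_protocol", "0"))
    if proto4:
        ports4 = parse_ports(props.get("iface4_port", "0"))
        if proto4 not in PROTO_NUMBERS.values() and ports4:
            raise ValueError("iface4_port must be 0 for protocols without ports")
        ifaces.append((proto4, ports4 or None))   # 0 -> any port
    return ifaces


def is_allowed(props, src_ip, proto_number, port=None):
    """Decision for one inbound packet in the documented order: denied_hosts
    first, then allowed_hosts, then the protocol/port filters."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in parse_hosts(props.get("denied_hosts", ""))):
        return False
    if not any(src in net for net in parse_hosts(props.get("allowed_hosts", "0.0.0.0/0"))):
        return False
    for proto, ranges in parse_ifaces(props):
        if proto != proto_number:
            continue
        if ranges is None or (port is not None and
                              any(lo <= port <= hi for lo, hi in ranges)):
            return True
    return False


def iptables_rules(props):
    """Assumed rendering of the policy as iptables commands: default DROP,
    explicit drops for denied_hosts first, then one ACCEPT per allowed
    network and enabled interface."""
    rules = ["iptables -P INPUT DROP"]
    for net in parse_hosts(props.get("denied_hosts", "")):
        rules.append(f"iptables -A INPUT -s {net} -j DROP")
    for net in parse_hosts(props.get("allowed_hosts", "0.0.0.0/0")):
        for proto, ranges in parse_ifaces(props):
            if ranges is None:
                rules.append(f"iptables -A INPUT -s {net} -p {proto} -j ACCEPT")
                continue
            for lo, hi in ranges:
                dport = str(lo) if lo == hi else f"{lo}:{hi}"
                rules.append(f"iptables -A INPUT -s {net} -p {proto} "
                             f"--dport {dport} -j ACCEPT")
    return rules


# Constructed sample: the page's "Advanced Firewall" example plus host lists
# (the host lists are invented here to exercise the precedence rule).
ADVANCED = {
    "ip_addr": "192.168.1.1", "netmask": "255.255.255.0", "gateway": "192.168.1.254",
    "iface1_protocol": "tcp", "iface1_port": "80",
    "iface2_protocol": "tcp", "iface2_port": "443",
    "iface3_protocol": "tcp", "iface3_port": "1723",
    "iface4_protocol": "47", "iface4_port": "0",
    "allowed_hosts": "192.168.1.0/24, 10.0.0.0/255.0.0.0",
    "denied_hosts": "10.0.0.99",
}

if __name__ == "__main__":
    for rule in iptables_rules(ADVANCED):
        print(rule)
    print(is_allowed(ADVANCED, "10.0.0.99", 6, 80))   # denied wins over allowed
```

Running the module prints the assumed rule set for the Advanced Firewall example; `is_allowed` is the part worth keeping in a pre-deployment check, since it answers concrete questions such as whether a GRE packet from an allowed subnet passes (it does, because iface4_port 0 skips the port check) or whether a host listed in both host lists is let in (it is not).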
Open source and 3rd party software used inside of the appliance
IN2 uses the following open source and 3rd party packages in addition to its base install of Busybox OS.
| Software | Version | Modified | License | Notes |
| busybox | 1.13.4 | No | GPLv2 | homepage |
| openssh | 5.2p1 | No | BSD | homepage |
| bash | 3.1-16.1 | No | GPLv2 | N/A |
| coreutils | 5.97-12.1.el5 | No | GPLv2 | N/A |
| curl | 7.15.5-2.1.el5_3.5 | No | MIT | N/A |
| dhclient | 3.0.5-7.el5 | No | ISC | N/A |
| e2fsprogs-libs | 1.39-8.el5 | No | GPLv2 | N/A |
| glibc | 2.5-12.2 | No | LGPLv2.1 | N/A |
| grep | 2.5.1-54.2.el5 | No | GPLv2 | N/A |
| initscripts | 8.45.14.EL-1.el5.centos.1 | No | GPLv2 | N/A |
| iproute | 2.6.18-4.el5 | No | GPLv2 | N/A |
| iptables | 1.3.5-1.2.1 | No | GPLv2 | N/A |
| iputils | 20020927-43.el5 | No | BSD | N/A |
| krb5-libs | 1.5-23 | No | MIT | N/A |
| libidn | 0.6.5-1.1 | No | GPLv2 | N/A |
| libtermcap | 2.0.8-46.1 | No | LGPLv2.0 | N/A |
| mingetty | 1.07-5.2.2 | No | GPLv2 | N/A |
| module-init-tools | 3.3-0.pre3.1.16.el5 | No | GPLv2 | N/A |
| openssl | 0.9.8b-8.3.el5 | No | BSD | N/A |
| pcre | 6.6-1.1 | No | BSD | N/A |
| perl | 5.8.8-10 | No | Artistic | N/A |
| procps | 3.2.7-8.1.el5 | No | GPLv2 | N/A |
| strace | 4.5.15-1.el5 | No | BSD | N/A |
| SysVinit | 2.86-14 | No | GPLv2 | N/A |
| tcpdump | 3.9.4-11.el5 | No | BSD | N/A |
| wget | 1.10.2-7.el5 | No | GPLv2 | N/A |
| zlib | 1.2.3-3 | No | zlib | N/A |
To see the full list of open source packages used in this appliance, please see its implementation design.
Related Documents
Questions and Comments
To post a question or comment on this appliance, visit our forum.
-- AndriyMayevskyy - 27 Jul 2009
Copyright © 2005-2010 3tera, Inc. All Rights Reserved.