r9 - 28 Feb 2010 - 16:03:35 - EricT
ALERT! AppLogic 2.7/2.8 Documentation The latest production release is AppLogic 2.8.9

NET2 - Subnet Output Gateway Appliance

Latest version: 1.0.5-1

(image: net.png)

At a Glance

Catalog             System
Category            Beta
User volumes        no
Min. memory         64 MB
OS                  Linux
Constraints         no
Questions/Comments  Ask Forum

Functional overview

ALERT! NET2 is not available in AppLogic 2.8+. Please use NET instead.

NET2 is an output gateway that provides outgoing access to a network outside of an application. NET2 accepts traffic from the application on its in terminal and forwards it through its external interface to the outside network (e.g., the Internet).

NET2 has a firewall that allows only outgoing traffic (connections and datagrams); it drops incoming traffic that is not for an already established connection or related to a datagram request. NET2 can be configured to further limit the set of IP addresses reachable through it.

NET2 serves as a default network gateway and DNS server for the appliance(s) connected to its in terminal.
ALERT! Only gateway output terminals should be connected to NET2's in terminal.

NET2 is used for accessing services outside of an application whose host names are determined at runtime (e.g., mail server addresses obtained from MX DNS records or search engine bots that need to traverse the web).

If the log terminal is connected then NET2 logs via the log terminal to a remote syslog server.

NET2 is implemented using BusyBox to provide a small and efficient environment tailored to support its functionality. It boots from a read-only volume and uses a 2MB ramdisk to store files which change during boot or run time.

ALERT! Please note: the log terminal is not used for storing logs on a mounted cifs file system, but rather for sending logging messages to a remote syslog server. In the future other AppLogic appliances will be updated to log via their log terminals to a remote syslog server.

Boundary

Resources

Resource   Minimum  Maximum    Default
CPU        0.05     4          0.05
Memory     64 MB    2 GB       64 MB
Bandwidth  1 Mbps   2000 Mbps  200 Mbps

Terminals

Name  Dir  Protocol  Description
in    in   any       Accepts all incoming traffic
log   out  syslog    Sends logging messages using the syslog protocol. This terminal may be left unconnected if it is not used.
mon   out  cce       Output for performance and resource usage statistics

ALERT! Please note: the log terminal is not used for storing logs on a mounted cifs file system, but rather for sending logging messages to a remote syslog server.

The external interface is enabled. It is used for outgoing traffic. Its network settings are configured through properties.

The default interface is enabled. It is used for maintenance (incoming ssh connections).

Boot volume

The NET2 appliance is based on a custom Linux distribution with a read-only boot volume and inherits its file system layout. Almost all files reside on the boot volume. Files or folders that need to be modified either reside on a RAM drive or are symbolic links to the RAM drive.
ALERT! Any changes applied to an instance of the NET2 appliance will be lost after appliance stop or restart.

User Volumes

None

Properties

Property name  Type        Description
ip_addr        IP Address  IP address of the external interface. This property is mandatory.
netmask        IP Address  Network mask for the network on which ip_addr resides. This property is mandatory.
gateway        IP Address  IP network gateway (router) used for all outgoing traffic to the external network via ip_addr. If left empty, only hosts on the same subnet as ip_addr/netmask are accessible. Default: empty.
dns1           IP Address  IP address of the primary DNS server used for host name resolution. If left empty, NET2 uses the root DNS servers. Default: empty.
dns2           IP Address  IP address of the backup DNS server used for host name resolution. If left empty, NET2 does not use a backup DNS server. Default: empty.
allowed_hosts  String      List of hosts and/or subnets to be accessible through NET2. Separate multiple entries with spaces or commas. Supported format example: 192.168.1.2 192.168.1.0/24 192.168.2.0/255.255.255.0. Default: 0.0.0.0/0 (all allowed)
denied_hosts   String      List of hosts and/or subnets to which access is denied. The format is the same as for allowed_hosts. Default: empty (none denied)

Error Messages

The following messages may appear in either the appliance log file or the system log of the grid controller when the appliance fails to start:

  • iptables failed to start
  • named service failed to start
  • Failed to set up rules (exit code code); using backup rule set
  • Failed to set up backup rule set (exit code code)

Typical Usage

The following diagram shows a typical usage of NET2 for a simple mail server application that accesses the Internet for mail forwarding using NET2:

net_usage.png

Summary of Parts

  • in - input gateway appliance, class IN
  • web - SMTP server appliance, class WEB5
  • net - output gateway appliance, class NET2

in passes client web requests arriving from outside the application to the web server. web serves static content by itself; for dynamic content, scripts that run in web access some external web sites through the net gateway. Requests to external web sites are sent in two steps: first a DNS request for the target server, then the request to that server itself. The net gateway forwards the DNS request from the web server to the specified DNS server and makes the connection to the target server.

The following sections describe the configuration of net in several typical use cases:

Unrestricted access to standard domains

In this mode, NET2 is configured in a way very similar to a regular network gateway (e.g., for connecting a LAN to the Internet via ISP).

Example:

Property name  Value          Description
ip_addr        192.168.1.12   IP address of the external interface.
netmask        255.255.255.0  Network mask for the external interface.
gateway        192.168.1.1    Gateway for the external interface.
dns1           192.168.1.2    Primary DNS server.
dns2           192.168.2.1    Backup DNS server.

IDEA! Many companies have internal domains that can be resolved only through their private DNS servers (e.g., .local or .localdomain). To use such domains, configure the dns1 and dns2 properties to point to those private DNS servers. Also see the possible hosts restrictions feature below.

Unrestricted access to standard domains using the root DNS servers

In this mode, NET2 does not need specific DNS servers and uses a set of preconfigured Internet root servers.

Example:

Property name  Value          Description
ip_addr        192.168.1.12   IP address of the external interface.
netmask        255.255.255.0  Network mask for the external interface.
gateway        192.168.1.1    Gateway for the external interface.

ALERT! In this mode, NET2 needs access to the root DNS servers (otherwise NET2 will fail all DNS queries). The gateway property must be specified.

Restricted access to private domains

In this mode, NET2 is restricted to accessing only specified networks, allowing and denying specific hosts and subnetworks.

Example:

Property name  Value                          Description
ip_addr        192.168.1.12                   IP address of the external interface.
netmask        255.255.255.0                  Network mask for the external interface.
gateway        192.168.1.1                    Gateway for the external interface.
dns1           192.168.1.2                    Primary DNS server.
dns2           192.168.2.1                    Backup DNS server.
allowed_hosts  192.168.1.0/24 192.168.2.0/24  Allowed subnets.
denied_hosts   192.168.1.4 192.168.2.4        These IP addresses will not be reachable.

ALERT! In this mode, the DNS servers must be within the set of allowed hosts.

Notes

  • In general, the only type of output terminal that should be connected to NET2's in terminal is a gateway output. These outputs differ from regular outputs by acting as "default gateways" for their appliances, allowing connections to multiple hosts (as opposed to the single-host access provided by regular outputs). Gateway outputs are shown visually with a blue square in the terminal shape, while regular outputs are shown with red arrows; see the usage example above.

  • Connecting a regular output to the NET2 gateway will provide only DNS resolutions. This is a valid use of the NET2 gateway (essentially as a DNS resolution service).

  • If a host is present, directly or as part of a subnet, both in the allowed_hosts and in the denied_hosts lists, NET2 will deny access to that host. NET2 first rejects all denied hosts and then allows only those in allowed hosts (standard security practice).

  • If your application needs access only to a particular host (e.g., ftp.3tera.com) rather than to a whole network, it is better to use the OUT2 gateway appliance.

  • NET2 is not used for providing incoming requests to an application. Incoming requests can be handled using the IN2 gateway appliance.
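
As an added illustration (not code from the appliance or from the original page), the following Python models the host-list format of allowed_hosts/denied_hosts and the deny-first evaluation described in the note above, and checks the restricted-access example's DNS servers against that policy. The functions parse_host_list, is_reachable and blocked_dns_servers, and the treatment of an empty allowed_hosts as the documented default 0.0.0.0/0, are assumptions of this example, not the appliance's own iptables rule set.

```python
import ipaddress

# Constructed from the "Restricted access to private domains" example above.
RESTRICTED_EXAMPLE = {
    "dns1": "192.168.1.2",
    "dns2": "192.168.2.1",
    "allowed_hosts": "192.168.1.0/24 192.168.2.0/24",
    "denied_hosts": "192.168.1.4 192.168.2.4",
}


def parse_host_list(value):
    """Parse an allowed_hosts/denied_hosts value into IPv4 networks.

    Entries are separated by spaces or commas and may be a bare address,
    prefix-length CIDR (192.168.1.0/24) or a dotted netmask
    (192.168.2.0/255.255.255.0). An empty value yields an empty list.
    """
    nets = []
    for entry in value.replace(",", " ").split():
        # ip_network accepts both "/24" and "/255.255.255.0" suffixes;
        # strict=False tolerates host bits set in the network address.
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_reachable(host, allowed_hosts, denied_hosts):
    """Deny-first policy as the Notes describe: a host in denied_hosts is
    blocked even if allowed_hosts also covers it; otherwise it must match
    allowed_hosts. An empty allowed_hosts is treated as the documented
    default 0.0.0.0/0 (assumption of this example)."""
    addr = ipaddress.ip_address(host)
    allowed = parse_host_list(allowed_hosts) or [ipaddress.ip_network("0.0.0.0/0")]
    if any(addr in net for net in parse_host_list(denied_hosts)):
        return False
    return any(addr in net for net in allowed)


def blocked_dns_servers(props):
    """Return the configured dns1/dns2 servers the policy would block, i.e.
    the misconfiguration the ALERT under the restricted example warns about."""
    blocked = []
    for key in ("dns1", "dns2"):
        server = props.get(key, "")
        if server and not is_reachable(server, props.get("allowed_hosts", ""),
                                       props.get("denied_hosts", "")):
            blocked.append(server)
    return blocked
```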

Open source and 3rd party software used inside of the appliance

NET2 uses the following open source and 3rd party packages in addition to its base install of Busybox OS.

Software           Version                    Modified  License       Notes
busybox            1.13.4                     No        GPLv2         homepage
openssh            5.2p1                      No        BSD           homepage
bind               9.3.4-10.P1                No        ISC license   downloads page
bind-libs          9.3.4-10.P1                No        ISC license   downloads page
bash               3.1-16.1                   No        GPLv2         N/A
coreutils          5.97-12.1.el5              No        GPLv2         N/A
curl               7.15.5-2.1.el5_3.5         No        MIT           N/A
dbus-libs          1.1.2-12                   No        GPLv2         N/A
dhclient           3.0.5-7.el5                No        ISC license   N/A
e2fsprogs-libs     1.39-8.el5                 No        GPLv2         N/A
glibc              2.5-12.2                   No        LGPLv2.1      N/A
grep               2.5.1-54.2.el5             No        GPLv2         N/A
initscripts        8.45.14.EL-1.el5.centos.1  No        GPLv2         N/A
iproute            2.6.18-4.el5               No        GPLv2         N/A
iptables           1.3.5-1.2.1                No        GPLv2         N/A
iputils            20020927-43.el5            No        BSD           N/A
krb5-libs          1.5-23                     No        MIT           N/A
libcap             1.10-26                    No        BSD or GPLv2  N/A
libidn             0.6.5-1.1                  No        LGPLv2.1      N/A
libtermcap         2.0.8-46.1                 No        LGPLv2.1      N/A
mingetty           1.07-5.2.2                 No        GPLv2         N/A
module-init-tools  3.3-0.pre3.1.16.el5        No        GPLv2         N/A
openssl            0.9.8b-8.3.el5             No        BSD           N/A
pcre               6.6-1.1                    No        BSD           N/A
perl               5.8.8-10                   No        Artistic      N/A
procps             3.2.7-8.1.el5              No        GPLv2         N/A
strace             4.5.15-1.el5               No        BSD           N/A
SysVinit           2.86-14                    No        GPLv2         N/A
tcpdump            3.9.4-11.el5               No        BSD           N/A
wget               1.10.2-7.el5               No        GPLv2         N/A
zlib               1.2.3-3                    No        zlib          N/A

To see the full list of open source packages used in this appliance, please see its implementation design.

Related Documents

Questions and Comments

IDEA! To post a question or comment on this appliance, visit our forum.

-- Main.AndriyMayevskyy - 27 Jul 2009

Copyright © 2005-2010 3tera, Inc. All Rights Reserved.