Cornell University

Firewall Rules on Linux Managed Servers

Firewall rules for managed Linux servers, best practices, and how to get assistance. 

This article applies to: Managed Servers

Linux firewall rules can be applied in two ways:

Best Practice: Standardize Rules using Classes of Servers

When planning firewall rules for your servers, it's helpful to use classes (groups of servers). For example, placing a set of Dev/Test/Prod servers in one class means you can apply firewall rule changes to the entire class and keep all of the configurations for that group identical. 

Using classes for firewall rules can greatly reduce inconsistencies between environments, leading to fewer problems with deployment. See the Server Farm Account Management page for more information about classes.

To see a list of classes on a server and firewall rules applied to those classes, connect to the Centralized Unix Configuration Information System at https://unixcfg.serverfarm.cornell.edu/.

Request a Firewall Rule

Send an email to systems-support@cornell.edu. Include the following:

  • Server information
    • If using classes, provide the class name.
    • For an individual server, provide the server name and, if the host is multi-homed, the specific IP addresses.
  • Remote IP address or range of addresses.
  • Port number(s) that need to be opened.

Access Control Lists (ACLs) and Network Firewalls

In addition to firewall rules on the server, network Access Control Lists (ACLs) or network firewalls may also need to be modified. The Systems Support group will adjust ACLs and Extra Tier firewall rules if required.

For ACLs or firewalls on the remote machines, coordinate with the people responsible on that end.
