ORNL Firewall Configuration (SAFER)

In some cases, a customer may want to run a service on their VM Instance that should be available outside of ORNL's network (e.g., SSH, a web server, a GitLab service, Docker). This requires an exception in ORNL's firewall. The procedure below shows how to set up a firewall exception for a service running on your VM Instance.

If you have further questions about getting your ORNL (SAFER) firewall rules in place, e-mail the SAFER team directly at cybersoc@ornl.gov.

If you wish to run services on your VM Instance that should be available outside of ORNL's network, ensure that you select the External Network option when setting up your VM Instance and that you also add a rule to your Security Group for that particular service. Read more about the CADES Cloud network design here.

Prohibited Ports

Requests to allow external access to certain ports require additional consideration. For those listed here, provide justification in the SAFER request; unless justification is provided, such requests may be denied.

Request a Firewall Exception

For the purposes of this procedure, we will set up an exception for a web server running on port 80.

  1. Navigate to https://safer.ornl.gov.
  2. Log in to the SAFER interface using your UCAMS credentials.
  3. Click + New Request at the top left of the screen.
  4. On the resulting page, choose ORNL SAFER Request.
  5. In the resulting request dialog, we need to fill out the following fields:
    • Subject – A simple subject will do. We're going with VM web server.
    • Authorization – Set to None.
    • Change Request Justification – Provide the reason for your firewall exception.
    • Expires – Leave this blank to make this exception indefinite. Otherwise, choose a date for the exception to expire.
    • Source – The source IP or IP range (with CIDR notation if range) of the server for which you would like to make an exception. We're going to use the single IP address of our VM Instance,
    • Destination – For this example, we're going to make the source and the destination the same IP address,
    • Service – This can be formatted using the protocol/port (e.g., TCP/80) or you can choose from a list of common multi-port services in the drop-down menu. We're using TCP/80.
    • Service Name – User-defined name of the rule. We're calling ours blackmesa_web.
  6. Once filled out, click Next to submit your request.

You will receive an e-mail confirmation of your request. You can also view the status of your exception request at any time by logging into the SAFER interface.
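
The dialog above has no validation beyond what SAFER itself does when you click Next, so it helps to check the values before submitting. The following is an added example, not part of the CADES documentation and not SAFER's own code: a small pre-flight check for the request fields described in step 5. The field names (subject, justification, expires, source, destination, service, service_name) are assumed from the dialog labels, the PROTOCOL/PORT format follows the TCP/80 example above, and the sample IP address is a constructed value from the 203.0.113.0/24 documentation range rather than a real VM Instance address.

```python
# Added example: pre-flight check of SAFER request field values.
# Not CADES or SAFER code; field names and formats are assumptions from the dialog.
import ipaddress
from datetime import date

# Assumption: single-port services are written PROTOCOL/PORT (e.g. TCP/80).
# Multi-port services chosen from the drop-down are not modelled here.
ALLOWED_PROTOCOLS = {"TCP", "UDP"}

# Constructed sample request mirroring the walkthrough above (IP is from the
# 203.0.113.0/24 documentation range, not a real instance).
EXAMPLE_REQUEST = {
    "subject": "VM web server",
    "authorization": "None",
    "justification": "Public web server for project documentation",
    "expires": "",                 # blank = indefinite exception
    "source": "203.0.113.10",      # single VM Instance address
    "destination": "203.0.113.10", # same host, as in the walkthrough
    "service": "TCP/80",
    "service_name": "blackmesa_web",
}


def parse_service(service):
    """Parse 'TCP/80' into ('TCP', 80); raise ValueError if malformed."""
    proto, sep, port = service.strip().partition("/")
    if not sep:
        raise ValueError(f"{service!r} is not in PROTOCOL/PORT form")
    proto = proto.upper()
    if proto not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port {port!r} is not in 1-65535")
    return proto, int(port)


def parse_address(value):
    """Accept a single IP ('203.0.113.10') or a CIDR range ('203.0.113.0/24')."""
    return ipaddress.ip_network(value.strip(), strict=False)


def parse_expiry(value, today):
    """Blank means indefinite; otherwise an ISO date (YYYY-MM-DD) in the future."""
    if not value.strip():
        return None
    expires = date.fromisoformat(value.strip())
    if expires <= today:
        raise ValueError(f"expiry {expires} is not in the future")
    return expires


def validate_request(req, today=None):
    """Return a list of problems; an empty list means the request looks complete."""
    today = today or date.today()
    problems = []
    for field in ("subject", "justification", "service_name"):
        if not req.get(field, "").strip():
            problems.append(f"{field}: required")
    try:
        parse_service(req.get("service", ""))
    except ValueError as exc:
        problems.append(f"service: {exc}")
    for field in ("source", "destination"):
        try:
            net = parse_address(req.get(field, ""))
            # A /0 matches every address; worth catching before a reviewer does.
            if net.prefixlen == 0:
                problems.append(f"{field}: {net} matches every address")
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
    try:
        parse_expiry(req.get("expires", ""), today)
    except ValueError as exc:
        problems.append(f"expires: {exc}")
    return problems


if __name__ == "__main__":
    for problem in validate_request(EXAMPLE_REQUEST) or ["request looks complete"]:
        print(problem)
```

Run it once against your own values before opening the SAFER dialog; a malformed service string or a source written as a bare range without CIDR notation is caught locally instead of coming back as a rejected request.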

Related Tutorials