NET2 - Subnet Output Gateway Appliance

Reference Information › Appliance Catalog Reference Guide › System Catalog › Gateways › NET2 - Subnet Output Gateway Appliance

NET2 - Subnet Output Gateway Appliance

Latest version: 1.0.3-1


At a Glance
Catalog	System
Category	Gateways
User Volumes	no
Minimum Memory	96 MB
OS	Linux
Constraints	no
Questions/Comments	Ask Forum

Functional Overview

NET2 is an output gateway that provides outgoing access to a network outside of an application. NET2 accepts traffic from the application on its in terminal and forwards it through its out terminal to the outside network (e.g., the Internet).

NET2 has a firewall that allows only outgoing traffic (connections and datagrams); it drops incoming traffic that is not for an already established connection or related to a datagram request. NET2 can be configured to further limit the set of IP addresses reachable through it.

NET2 serves as a default network gateway and DNS server for the appliance(s) connected to its in terminal.

Note:Only gateway output terminals should be connected to NET2s in terminal.

NET2 is used for accessing services outside of an application whose host names are determined at runtime (e.g., mail server addresses obtained from MX DNS records or search engine bots that need to traverse the web).

Boundary

Resources

Resource	Minimum	Maximum	Default
CPU	0.05	4	0.05
Memory	96 MB	2 GB	96 MB
Bandwidth	1 Mbps	2000 Mbps	200 Mbps

Terminals

Name	Direction	Protocol	Description
in	in	any	Accepts all incoming traffic
out	out	any	Forwards all traffic to the outside network, such as the Internet
mon	out	cce	Output for performance and resource usage statistics

The out terminal is used for outbound traffic. This terminal is configured via the Interfaces tab of Application Configuration Editor.

The default interface is enabled. It is used for maintenance (incoming ssh connections).

User Volumes

None

Properties

Name	Type	Description
dns1	ip_addr	Defines the primary DNS server. It can remain blank if the remote host is specified by its IP address; must be specified otherwise. Default: blank.
dns2	ip_addr	Defines the backup DNS server, which is used if the primary DNS server does not respond. Default: ( empty )
allowed_hosts	string	List of hosts and/or subnets to be accessible through NET. Separate multiple entries with spaces or commas. For example: 192.168.1.2 192.168.1.0/24 192.168.2.0/255.255.255.0. Default: 0.0.0.0/0 (all allowed)
denied_hosts	string	List of hosts and/or subnets to which access will be denied. The format is identical to allowed_hosts. Default: ( empty ) (none denied)

Error Messages

The following messages may appear in either the appliance log file or the system log of the grid controller when the appliance fails to start:

iptables failed to start
named service failed to start
Failed to set up rules (exit code code); using backup rule set
Failed to set up backup rule set (exit code code)

Typical Usage

The following diagram shows a typical usage of NET2 for a simple mail server application that accesses the Internet for mail forwarding using NET2:

Summary of Parts

in2 - input gateway appliance, class IN2
mailman - SMTP server appliance, class MTA
net2 - output gateway appliance, class NET2

in2 passes inbound connections to the mailman server. mailman serves the mail request and sends outbound mail through net2 gateway. The mail is sent in two steps for each message: first, sending a DNS request for the target mail server and then sending the message to that server . The net2 gateway forwards the DNS request from the mailman server to the specified DNS server and makes the connection to the target mail server.

The following sections describe the configuration of NET2 in several typical use cases:

Unrestricted access to standard domains

In this mode, NET2 is configured in a way very similar to a regular network gateway (e.g., for connecting a LAN to the Internet via ISP).

Example:

A valid IP address has to be configured for out teminal from the pool of available IP addresses provided by the Grid Controller. Netmask and Gateway for the out terminal will be taken automatically from the Grid Controller.

Property Name	Value	Description
dns1	192.168.1.2	Primary DNS server
dns2	192.168.1.2	Backup DNS server

Note:Many companies have internal domains that can be resolved only through their private DNS servers (e.g., .local or .localdomain). To use such domains, configure the dns1 and dns2 properties to point to those private DNS servers. Also see the possible hosts restrictions feature below.

Unrestricted access to standard domains using the root DNS servers.

In this mode, NET2 does not need specific DNS servers and uses a set of preconfigured Internet root servers.

Example:

In this mode, NET2 needs access to the root DNS servers (otherwise NET2 will fail all DNS queries).

Unrestricted access to standard domains using the root DNS servers.

In this mode, NET2 does not need specific DNS servers and uses a set of preconfigured Internet root servers.

Example:

Important! In this mode, NET2 needs access to the root DNS servers (otherwise NET2 will fail all DNS queries).

Restricted access to private domains

In this mode, NET2 is restricted to accessing only specified networks, allowing and denying specific hosts and subnetworks.

Example:

Property Name	Value	Description
dns1	192.168.1.2	Primary DNS server
dns2	192.168.1.2	Backup DNS server
allowed_hosts	192.168.1.0/24 192.168.2.0/24	Allowed subnet
denied_hosts	192.168.1.0/24 192.168.2.0/24	IP addresses will not be reachable

Note: In this mode, the DNS servers must be within the set of allowed hosts.

Notes

In general, the only type of output terminal that should be connected to NET2 in terminal is a gateway output. These outputs differ from regular outputs by acting as "default gateways" for their appliances, allowing connections to multiple hosts (as opposed to the single-host access provided by regular outputs). Gateway outputs are shown visually with a blue square in the terminal shape, while regular outputs are shown with red arrows; see the usage example above.

For more information on the output terminal types, refer to the ADL Language Reference Guide .

Connecting a regular output to the NET2 gateway will provide only DNS resolutions. This is a valid use of the NET2 gateway (essentially as a DNS resolution service).
If a host is present, directly or as part of a subnet, both in the allowed_hosts and in the denied_hosts lists, NET2 will deny access to that host. NET2 first rejects all denied hosts and then allows only those in allowed hosts (standard security practice).
If your application doesn't need access to a whole network but to a particular host (e.g., ftp.CA.com), it is better to use the OUT2 gateway appliance.
NET2 is not used for providing incoming requests to an application. Incoming request can be handled using the IN2 gateway appliance.

Open source and 3rd party software used inside the appliance

NET2 uses the following third party and open source packages in addition to those used by its base class LUX6 .

Software	Version	Modified	License	Notes
bind	9.8.2-0.10.rc1.el6_3.2	No	ISC	downloads page
bind-libs	9.8.2-0.10.rc1.el6_3.2	No	ISC	downloads page
iptables	1.4.7-5.1.el6_2	No	GPLv2	homepage
audit-libs	2.2-2	No	GPLv2	--
audit-libs-python	2.2-2	No	GPLv2	--
dbus	1.2.24-5.el6_1	No	AFLv2.1	--
dbus-libs	1.2.24-5.el6_1	No	GPLv2	--
libselinux-python	2.0.94-5.3	No	Public domain	--
libselinux-python	2.0.94-5.3	No	Public domain	--
libselinux-utils	2.0.94-5.3	No	Public domain
libsemanage	2.0.43-4.1	No	GPLv2	--
libsepol	2.0.41-4	No	LGPLv2.1	--
policycoreutils	2.0.83-19.24	No	GPLv2	--