ReAssure Firewall
The function of the firewall is to:
- Provide an additional line of containment, should the virtual machine and host OS of experimental PCs be compromised.
- Protect communications between the control interface of the experimental PCs and the image or web servers from outside interference (e.g., ARP man-in-the-middle attacks).
- Prevent some forms of IP spoofing by performing ingress and egress filtering.
- The control interface of experimental PCs CANNOT initiate connections with computers outside. The firewall drops all TCP SYN packets, and all UDP packets, from experimental PCs. This doesn't prevent outside computers from establishing connections to experimental PCs, for ssh or vnc purposes. Note that compromised experimental PCs could still perform some forms of scanning, RST attacks or brute force DoS by bandwidth consumption.
- All UDP packets are dropped (VNC does not use UDP).
- All ICMP packets are dropped, except pings to the image server. Yes, it breaks the TCP/IP standards. Traceroute, as well as path MTU discovery, will still work with the image server, so sftp should proceed well. We feel that ICMP presents more security risks than real advantages and is inadequate in this secure context; moreover, path MTU discovery is just an optimization. Your routers should be powerful enough by now to handle packet fragmentation for the few pages served from the web server, if it is ever needed.
- Only TCP and ARP packets are allowed, subject to the following rules.
- ARP request packets that aren't broadcasts are dropped. Some machines that use directed ARP requests to freshen their cache will temporarily be unhappy, but they should revert to using a broadcast when they get no answer from the directed request.
- ARP request packets coming on the outside interface but with a query IP address belonging to outside networks are dropped.
- ARP request packets coming on the outside interface but with a source IP address belonging to the inside network are dropped.
- ARP request packets coming on the inside interface but with a query IP address belonging to the inside network are dropped.
- ARP request packets coming on the inside interface but with a source IP address belonging to the outside network are dropped.
- ARP response packets coming on the outside interface but with a response IP address belonging to the inside network are dropped.
- ARP response packets coming on the inside interface but with a response IP address belonging to outside networks are dropped.
- TCP packets coming on the outside interface but with a source IP address belonging to the inside network are dropped.
- TCP packets coming from the inside interface but with a source IP address belonging to the outside networks are dropped.
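The rule set above is easier to audit when it is written down as a single decision function and exercised against concrete packets. The following is an added illustration, not the testbed's own firewall code: it models every rule on this page (the SYN/UDP/ICMP policy, the ARP sanity checks and the TCP anti-spoofing checks) as a Python function over a constructed packet record. The inside prefix, the image-server address, the interface names and the Packet fields are assumptions made for the example; the page does not give the real addressing. One interpretation is also marked: the page only says "pings to the image server" are allowed, so letting the echo reply come back from the image server is an assumption needed for a ping to complete.

```python
"""Executable model of the ReAssure firewall policy described above.

Added example, not the project's own code. Addresses, interface names and
the Packet record are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INSIDE_NET = ip_network("10.10.0.0/24")    # assumed: experimental PC control interfaces
IMAGE_SERVER = ip_address("192.0.2.10")    # assumed: image server, reached via the outside interface
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


@dataclass
class Packet:
    iface: str                          # interface the packet arrived on: "inside" or "outside"
    proto: str                          # "arp", "tcp", "udp", "icmp", or anything else
    src_ip: Optional[str] = None        # IP header source, or the ARP sender protocol address
    dst_ip: Optional[str] = None        # IP header destination
    dst_mac: str = BROADCAST_MAC        # Ethernet destination address
    syn_only: bool = False              # TCP: SYN set and ACK clear, i.e. a new connection attempt
    icmp_type: Optional[int] = None
    arp_op: Optional[str] = None        # "request" or "reply"
    arp_ip: Optional[str] = None        # request: the queried IP; reply: the IP being answered for


def is_inside(ip: Optional[str]) -> bool:
    """True if the address belongs to the inside (experimental PC) network."""
    return ip is not None and ip_address(ip) in INSIDE_NET


def _filter_arp(p: Packet) -> Tuple[str, str]:
    if p.arp_op == "request":
        if p.dst_mac != BROADCAST_MAC:
            return "DROP", "directed (non-broadcast) ARP request"
        if p.iface == "outside" and not is_inside(p.arp_ip):
            return "DROP", "outside request querying an outside address"
        if p.iface == "outside" and is_inside(p.src_ip):
            return "DROP", "outside request claiming an inside sender"
        if p.iface == "inside" and is_inside(p.arp_ip):
            return "DROP", "inside request querying an inside address"
        if p.iface == "inside" and not is_inside(p.src_ip):
            return "DROP", "inside request claiming an outside sender"
        return "ACCEPT", "ARP request"
    if p.arp_op == "reply":
        if p.iface == "outside" and is_inside(p.arp_ip):
            return "DROP", "outside reply answering for an inside address"
        if p.iface == "inside" and not is_inside(p.arp_ip):
            return "DROP", "inside reply answering for an outside address"
        return "ACCEPT", "ARP reply"
    return "DROP", "unknown ARP operation"


def _filter_tcp(p: Packet) -> Tuple[str, str]:
    # Ingress/egress anti-spoofing: the source address must match the side it came from.
    if p.iface == "outside" and is_inside(p.src_ip):
        return "DROP", "inside source address arriving on the outside interface"
    if p.iface == "inside" and not is_inside(p.src_ip):
        return "DROP", "outside source address arriving on the inside interface"
    # Experimental PCs may answer connections but never open them.
    if p.iface == "inside" and p.syn_only:
        return "DROP", "connection attempt initiated by an experimental PC"
    return "ACCEPT", "TCP"


def _filter_icmp(p: Packet) -> Tuple[str, str]:
    if p.icmp_type == ICMP_ECHO_REQUEST and p.dst_ip and ip_address(p.dst_ip) == IMAGE_SERVER:
        return "ACCEPT", "ping to the image server"
    # Assumed: the matching echo reply from the image server is let back through.
    if p.icmp_type == ICMP_ECHO_REPLY and p.src_ip and ip_address(p.src_ip) == IMAGE_SERVER:
        return "ACCEPT", "ping reply from the image server (assumed)"
    return "DROP", "ICMP other than pings to the image server"


def filter_packet(p: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet under the page's rule set."""
    if p.proto == "udp":
        return "DROP", "UDP is never forwarded"
    handlers = {"arp": _filter_arp, "tcp": _filter_tcp, "icmp": _filter_icmp}
    handler = handlers.get(p.proto)
    if handler is None:
        return "DROP", f"protocol {p.proto!r} is not permitted"
    return handler(p)


if __name__ == "__main__":
    # Constructed sample traffic: an ssh session to an experimental PC, and a few abuses.
    samples = [
        Packet("outside", "tcp", src_ip="198.51.100.7", dst_ip="10.10.0.5", syn_only=True),
        Packet("inside", "tcp", src_ip="10.10.0.5", dst_ip="198.51.100.7"),
        Packet("inside", "tcp", src_ip="10.10.0.5", dst_ip="198.51.100.7", syn_only=True),
        Packet("outside", "tcp", src_ip="10.10.0.9", dst_ip="10.10.0.5"),
        Packet("inside", "udp", src_ip="10.10.0.5", dst_ip="198.51.100.53"),
        Packet("inside", "icmp", src_ip="10.10.0.5", dst_ip="192.0.2.10", icmp_type=8),
        Packet("outside", "arp", src_ip="198.51.100.7", arp_op="request", arp_ip="10.10.0.5"),
        Packet("outside", "arp", src_ip="198.51.100.7", arp_op="reply", arp_ip="10.10.0.1"),
    ]
    for pkt in samples:
        verdict, reason = filter_packet(pkt)
        print(f"{pkt.iface:7} {pkt.proto:4} {pkt.src_ip!s:>14} -> {verdict:6} ({reason})")
```

Each verdict carries the rule that produced it, which is the property an auditor wants: the two anti-spoofing checks are evaluated before the SYN check, so a spoofed SYN is attributed to spoofing rather than to the connection-initiation rule, and the ARP checks are ordered exactly as the page lists them.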
Revision History
09/19/05: Grammatical changes (Pascal Meunier)
09/19/05: Audited (Ed Cates)
09/16/05: First version
