Datacenter centralised access control system

Introduction The blackhole project is a solution that simplifies routing and firewalling while increasing security and flexibility. It is meant for datacenters. It allows communication between any container or virtual machine, wherever they are physically connected in the data center, driven by a single central configuration (who can talk to whom). Routing and firewalling stay simple, restrictive and uniform across all servers and firewalls.
Target audience Sites with many servers (hosts) running containers (vservers) and virtual machines spread across several networks. The hosts run Linux.
Routing requirements The basic routing requirements are simple: the blackhole components must be able to reach every host in your networks on a single TCP port (usually 8000). Once that is met, any host may talk to any host in any network (if the blackhole allows it). All connections are established from the blackhole. Containers and VMs only establish connections to their local horizon service (they never reach out of their host).
  • Install the horizon service on every host
  • Configure the horizon so it listens to several local IPs (IPs installed on the loopback) and TCP ports
  • All horizons may share the same configuration
  • Install one or more blackhole service on central hosts
  • Tell the blackholes to connect to all horizons
  • Define connect rules in the blackhole (all blackholes are sharing the same configuration)
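The steps above come down to one rule table that every blackhole and every horizon evaluates in the same way, with nothing allowed unless a rule says so. The following is an added example illustrating that idea; it is not the blackhole project's code, and the rule format, the names (`web1`, `db1`, `monitor`) and the helper functions are constructed for illustration.

```python
"""Toy model of a central, default-deny connect-rule table.

Constructed example: the blackhole project's real configuration syntax and
protocol are not shown on the page, so this only models the policy idea
(one shared rule set, evaluated uniformly, deny unless explicitly allowed).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # container/VM that opens the connection
    dst: str    # container/VM that should receive it
    port: int   # destination TCP port


# One central rule set, shared by every blackhole and every horizon (constructed data).
CENTRAL_RULES = (
    Rule("web1", "db1", 5432),
    Rule("web2", "db1", 5432),
    Rule("monitor", "web1", 80),
)


def is_allowed(rules, src, dst, port):
    """Default deny: only an explicit matching rule allows a connection.

    Rules are directional: web1 -> db1 does not imply db1 -> web1.
    """
    return any(r.src == src and r.dst == dst and r.port == port for r in rules)


def local_rules(rules, local_names):
    """Rules relevant to one host's horizon.

    Containers only ever connect to their local horizon, so a horizon needs
    only the rules whose source lives on its own host; the table itself is
    the same everywhere, which keeps the policy uniform.
    """
    local = set(local_names)
    return tuple(r for r in rules if r.src in local)


def decide(rules, requests):
    """Evaluate a batch of (src, dst, port) requests and return the decisions."""
    return [(src, dst, port, is_allowed(rules, src, dst, port))
            for src, dst, port in requests]


if __name__ == "__main__":
    sample = [("web1", "db1", 5432), ("db1", "web1", 5432), ("web1", "db1", 22)]
    for src, dst, port, ok in decide(CENTRAL_RULES, sample):
        print(f"{src} -> {dst}:{port}: {'allow' if ok else 'deny'}")
```

Because the decision depends only on the shared table and the (source, destination, port) triple, moving a container to another host changes nothing about what it may reach: the horizon on the new host filters the same table by its own local names.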
Usage The following drawings show the various components. Arrows show all possible TCP connections, including the direction in which each connection is established.

Typical usage

Simple internet access

Transparent proxying

A larger network

A complete introduction to the project is in principle.pdf.

More details about its mode of operation are in operations.pdf.


Packages for CentOS 6.5 (64-bit) may be found here (compiled by me). You need linuxconf-lib, blackhole, blackhole-horizon and blackhole-conproxy. blackhole-wormhole is optional.

The source is available via Subversion here.