Firewall Rules for the Nodegrid Platform

Version 0.2 (17 May 2018)

Overview

This guide lists all required and recommended firewall rules needed for the solution to work properly. The list will need to be adjusted to specific customer requirements.

By default the firewall ACCEPTs all incoming and outgoing traffic, so no specific rules need to be defined in the default configuration. If the default behavior of the firewall is changed to DROP all packets, the appropriate ACCEPT rules must be configured first for the INBOUND and/or OUTBOUND chains.

All rules provided below are expected to have a target rule of ACCEPT.

NOTE: The list reflects the required rules for a local firewall configuration.



Firewall Rules

General Rules

These general firewall rules must always be present to ensure proper functionality of the Nodegrid node.

| Service  | Source | Destination | Direction | Protocol | Port | Comments |
|----------|--------|-------------|-----------|----------|------|----------|
| loopback |        |             | INBOUND   |          |      | IPv4     |
| loopback |        |             | OUTBOUND  |          |      | IPv4     |
| loopback |        |             | INBOUND   |          |      | IPv6     |
| loopback |        |             | OUTBOUND  |          |      | IPv6     |

Client Rules

| Service   | Source   | Destination | Direction | Protocol | Port | Comments |
|-----------|----------|-------------|-----------|----------|------|----------|
| ICMP      | CLIENTS  |             |           | PROT     | 1    |          |
| IPv6-ICMP |          |             |           | PROT     | 58   |          |
| HTTP      | CLIENTS  |             | INBOUND   | TCP      | 80   | Access to the WebUI, only required if unsecured access is needed |
| HTTPS     | CLIENTS  |             | INBOUND   | TCP      | 443  | Access to the WebUI |
| HTTPS     | Nodegrid | ZPE Cloud   | OUTBOUND  | TCP      | 443  | ZPE Cloud access |
| SSH       | CLIENTS  |             | INBOUND   | TCP      | 22   | Access to SSH |

Nodegrid to Nodegrid Rules

| Service  | Source  | Destination | Direction | Protocol | Port  | Comments |
|----------|---------|-------------|-----------|----------|-------|----------|
| HTTPS    | CLIENTS |             | INBOUND   | TCP      | 443   | Access to the WebUI |
| SSH      | CLIENTS |             | INBOUND   | TCP      | 22    | Access to SSH |
| Cluster  |         |             | INBOUND   | TCP      | 9966  | Nodegrid Cluster Port |
| Cluster  |         |             | INBOUND   | TCP      | 9300  | Nodegrid Search Engine Port |
| Nodegrid |         | 224.1.1.2   |           | UDP      | 12345 | Node discovery |
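The General, Client and Nodegrid to Nodegrid rules above rendered as an iptables-restore ruleset with a default DROP policy, as an added example that is not part of this guide or of ZPE's documentation. It assumes an iptables-based Linux host, takes the CLIENTS subnet and the cluster peer subnet as arguments, and adds a stateful ESTABLISHED,RELATED rule that the tables do not list but that a DROP policy needs for return traffic.

```shell
#!/bin/sh
# Added example (not from the Nodegrid documentation). Assumptions: iptables-based
# Linux host; $1 is the CLIENTS subnet, $2 the cluster peer subnet (defaults to $1).
# Review the output before loading it: nodegrid_rules 10.0.0.0/24 | iptables-restore
nodegrid_rules() {
    clients="${1:?CLIENTS subnet required}"
    peers="${2:-$clients}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# General rules: loopback must always be accepted (repeat in ip6tables for IPv6).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Added caveat: with a DROP policy, replies to permitted sessions must be accepted
# explicitly, otherwise outbound sessions (ZPE Cloud, DNS, NTP) never complete.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Client rules: ICMP (protocol 1), WebUI (443) and SSH (22) only from CLIENTS.
# Plain HTTP (80) is left out: the table marks it "only required if unsecured access is needed".
-A INPUT -s ${clients} -p icmp -j ACCEPT
-A INPUT -s ${clients} -p tcp --dport 443 -j ACCEPT
-A INPUT -s ${clients} -p tcp --dport 22 -j ACCEPT
# ZPE Cloud access is outbound HTTPS from the node; destination not pinned here.
-A OUTPUT -p tcp --dport 443 -j ACCEPT
# Nodegrid to Nodegrid: cluster (9966), search engine (9300), multicast discovery.
-A INPUT -s ${peers} -p tcp --dport 9966 -j ACCEPT
-A INPUT -s ${peers} -p tcp --dport 9300 -j ACCEPT
-A OUTPUT -d 224.1.1.2 -p udp --dport 12345 -j ACCEPT
-A INPUT -d 224.1.1.2 -p udp --dport 12345 -j ACCEPT
COMMIT
EOF
}

# Read-only sanity check: number of ACCEPT rules rendered for a given CLIENTS subnet.
rule_count() { nodegrid_rules "$@" | grep -c '^-A '; }
```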

Feature Rules

| Service        | Source  | Destination | Direction        | Protocol   | Port | Comments |
|----------------|---------|-------------|------------------|------------|------|----------|
| DNS            |         | SERVER      | OUTBOUND         | TCP/UDP    | 53   |          |
| NTP            |         | SERVER      | OUTBOUND         | UDP        | 123  |          |
| SNMP           | SERVER  |             | INBOUND          | UDP        | 161  | SNMP     |
| SNMP           |         | SERVER      | OUTBOUND         | UDP        | 162  | SNMP trap |
| SMTP           |         | SERVER      | OUTBOUND         | TCP        | 25   | Unsecured SMTP |
| SMTP           |         | SERVER      | OUTBOUND         | TCP        | 587  | TLS secured SMTP |
| SMTP           |         | SERVER      | OUTBOUND         | TCP        | 465  | SSL secured SMTP |
| NFS            |         | SERVER      | OUTBOUND         | TCP/UDP    | 2049 | Data and event logging |
| SYSLOG         |         | SERVER      | OUTBOUND         | TCP        | 514  | Data and event logging |
| FTP            |         | SERVER      | OUTBOUND         | TCP        | 20   | Firmware upgrade and system backup/restore |
| SFTP           |         | SERVER      | OUTBOUND         | TCP        | 22   | Firmware upgrade and system backup/restore |
| TFTP           |         | SERVER      | OUTBOUND         | UDP        | 69   | Firmware upgrade and system backup/restore |
| HTTP           |         | SERVER      | OUTBOUND         | TCP        | 80   | Firmware upgrade and system backup/restore |
| HTTPS          |         | SERVER      | OUTBOUND         | TCP        | 443  | Firmware upgrade and system backup/restore |
| SCP            |         | SERVER      | OUTBOUND         | TCP        | 22   | Firmware upgrade and system backup/restore |
| DHCP/ZTP       |         | SERVER      | OUTBOUND         | UDP        | 67   | Make DHCP requests and ZTP deployments |
| DHCP/ZTP       | SERVER  |             | INBOUND          | UDP        | 68   | Make DHCP requests and ZTP deployments |
| PXE            |         | SERVER      | OUTBOUND         | UDP        | 4011 |          |
| DHCP SERVER    | CLIENTS |             | INBOUND          | UDP        | 67   | Serving DHCP requests |
| DHCP SERVER    |         | CLIENTS     | OUTBOUND         | UDP        | 68   | Serving DHCP requests |
| LDAP           |         | SERVER      | OUTBOUND         | TCP        | 389  |          |
| LDAPS          |         | SERVER      | OUTBOUND         | TCP        | 636  |          |
| TACACS+        |         | SERVER      | OUTBOUND         | TCP        | 49   |          |
| RADIUS         |         | SERVER      | OUTBOUND         | TCP        | 1812 |          |
| KERBEROS       |         | SERVER      | OUTBOUND         | TCP        | 88   |          |
| SSL VPN SERVER | CLIENTS |             | INBOUND          | TCP or UDP | 1194 |          |
| SSL VPN CLIENT |         | SERVER      | OUTBOUND         | TCP or UDP | 1194 |          |
| IPSEC          | CLIENTS |             | INBOUND/OUTBOUND | UDP        | 500  | IPsec (IKE) |
| IPSEC          | CLIENTS |             | INBOUND/OUTBOUND | UDP        | 4500 | IPsec NAT-T |
| IPSEC          | CLIENTS |             | INBOUND/OUTBOUND | PROT       | 50   | Encapsulating Security Payload (ESP) |
| IPSEC          | CLIENTS |             | INBOUND/OUTBOUND | PROT       | 51   | Authentication Header (AH) |

Target Device Rules

| Service          | Source | Destination | Direction | Protocol | Port  | Comments |
|------------------|--------|-------------|-----------|----------|-------|----------|
| PDU_*            |        |             |           | TCP      | 80    | HTTP |
| PDU_*            |        |             |           | TCP      | 443   | HTTPS |
| PDU_*            |        |             |           | TCP      | 22    | SSH |
| Console_Server_* |        |             |           | TCP      | 80    | HTTP |
| Console_Server_* |        |             |           | TCP      | 443   | HTTPS |
| Console_Server_* |        |             |           | TCP      | 22    | SSH |
| Device_Console   |        |             |           | TCP      | 80    | HTTP |
| Device_Console   |        |             |           | TCP      | 443   | HTTPS |
| Device_Console   |        |             |           | TCP      | 22    | SSH |
| KVM_DSR          |        |             |           | TCP      | 443   | HTTPS |
| KVM_DSR          |        |             |           | TCP      | 2068  | KVM Viewer |
| KVM_DSR          |        |             |           | TCP      | 8192  | KVM Viewer |
| KVM_MPU          |        |             |           | TCP      | 443   | WebUI |
| KVM_MPU          |        |             |           | TCP      | 2068  | KVM Viewer |
| KVM_MPU          |        |             |           | TCP      | 8192  | KVM Viewer |
| KVM_Raritan      |        |             |           | TCP      | 443   | HTTPS |
| iLO              |        |             |           | TCP      | 22    | SSH |
| iLO              |        |             |           | TCP      | 17990 | Remote Console port |
| iLO              |        |             |           | TCP      | 80    | HTTP |
| iLO              |        |             |           | TCP      | 443   | HTTPS |
| iLO              |        |             |           | TCP      | 17988 | Virtual Media port |
| IMM              |        |             |           | TCP      | 80    | HTTP |
| IMM              |        |             |           | TCP      | 443   | HTTPS |
| IMM              |        |             |           | TCP      | 22    | SSH |
| IMM              |        |             |           | UDP      | 623   | RMCP |
| DRAC             |        |             |           | TCP      | 22    | SSH |
| DRAC             |        |             |           | TCP      | 80    | HTTP |
| DRAC             |        |             |           | TCP      | 443   | HTTPS |
| DRAC             |        |             |           | UDP      | 623   | RMCP |
| DRAC             |        |             |           | TCP      | 5900  | Virtual Media |
| IPMI*            |        |             |           | TCP      | 22    | SSH |
| IPMI*            |        |             |           | UDP      | 623   | RMCP |
| iLOM             |        |             |           | TCP      | 22    | SSH |
| iLOM             |        |             |           | UDP      | 623   | RMCP |
| iLOM             |        |             |           | TCP      | 5120  | Remote System Console: CD |
| iLOM             |        |             |           | TCP      | 5121  | Remote System Console: Keyboard and Mouse |
| iLOM             |        |             |           | TCP      | 5122  | Oracle ILOM Remote System Console |
| iLOM             |        |             |           | TCP      | 5123  | Remote System Console: Diskette |
| iLOM             |        |             |           | TCP      | 5555  | Remote System Console: SSL |
| iLOM             |        |             |           | TCP      | 5556  | Remote System Console: Authentication |
| iLOM             |        |             |           | TCP      | 7578  | Remote System Console: Video |
| iLOM             |        |             |           | TCP      | 7579  | Remote System Console: Serial |
| VMWare Viewer    |        |             |           | TCP      | 901   |          |
| VMWare Viewer    |        |             |           | TCP      | 902   |          |
| VMWare Viewer    |        |             |           | TCP      | 903   |          |
| KVM Viewer       |        |             |           | TCP      | 22    | QEMU via SSH |
| KVM Viewer       |        |             |           | TCP      | 16514 | QEMU via TLS |