This guide lists all required and recommended firewall rules, to ensure a proper working of the solution. The list will need to be adjusted based on specific customer requirements.
By default will the firewall will ACCEPT all incoming and outgoing traffic. There is no need to define any specific rules in this default configuration.
In case the default behavior of the firewall is expected to DROP all packages appropriate ACCEPT rules need to be configured first for INBOUND and/or OUTBOUND chains
All rules provided below are expected to have a target rule of ACCEPT.
NOTE: The list reflects the required rules for a local firewall configuration.
These general firewall rules must always be present to ensure proper functionality of the Nodegrid node
| Service | Source | Destination | Direction | Protocol | Port | Comments |
|---|---|---|---|---|---|---|
| loopback | INBOUND | IPv4 | ||||
| loopback | OUTBOUND | IPv4 | ||||
| loopback | INBOUND | IPv6 | ||||
| loopback | OUTBOUND | IPv6 |
| Service | Source | Destination | Direction | Protocol | Port | Comments |
|---|---|---|---|---|---|---|
| ICMP | CLIENTS | PROT | 1 | |||
| IPv6-ICMP | PROT | 58 | ||||
| HTTP | CLIENTS | INBOUND | TCP | 80 | Access to the WebUI, only required if unsecure access is needed | |
| HTTPS | CLIENTS | INBOUND | TCP | 443 | Access to the WebUI | |
HTTPS | Nodegrid | ZPE Cloud | OUTBOUND | TCP | 443 | ZPE Cloud Access |
| SSH | CLIENTS | INBOUND | TCP | 22 | Access to ssh |
| Service | Source | Destination | Direction | Protocol | Port | Comments |
|---|---|---|---|---|---|---|
| HTTPS | CLIENTS | INBOUND | TCP | 443 | Access to the WebUI | |
| SSH | CLIENTS | INBOUND | TCP | 22 | Access to ssh | |
| Cluster | INBOUND | TCP | 9966 | Nodegrid Cluster Port | ||
| Cluster | INBOUND | TCP | 9300 | Nodegrid Search Engine Port | ||
Nodegrid | 224.1.1.2 | UDP | 12345 | nodes discovery |
| Service | Source | Destination | Direction | Protocol | Port | Comments |
|---|---|---|---|---|---|---|
| DNS | SERVER | OUTBOUND | TCP/UDP | 53 | ||
| NTP | SERVER | OUTBOUND | UDP | 123 | ||
| SNMP | SERVER | INBOUND | UDP | 161 | SNMP | |
| SNMP | SERVER | OUTBOUND | UDP | 162 | SNMP TRAP | |
| SMTP | SERVER | OUTBOUND | TCP | 25 | Un-secured SMTP | |
| SMTP | SERVER | OUTBOUND | TCP | 587 | TLS secured SMTP | |
| SMTP | SERVER | OUTBOUND | TCP | 465 | SSL secured SMTP | |
| NFS | SERVER | OUTBOUND | TCP/UDP | 2049 | Data and Event Logging | |
| NFS | SERVER | OUTBOUND | TCP/UDP | 2049 | Data and Event Logging | |
| SYSLOG | SERVER | OUTBOUND | TCP | 514 | Data and Event Logging | |
| FTP | SERVER | OUTBOUND | TCP | 20 | Firmware upgrade and System Backup/Restore | |
| SFTP | SERVER | OUTBOUND | TCP | 22 | Firmware upgrade and System Backup/Restore | |
| TFTP | SERVER | OUTBOUND | UDP | 69 | Firmware upgrade and System Backup/Restore | |
| HTTP | SERVER | OUTBOUND | TCP | 80 | Firmware upgrade and System Backup/Restore | |
| HTTPS | SERVER | OUTBOUND | TCP | 443 | Firmware upgrade and System Backup/Restore | |
| SCP | SERVER | OUTBOUND | TCP | 22 | Firmware upgrade and System Backup/Restore | |
| DHCP/ZTP | SERVER | OUTBOUND | UDP | 67 | Make DHCP requests and ZTP deployments | |
| DHCP/ZTP | SERVER | INBOUND | UDP | 68 | Make DHCP requests and ZTP deployments | |
| PXE | SERVER | OUTBOUND | UDP | 4011 | ||
| DHCP SERVER | CLIENTS | INBOUND | UDP | 67 | Serving DHCP Requests | |
| DHCPSERVER | CLIENTS | OUTBOUND | UDP | 68 | Serving DHCP Requests | |
| LDAP | SERVER | OUTBOUND | TCP | 389 | ||
| LDAPS | SERVER | OUTBOUND | TCP | 636 | ||
| TACACS+ | SERVER | OUTBOUND | TCP | 49 | ||
| RADIUS | SERVER | OUTBOUND | TCP | 1812 | ||
| KERBEROS | SERVER | OUTBOUND | TCP | 88 | ||
| SSL VPN SERVER | CLIENTS | INBOUND | TCP or UDP | 1194 | ||
| SSL VPN CLIENT | SERVER | OUTBOUND | TCP or UDP | 1194 | ||
| IPSEC | CLIENTS | INBOUND/OUTBOUND | UDP | 500 | IPSec | |
| IPSEC | CLIENTS | INBOUND/OUTBOUND | UDP | 4500 | IPSec T-NAT | |
| IPSEC | CLIENTS | INBOUND/OUTBOUND | PROT | 50 | Encap Security Payload | |
| IPSEC | CLIENTS | INBOUND/OUTBOUND | PROT | 51 | Authentication Header |
| Service | Source | Destination | Direction | Protocol | Port | Comments |
|---|---|---|---|---|---|---|
| PDU_* | TCP | 80 | HTTP | |||
| PDU_* | TCP | 443 | HTTPS | |||
| PDU_* | TCP | 22 | SSH | |||
| Console_Server_* | TCP | 80 | HTTP | |||
| Console_Server_* | TCP | 443 | HTTPS | |||
| Console_Server_* | TCP | 22 | SSH | |||
| Device_Console | TCP | 80 | HTTP | |||
| Device_Console | TCP | 443 | HTTPS | |||
| Device_Console | TCP | 22 | SSH | |||
| KVM_DSR | TCP | 443 | HTTPS | |||
| KVM_DSR | TCP | 2068 | KVM Viewer | |||
| KVM_DSR | TCP | 8192 | KVM Viewer | |||
| KVM_MPU | TCP | 443 | WebUI | |||
| KVM_MPU | TCP | 2068 | KVM Viewer | |||
| KVM_MPU | TCP | 8192 | KVM Viewer | |||
| KVM_Raritan | TCP | 443 | HTTPS | |||
| iLO | TCP | 22 | SSH | |||
| iLO | TCP | 17990 | Remote Console Port | |||
| iLO | TCP | 80 | HTTP | |||
| iLO | TCP | 443 | HTTPS | |||
| iLO | TCP | 17988 | Virtual Media Port | |||
| IMM | TCP | 80 | HTTP | |||
| IMM | TCP | 443 | HTTPS | |||
| IMM | TCP | 22 | SSH | |||
| IMM | UDP | 623 | RMCP | |||
| DRAC | TCP | 22 | SSH | |||
| DRAC | TCP | 80 | HTTP | |||
| DRAC | TCP | 443 | HTTPS | |||
| DRAC | UDP | 623 | RMCP | |||
| DRAC | TCP | 5900 | Virtual Media | |||
| IPMI* | TCP | 22v SSH | ||||
| IPMI* | UDP | 623 | RMCP | |||
| iLOM | TCP | 22 | SSH | |||
| iLOM | UDP | 623 | RMCP | |||
| iLOM | TCP | 5120 | Remote System Console: CD | |||
| iLOM | TCP | 5121 | Remote System Console: Keyboard and Mouse | |||
| iLOM | TCP | 5122 | Oracle ILOM Remote System Console | |||
| iLOM | TCP | 5123 | Remote System Console: Diskette | |||
| iLOM | TCP | 5555 | Remote System Console: SSL | |||
| iLOM | TCP | 5556 | Remote System Console: Authentication | |||
| iLOM | TCP | 7578 | Remote System Console: Video | |||
| iLOM | TCP | 7579 | Remote System Console: Serial | |||
| VMWare Viewer | TCP | 901 | ||||
| VMWare Viewer | TCP | 902 | ||||
| VMWare Viewer | TCP | 903 | ||||
| KVM Viewer | TCP | 22 | QEMU via SSH | |||
| KVM Viewer | TCP | 16514 | QEMU via TLS |