[Freeipa-users] Definitive firewall ruleset.
Rob Crittenden
rcritten at redhat.com
Thu Mar 3 14:13:20 UTC 2011
Steven Jones wrote:
> This is becoming a bit of a grind....
>
> Anyway, either I have not found it yet, or a definitive set of ports
> that need to be open isn't there; this is my best shot so far:
>
> Have I missed any or are there some not needed?
>
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:80
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:88
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:464
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:443
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:123
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:389
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:389
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:636
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:636
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:7389
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:7389
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:9180
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:9180
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:9444
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:9444
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:9445
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:9445
>
If you set up IPA as a DNS server you'll want to allow port 53.
You don't need udp for 9180, 9444 and 9445.
You probably don't need 9180, 9444 and 9445 open at all. You need 7389
open only if you are doing replication (and you might want to restrict
it to those hosts that it replicates to).
rob
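A consolidated ruleset that applies the corrections from the reply above (no UDP or TCP for 9180/9444/9445, port 53 only when IPA serves DNS, 7389 only from the replica hosts), written as an added shell example that is not part of the thread. The client subnet, the DNS flag and the replica addresses are parameters; the values in the usage line are constructed.

```shell
#!/bin/sh
# Emit iptables commands for a FreeIPA server, following the port list in the
# thread and the corrections in the reply. Nothing is applied: the output is
# printed so it can be reviewed before being piped to a shell on the server.
#
# Usage: ipa_rules SUBNET DNS(yes|no) [REPLICA_IP ...]
ipa_rules() {
    subnet=$1; dns=$2; shift 2

    # Client-facing TCP services from the original list:
    # HTTP/HTTPS (80, 443), Kerberos (88), kpasswd (464), LDAP/LDAPS (389, 636).
    for p in 80 88 464 443 389 636; do
        echo "iptables -A INPUT -p tcp -s $subnet --dport $p -j ACCEPT"
    done

    # UDP services kept from the original list: NTP (123), LDAP/LDAPS (389, 636).
    for p in 123 389 636; do
        echo "iptables -A INPUT -p udp -s $subnet --dport $p -j ACCEPT"
    done

    # DNS (53, tcp and udp) only when IPA is also the DNS server.
    if [ "$dns" = yes ]; then
        echo "iptables -A INPUT -p tcp -s $subnet --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -p udp -s $subnet --dport 53 -j ACCEPT"
    fi

    # Replication (7389, tcp) only from the named replica hosts, not the whole subnet.
    for host in "$@"; do
        echo "iptables -A INPUT -p tcp -s $host --dport 7389 -j ACCEPT"
    done

    # 9180, 9444 and 9445 are deliberately not opened at all, per the reply.
}

# Constructed sample values: one /24 of clients, DNS enabled, one replica.
ipa_rules 192.168.100.0/24 yes 192.168.100.11
```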