[Freeipa-users] Server Ports

Justin Brown justin.brown at fandingo.org
Thu Apr 3 05:55:10 UTC 2014


I'm having some trouble determining which ports my servers need open
to communicate and what ports client servers and users will need. The
last documentation that I was able to find was included in Fedora 15
(http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html).
I opened those ports with firewalld, but I encountered errors when
joining my replica server. (I retried the replica install with
firewalld, and it succeeded, so it's clearly a problem with the
firewall settings.)

I'm joining the wave of the future, so please excuse the firewalld
XML, but it should be pretty obvious. All of the services are built
into firewalld, except "dogtag", which I made myself and is defined at
the end.

  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="http"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="https"/>
    <accept/>
  </rule>

  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="dogtag"/>
    <accept/>
  </rule>

  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="dns"/>
    <accept/>
  </rule>

  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="kerberos"/>
    <accept/>
  </rule>

  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="kpasswd"/>
    <accept/>
  </rule>

  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ldap"/>
    <accept/>
  </rule>

  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ldaps"/>
    <accept/>
  </rule>

  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ntp"/>
    <accept/>
  </rule>

  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept/>
  </rule>

Services dns, kerberos, and kpasswd are TCP+UDP. Service ntp is UDP
only. The others are TCP only.

=========
services/dogtag.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <port protocol="tcp" port="9180"/>
  <port protocol="tcp" port="9443"/>
  <port protocol="tcp" port="9444"/>
  <port protocol="tcp" port="9445"/>
  <port protocol="tcp" port="9446"/>
  <port protocol="tcp" port="9701"/>
  <port protocol="tcp" port="7389"/>
</service>

=========

On a side note, it would be nice if the firewalld packagers included a
freeipa-server service (nudge nudge).

Thanks,
Justin
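To see what these rich rules actually open on the wire, the following is an added example (not code from the post or from firewalld) that parses rich rules of the shape posted above together with firewalld-style `<service>` definitions and resolves them to concrete port/protocol pairs per source network. It assumes the rules are wrapped in a `<zone>` element as a zone file would have them; the built-in service definitions for http, https, dns, kerberos, kpasswd, ldap, ldaps, ntp and ssh are constructed replicas of the files firewalld ships under `/usr/lib/firewalld/services/`, while `dogtag` is the custom definition from the post.

```python
"""Resolve firewalld rich rules to the (port, protocol) pairs they allow.

Added example, not part of the original post or of firewalld itself.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed replicas of the built-in firewalld services the post references
# (the shipped definitions live in /usr/lib/firewalld/services/).
BUILTIN_PORTS = {
    "http": ["80/tcp"], "https": ["443/tcp"],
    "dns": ["53/tcp", "53/udp"], "kerberos": ["88/tcp", "88/udp"],
    "kpasswd": ["464/tcp", "464/udp"], "ldap": ["389/tcp"],
    "ldaps": ["636/tcp"], "ntp": ["123/udp"], "ssh": ["22/tcp"],
}


def render_service(ports):
    """Render 'port/proto' strings as a firewalld <service> XML document."""
    body = "".join(
        f'  <port protocol="{p.split("/")[1]}" port="{p.split("/")[0]}"/>\n'
        for p in ports)
    return f'<?xml version="1.0" encoding="utf-8"?>\n<service>\n{body}</service>\n'


SERVICE_XML = {name: render_service(ports) for name, ports in BUILTIN_PORTS.items()}
# The custom service exactly as posted (services/dogtag.xml).
SERVICE_XML["dogtag"] = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <port protocol="tcp" port="9180"/>
  <port protocol="tcp" port="9443"/>
  <port protocol="tcp" port="9444"/>
  <port protocol="tcp" port="9445"/>
  <port protocol="tcp" port="9446"/>
  <port protocol="tcp" port="9701"/>
  <port protocol="tcp" port="7389"/>
</service>
"""

# Constructed: the posted rich rules, one per service, wrapped in a <zone>.
RULE = """  <rule family="ipv4">
    <source address="{src}"/>
    <service name="{name}"/>
    <accept/>
  </rule>
"""
POSTED_SERVICES = ["http", "https", "dogtag", "dns", "kerberos",
                   "kpasswd", "ldap", "ldaps", "ntp", "ssh"]
ZONE_XML = ("<zone>\n"
            + "".join(RULE.format(src="192.168.0.0/16", name=n) for n in POSTED_SERVICES)
            + "</zone>\n")


def parse_service(xml_text):
    """Return the set of (port, protocol) pairs a <service> definition opens."""
    root = ET.fromstring(xml_text)
    return {(p.get("port"), p.get("protocol")) for p in root.findall("port")}


def resolve_rules(zone_xml, service_defs):
    """Map each accepted source network to the (port, protocol) pairs it may reach.

    Rules naming a service that has no definition are reported separately, so a
    typo in a custom service name shows up instead of silently opening nothing.
    """
    allowed = defaultdict(set)
    unknown = []
    for rule in ET.fromstring(zone_xml).findall("rule"):
        if rule.find("accept") is None:      # reject/drop rules open nothing
            continue
        src = rule.find("source")
        src_addr = src.get("address") if src is not None else "0.0.0.0/0"  # no <source>: any
        for svc in rule.findall("service"):
            name = svc.get("name")
            if name not in service_defs:
                unknown.append(name)
                continue
            allowed[src_addr] |= parse_service(service_defs[name])
        for p in rule.findall("port"):      # rich rules may also name ports directly
            allowed[src_addr].add((p.get("port"), p.get("protocol")))
    return dict(allowed), unknown


def protocols_for(allowed, src, port):
    """Transport protocols open to `src` on `port`, e.g. {'tcp', 'udp'}."""
    return {proto for (p, proto) in allowed.get(src, set()) if p == port}


if __name__ == "__main__":
    allowed, unknown = resolve_rules(ZONE_XML, SERVICE_XML)
    for src, pairs in allowed.items():
        print(f"{src}:")
        for port, proto in sorted(pairs, key=lambda x: (int(x[0]), x[1])):
            print(f"  {port}/{proto}")
    if unknown:
        print("rules reference undefined services:", unknown)
```

Running it prints the effective allow list for 192.168.0.0/16, which makes the TCP+UDP versus TCP-only distinction from the post visible at a glance (53, 88 and 464 appear twice, 123 only as UDP) and lets you compare the expanded list against whatever the replica install actually needs.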