[Freeipa-users] Closing off some ports for FreeIPA

Jeremy Utley jeremy at ifuzioncorp.com
Fri Apr 1 20:11:07 UTC 2016


On Fri, Apr 1, 2016 at 2:57 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Jeremy Utley wrote:
>
>> Hello all on the list.
>>
>> First off, if this is documented somewhere I'm not aware of, I apologize
>> for the noise.  I've spent a couple of hours google searching
>> without success, so pointers to any documentation I've missed would be
>> greatly appreciated!
>>
>> We're in the process of setting up a FreeIPA system within our
>> ultra-secure PCI zone.  It's currently working well, and we are very
>> happy with it.  However, we know that come our next audit, we're going
>> to get hit on a few things, so I would like to ask about blocking off
>> some additional ports (specifically 80, 389, 53).  53 I think will be
>> safe to block off, as all our clients actually use a dedicated caching
>> DNS system with unbound, which has been configured to forward all
>> queries for the zone "ipa.domain.com" to the
>> FreeIPA servers, so we should be able to block 53 from everywhere but
>> the unbound servers without breakage.
>>
>> However, port 80 and 389 I'm not so sure about.  I know most things that
>> hit port 80 get redirected to 443, and 389 provides STARTTLS
>> functionality, but in theory, these ports can provide unencrypted
>> communications, and therefore our auditors will ask that they be closed
>> off.  However, in my research so far, I have not been able to find out
>> what the ramifications would be to blocking these ports for the IPA
>> system itself (would it fall back to using SSL on 636? Would API calls
>> fail if port 80 is closed?).
>>
>> I also know that the ipa-client-install script will check to ensure
>> these ports are open - temporarily opening them for the client setup
>> will not be an issue, if we can close it back down after that.  We do
>> not add systems within this zone very often, so this is a minor issue.
>>
>> Thanks for any advice you can give!
>>
>> Jeremy
>>
>>
>>
> See this thread from earlier this week,
> https://www.redhat.com/archives/freeipa-users/2016-March/msg00295.html
>
> rob
>

Thank you, Rob!  I think that will answer my questions, and hopefully the
auditors!

Jeremy