3c5fa979a4
Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com>
146 lines
6.0 KiB
ReStructuredText
146 lines
6.0 KiB
ReStructuredText
|
|
.. tvz1552007675065
|
|
.. _security-default-firewall-rules:
|
|
|
|
======================
|
|
Default Firewall Rules
|
|
======================
|
|
|
|
|prod| applies default firewall rules on the |OAM| network. The default rules
|
|
are recommended for most applications.
|
|
|
|
Traffic is permitted for the following protocols and ports to allow access
|
|
for platform services. By default, all other traffic is blocked.
|
|
|
|
You can view the configured firewall rules with the following command:
|
|
|
|
.. code-block:: none
|
|
|
|
~(keystone_admin)$ kubectl describe globalnetworkpolicy
|
|
Name: controller-oam-if-gnp
|
|
Namespace:
|
|
Labels: <none>
|
|
Annotations: kubectl.kubernetes.io/last-applied-configuration:
|
|
{"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"controller-oam-if-gnp"},"spec":...
|
|
API Version: crd.projectcalico.org/v1
|
|
Kind: GlobalNetworkPolicy
|
|
Metadata:
|
|
Creation Timestamp: 2019-08-08T20:18:34Z
|
|
Generation: 1
|
|
Resource Version: 1395
|
|
Self Link: /apis/crd.projectcalico.org/v1/globalnetworkpolicies/controller-oam-if-gnp
|
|
UID: b28b74fe-ba19-11e9-9176-ac1f6b0eef28
|
|
Spec:
|
|
Apply On Forward: false
|
|
Egress:
|
|
Action: Allow
|
|
Ip Version: 4
|
|
Protocol: TCP
|
|
Action: Allow
|
|
Ip Version: 4
|
|
Protocol: UDP
|
|
Action: Allow
|
|
Protocol: ICMP
|
|
Ingress:
|
|
Action: Allow
|
|
Destination:
|
|
Ports:
|
|
22
|
|
18002
|
|
4545
|
|
15491
|
|
6385
|
|
7777
|
|
6443
|
|
9001
|
|
9002
|
|
7480
|
|
9311
|
|
5000
|
|
8080
|
|
Ip Version: 4
|
|
Protocol: TCP
|
|
Action: Allow
|
|
Destination:
|
|
Ports:
|
|
2222
|
|
2223
|
|
123
|
|
161
|
|
162
|
|
319
|
|
320
|
|
Ip Version: 4
|
|
Protocol: UDP
|
|
Action: Allow
|
|
Protocol: ICMP
|
|
Order: 100
|
|
Selector: has(iftype) && iftype == 'oam'
|
|
Types:
|
|
Ingress
|
|
Egress
|
|
Events: <none>
|
|
|
|
|
|
Where:
|
|
|
|
|
|
.. _security-default-firewall-rules-d477e47:
|
|
|
|
|
|
.. table::
|
|
:widths: auto
|
|
|
|
+------------------------+------------------------+------------------------+
|
|
| Protocol | Port | Service Name |
|
|
+========================+========================+========================+
|
|
| tcp | 22 | ssh |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 8080 | horizon \(http only\) |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 8443 | horizon \(https only\) |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 5000 | keystone-api |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 6385 | stx-metal |
|
|
| | | |
|
|
| | | stx-config |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 8119 | stx-distcloud |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 18002 | stx-fault |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 7777 | stx-ha |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 4545 | stx-nfv |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 6443 | Kubernetes api server |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 9001 | Docker registry |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 9002 | Registry token server |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 15491 | stx-update |
|
|
+------------------------+------------------------+------------------------+
|
|
| icmp | | icmp |
|
|
+------------------------+------------------------+------------------------+
|
|
| udp | 123 | ntp |
|
|
+------------------------+------------------------+------------------------+
|
|
| udp | 161 | snmp |
|
|
+------------------------+------------------------+------------------------+
|
|
| udp | 2222 | service manager |
|
|
+------------------------+------------------------+------------------------+
|
|
| udp | 2223 | service manager |
|
|
+------------------------+------------------------+------------------------+
|
|
|
|
.. note::
|
|
Custom rules may be added for other requirements. For more information,
|
|
see |sec-doc|: :ref:`Firewall Options <security-firewall-options>`.
|
|
|
|
.. note::
|
|
UDP ports 2222 and 2223 are used by the service manager for state
|
|
synchronization and heart beating between the controllers/masters. All
|
|
messages are authenticated with a SHA512 HMAC. Only packets originating
|
|
from the peer controller are permitted; all other packets are dropped.
|
|
|