 cd1f0e68ff
			
		
	
	cd1f0e68ff
	
	
	
		
			
			Patch 1: Worked on Bart and Mary's comments. Patch 2: Worked on Bart's comments. Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: Ida78101e923dbce32a1c17ba45becb4b62f17c4d
		
			
				
	
	
		
			146 lines
		
	
	
		
			6.0 KiB
		
	
	
	
		
			ReStructuredText
		
	
	
	
	
	
			
		
		
	
	
			146 lines
		
	
	
		
			6.0 KiB
		
	
	
	
		
			ReStructuredText
		
	
	
	
	
	
| 
 | |
| .. tvz1552007675065
 | |
| .. _security-default-firewall-rules:
 | |
| 
 | |
| ======================
 | |
| Default Firewall Rules
 | |
| ======================
 | |
| 
 | |
| |prod| applies default firewall rules on the |OAM| network. The default rules
 | |
| are recommended for most applications.
 | |
| 
 | |
| Traffic is permitted for the following protocols and ports to allow access
 | |
| for platform services. By default, all other traffic is blocked.
 | |
| 
 | |
| You can view the configured firewall rules with the following command:
 | |
| 
 | |
| .. code-block:: none
 | |
| 
 | |
|     ~(keystone_admin)]$ kubectl describe globalnetworkpolicy
 | |
|     Name:         controller-oam-if-gnp
 | |
|     Namespace:
 | |
|     Labels:       <none>
 | |
|     Annotations:  kubectl.kubernetes.io/last-applied-configuration:
 | |
|                     {"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"controller-oam-if-gnp"},"spec":...
 | |
|     API Version:  crd.projectcalico.org/v1
 | |
|     Kind:         GlobalNetworkPolicy
 | |
|     Metadata:
 | |
|       Creation Timestamp:  2019-08-08T20:18:34Z
 | |
|       Generation:          1
 | |
|       Resource Version:    1395
 | |
|       Self Link:           /apis/crd.projectcalico.org/v1/globalnetworkpolicies/controller-oam-if-gnp
 | |
|       UID:                 b28b74fe-ba19-11e9-9176-ac1f6b0eef28
 | |
|     Spec:
 | |
|       Apply On Forward:  false
 | |
|       Egress:
 | |
|         Action:      Allow
 | |
|         Ip Version:  4
 | |
|         Protocol:    TCP
 | |
|         Action:      Allow
 | |
|         Ip Version:  4
 | |
|         Protocol:    UDP
 | |
|         Action:      Allow
 | |
|         Protocol:    ICMP
 | |
|       Ingress:
 | |
|         Action:  Allow
 | |
|         Destination:
 | |
|           Ports:
 | |
|             22
 | |
|             18002
 | |
|             4545
 | |
|             15491
 | |
|             6385
 | |
|             7777
 | |
|             6443
 | |
|             9001
 | |
|             9002
 | |
|             7480
 | |
|             9311
 | |
|             5000
 | |
|             8080
 | |
|         Ip Version:  4
 | |
|         Protocol:    TCP
 | |
|         Action:      Allow
 | |
|         Destination:
 | |
|           Ports:
 | |
|             2222
 | |
|             2223
 | |
|             123
 | |
|             161
 | |
|             162
 | |
|             319
 | |
|             320
 | |
|         Ip Version:  4
 | |
|         Protocol:    UDP
 | |
|         Action:      Allow
 | |
|         Protocol:    ICMP
 | |
|       Order:         100
 | |
|       Selector:      has(iftype) && iftype == 'oam'
 | |
|       Types:
 | |
|         Ingress
 | |
|         Egress
 | |
|     Events:  <none>
 | |
| 
 | |
| 
 | |
| Where:
 | |
| 
 | |
| 
 | |
| .. _security-default-firewall-rules-d488e47:
 | |
| 
 | |
| 
 | |
| .. table::
 | |
|     :widths: auto
 | |
| 
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | Protocol               | Port                   | Service Name           |
 | |
|     +========================+========================+========================+
 | |
|     | tcp                    | 22                     | ssh                    |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | tcp                    | 8080                   | horizon \(http only\)  |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | tcp                    | 8443                   | horizon \(https only\) |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | tcp                    | 5000                   | keystone-api           |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | tcp                    | 6385                   | stx-metal              |
 | |
|     |                        |                        |                        |
 | |
|     |                        |                        | stx-config             |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | tcp                    | 8119                   | stx-distcloud          |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | tcp                    | 18002                  | stx-fault              |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | tcp                    | 7777                   | stx-ha                 |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | tcp                    | 4545                   | stx-nfv                |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | tcp                    | 6443                   | Kubernetes api server  |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | tcp                    | 9001                   | Docker registry        |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | tcp                    | 9002                   | Registry token server  |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | tcp                    | 15491                  | stx-update             |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | icmp                   |                        | icmp                   |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | udp                    | 123                    | ntp                    |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | udp                    | 161                    | snmp                   |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | udp                    | 2222                   | service manager        |
 | |
|     +------------------------+------------------------+------------------------+
 | |
|     | udp                    | 2223                   | service manager        |
 | |
|     +------------------------+------------------------+------------------------+
 | |
| 
 | |
| .. note::
 | |
|     Custom rules may be added for other requirements. For more information,
 | |
|     see |sec-doc|: :ref:`Firewall Options <security-firewall-options>`.
 | |
| 
 | |
| .. note::
 | |
|     UDP ports 2222 and 2223 are used by the service manager for state
 | |
|     synchronization and heart beating between the controllers. All messages are
 | |
|     authenticated with a SHA512 HMAC. Only packets originating from the peer
 | |
|     controller are permitted; all other packets are dropped.
 | |
| 
 |