.. tvz1552007675065

.. _security-default-firewall-rules:

======================
Default Firewall Rules
======================

|prod| applies default firewall rules on the |OAM| network. The default rules
are recommended for most applications.

Traffic is permitted for the following protocols and ports to allow access for
platform services. By default, all other traffic is blocked.

You can view the configured firewall rules with the following command:

.. code-block:: none

    ~(keystone_admin)]$ kubectl describe globalnetworkpolicy
    Name:         controller-oam-if-gnp
    Namespace:
    Labels:
    Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                    {"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"controller-oam-if-gnp"},"spec":...
    API Version:  crd.projectcalico.org/v1
    Kind:         GlobalNetworkPolicy
    Metadata:
      Creation Timestamp:  2019-08-08T20:18:34Z
      Generation:          1
      Resource Version:    1395
      Self Link:           /apis/crd.projectcalico.org/v1/globalnetworkpolicies/controller-oam-if-gnp
      UID:                 b28b74fe-ba19-11e9-9176-ac1f6b0eef28
    Spec:
      Apply On Forward:  false
      Egress:
        Action:      Allow
        Ip Version:  4
        Protocol:    TCP
        Action:      Allow
        Ip Version:  4
        Protocol:    UDP
        Action:      Allow
        Protocol:    ICMP
      Ingress:
        Action:  Allow
        Destination:
          Ports:
            22
            18002
            4545
            15491
            6385
            7777
            6443
            9001
            9002
            7480
            9311
            5000
            8080
        Ip Version:  4
        Protocol:    TCP
        Action:  Allow
        Destination:
          Ports:
            2222
            2223
            123
            161
            162
            319
            320
        Ip Version:  4
        Protocol:    UDP
        Action:    Allow
        Protocol:  ICMP
      Order:     100
      Selector:  has(iftype) && iftype == 'oam'
      Types:
        Ingress
        Egress
    Events:

Where:

.. _security-default-firewall-rules-d488e47:

.. table::
    :widths: auto

    +------------------------+------------------------+------------------------+
    | Protocol               | Port                   | Service Name           |
    +========================+========================+========================+
    | tcp                    | 22                     | ssh                    |
    +------------------------+------------------------+------------------------+
    | tcp                    | 8080                   | horizon \(http only\)  |
    +------------------------+------------------------+------------------------+
    | tcp                    | 8443                   | horizon \(https only\) |
    +------------------------+------------------------+------------------------+
    | tcp                    | 5000                   | keystone-api           |
    +------------------------+------------------------+------------------------+
    | tcp                    | 6385                   | stx-metal              |
    |                        |                        |                        |
    |                        |                        | stx-config             |
    +------------------------+------------------------+------------------------+
    | tcp                    | 8119                   | stx-distcloud          |
    +------------------------+------------------------+------------------------+
    | tcp                    | 18002                  | stx-fault              |
    +------------------------+------------------------+------------------------+
    | tcp                    | 7777                   | stx-ha                 |
    +------------------------+------------------------+------------------------+
    | tcp                    | 4545                   | stx-nfv                |
    +------------------------+------------------------+------------------------+
    | tcp                    | 6443                   | Kubernetes api server  |
    +------------------------+------------------------+------------------------+
    | tcp                    | 9001                   | Docker registry        |
    +------------------------+------------------------+------------------------+
    | tcp                    | 9002                   | Registry token server  |
    +------------------------+------------------------+------------------------+
    | tcp                    | 15491                  | stx-update             |
    +------------------------+------------------------+------------------------+
    | icmp                   |                        | icmp                   |
    +------------------------+------------------------+------------------------+
    | udp                    | 123                    | ntp                    |
    +------------------------+------------------------+------------------------+
    | udp                    | 161                    | snmp                   |
    +------------------------+------------------------+------------------------+
    | udp                    | 2222                   | service manager        |
    +------------------------+------------------------+------------------------+
    | udp                    | 2223                   | service manager        |
    +------------------------+------------------------+------------------------+

.. note::
    Custom rules may be added for other requirements. For more information,
    see |sec-doc|: :ref:`Firewall Options `.

.. note::
    UDP ports 2222 and 2223 are used by the service manager for state
    synchronization and heartbeat between the controllers. All messages are
    authenticated with a SHA512 HMAC. Only packets originating from the peer
    controller are permitted; all other packets are dropped.
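The table above is documentation, while the ``GlobalNetworkPolicy`` in the cluster is what actually filters |OAM| traffic, so a practitioner will want to confirm the two agree. The following Python script is an added example, not part of the |prod| documentation or code: it parses the Ingress rules from ``kubectl describe globalnetworkpolicy`` output and reports ports that are allowed but not documented, or documented but not allowed. ``SAMPLE_DESCRIBE`` is a constructed sample built from the listing shown above (in a live check you would capture the command output instead), and ``DOCUMENTED``, ``parse_ingress_rules`` and ``reconcile`` are names chosen here. Run against the listing and table on this page it reports, for example, that tcp/7480 and tcp/9311 are allowed by the policy but absent from the table.

```python
"""Reconcile the OAM GlobalNetworkPolicy ingress rules with a documented allowlist."""
from typing import Dict, List, Set, Tuple

# Constructed sample of `kubectl describe globalnetworkpolicy` output (Spec section
# only), in the layout kubectl prints: one rule per "Action" block, bare port
# numbers listed under "Destination: / Ports:", and the protocol on its own line.
SAMPLE_DESCRIBE = """\
Spec:
  Apply On Forward:  false
  Egress:
    Action:      Allow
    Ip Version:  4
    Protocol:    TCP
  Ingress:
    Action:  Allow
    Destination:
      Ports:
        22
        18002
        4545
        15491
        6385
        7777
        6443
        9001
        9002
        7480
        9311
        5000
        8080
    Ip Version:  4
    Protocol:    TCP
    Action:  Allow
    Destination:
      Ports:
        2222
        2223
        123
        161
        162
        319
        320
    Ip Version:  4
    Protocol:    UDP
    Action:    Allow
    Protocol:  ICMP
  Order:     100
  Selector:  has(iftype) && iftype == 'oam'
"""

# The documented default allowlist as (protocol, port) pairs, taken from the table.
DOCUMENTED: Set[Tuple[str, int]] = {
    ("tcp", 22), ("tcp", 8080), ("tcp", 8443), ("tcp", 5000), ("tcp", 6385),
    ("tcp", 8119), ("tcp", 18002), ("tcp", 7777), ("tcp", 4545), ("tcp", 6443),
    ("tcp", 9001), ("tcp", 9002), ("tcp", 15491),
    ("udp", 123), ("udp", 161), ("udp", 2222), ("udp", 2223),
}

# Port-less protocols such as ICMP are recorded with port 0.
NO_PORT = 0


def parse_ingress_rules(describe_text: str) -> Set[Tuple[str, int]]:
    """Return the (protocol, port) pairs permitted by Allow rules in the Ingress section."""
    allowed: Set[Tuple[str, int]] = set()
    section = None          # "Ingress", "Egress" or None for other Spec keys
    action = None
    pending_ports: List[int] = []
    for raw in describe_text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        # Keys at indent 2 sit directly under Spec; only Ingress/Egress open a rule list.
        if indent == 2 and line.endswith(":") and line[:-1] in ("Ingress", "Egress"):
            section = line[:-1]
            continue
        if indent <= 2:
            section = None
            continue
        if section != "Ingress":
            continue
        if line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
        elif line.isdigit():
            pending_ports.append(int(line))
        elif line.startswith("Protocol:"):
            # Protocol is the last field kubectl prints for a rule, so it closes the rule.
            proto = line.split(":", 1)[1].strip().lower()
            if action == "Allow":
                allowed.update((proto, p) for p in pending_ports or [NO_PORT])
            pending_ports = []
    return allowed


def reconcile(actual: Set[Tuple[str, int]], documented: Set[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Report drift in both directions between the live policy and the documented table."""
    def fmt(pair: Tuple[str, int]) -> str:
        return f"{pair[0]}/{pair[1]}"
    # ICMP is documented without a port, so it is excluded from the port comparison.
    ports_only = {p for p in actual if p[1] != NO_PORT}
    return {
        "allowed_but_undocumented": [fmt(p) for p in sorted(ports_only - documented)],
        "documented_but_not_allowed": [fmt(p) for p in sorted(documented - ports_only)],
    }


if __name__ == "__main__":
    for key, items in reconcile(parse_ingress_rules(SAMPLE_DESCRIBE), DOCUMENTED).items():
        print(f"{key}: {', '.join(items) or 'none'}")
```

The parser relies on the field order kubectl uses when describing a rule (``Action``, ``Destination``, ``Ip Version``, ``Protocol``), treating the ``Protocol`` line as the end of a rule; if a later release changes that layout, the check fails loudly by reporting every documented port as missing rather than silently passing.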