f125a8b892
This change addresses a long-standing issue in rST documentation imported from XML.
That import process added backslash escapes in front of various characters. The three
most common being '(', ')', and '_'.
These instances are removed.
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e
146 lines
6.0 KiB
ReStructuredText
146 lines
6.0 KiB
ReStructuredText
|
|
.. tvz1552007675065
|
|
.. _security-default-firewall-rules:
|
|
|
|
======================
|
|
Default Firewall Rules
|
|
======================
|
|
|
|
|prod| applies default firewall rules on the |OAM| network. The default rules
|
|
are recommended for most applications.
|
|
|
|
Traffic is permitted for the following protocols and ports to allow access
|
|
for platform services. By default, all other traffic is blocked.
|
|
|
|
You can view the configured firewall rules with the following command:
|
|
|
|
.. code-block:: none
|
|
|
|
~(keystone_admin)]$ kubectl describe globalnetworkpolicy
|
|
Name: controller-oam-if-gnp
|
|
Namespace:
|
|
Labels: <none>
|
|
Annotations: kubectl.kubernetes.io/last-applied-configuration:
|
|
{"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"controller-oam-if-gnp"},"spec":...
|
|
API Version: crd.projectcalico.org/v1
|
|
Kind: GlobalNetworkPolicy
|
|
Metadata:
|
|
Creation Timestamp: 2019-08-08T20:18:34Z
|
|
Generation: 1
|
|
Resource Version: 1395
|
|
Self Link: /apis/crd.projectcalico.org/v1/globalnetworkpolicies/controller-oam-if-gnp
|
|
UID: b28b74fe-ba19-11e9-9176-ac1f6b0eef28
|
|
Spec:
|
|
Apply On Forward: false
|
|
Egress:
|
|
Action: Allow
|
|
Ip Version: 4
|
|
Protocol: TCP
|
|
Action: Allow
|
|
Ip Version: 4
|
|
Protocol: UDP
|
|
Action: Allow
|
|
Protocol: ICMP
|
|
Ingress:
|
|
Action: Allow
|
|
Destination:
|
|
Ports:
|
|
22
|
|
18002
|
|
4545
|
|
15491
|
|
6385
|
|
7777
|
|
6443
|
|
9001
|
|
9002
|
|
7480
|
|
9311
|
|
5000
|
|
8080
|
|
Ip Version: 4
|
|
Protocol: TCP
|
|
Action: Allow
|
|
Destination:
|
|
Ports:
|
|
2222
|
|
2223
|
|
123
|
|
161
|
|
162
|
|
319
|
|
320
|
|
Ip Version: 4
|
|
Protocol: UDP
|
|
Action: Allow
|
|
Protocol: ICMP
|
|
Order: 100
|
|
Selector: has(iftype) && iftype == 'oam'
|
|
Types:
|
|
Ingress
|
|
Egress
|
|
Events: <none>
|
|
|
|
|
|
Where:
|
|
|
|
|
|
.. _security-default-firewall-rules-d488e47:
|
|
|
|
|
|
.. table::
|
|
:widths: auto
|
|
|
|
+------------------------+------------------------+------------------------+
|
|
| Protocol | Port | Service Name |
|
|
+========================+========================+========================+
|
|
| tcp | 22 | ssh |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 8080 | horizon (http only) |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 8443 | horizon (https only) |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 5000 | keystone-api |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 6385 | stx-metal |
|
|
| | | |
|
|
| | | stx-config |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 8119 | stx-distcloud |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 18002 | stx-fault |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 7777 | stx-ha |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 4545 | stx-nfv |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 6443 | Kubernetes api server |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 9001 | Docker registry |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 9002 | Registry token server |
|
|
+------------------------+------------------------+------------------------+
|
|
| tcp | 15491 | stx-update |
|
|
+------------------------+------------------------+------------------------+
|
|
| icmp | | icmp |
|
|
+------------------------+------------------------+------------------------+
|
|
| udp | 123 | ntp |
|
|
+------------------------+------------------------+------------------------+
|
|
| udp | 161 | snmp |
|
|
+------------------------+------------------------+------------------------+
|
|
| udp | 2222 | service manager |
|
|
+------------------------+------------------------+------------------------+
|
|
| udp | 2223 | service manager |
|
|
+------------------------+------------------------+------------------------+
|
|
|
|
.. note::
|
|
Custom rules may be added for other requirements. For more information,
|
|
see |sec-doc|: :ref:`Firewall Options <security-firewall-options>`.
|
|
|
|
.. note::
|
|
UDP ports 2222 and 2223 are used by the service manager for state
|
|
synchronization and heart beating between the controllers. All messages are
|
|
authenticated with a SHA512 HMAC. Only packets originating from the peer
|
|
controller are permitted; all other packets are dropped.
|
|
|