Bug #3359

Documentation for iptables rules requirements

Added by Duncan Innes over 4 years ago. Updated 4 days ago.

Status:Closed
Priority:Normal
Assignee:Duncan Innes
Category:-
Target version:1.3.1

Description

Whilst it might not be the most difficult thing to track down the firewall requirements for Foreman when installing on systems which require iptables lockdown, there doesn't seem to be any mention of the requirements in the documentation.

It would be helpful if there was advice on which ports/protocols are required for Foreman deployments of different types, i.e. Foreman standalone, separate database, various types of smart proxy, etc.

Happy to help with writing this up - will be my first effort in Markdown though. Is there a definitive list of port requirements anywhere? Assistance on where this would fit in the documentation would also be a help.

History

#1 Updated by Dominic Cleal over 4 years ago

Thanks for the offer, that'd be much appreciated.

So the following ports are usually used:

  • HTTP (80/tcp), HTTPS (443/tcp) for access to Foreman
  • 8443/tcp for access to the proxy - should only be opened to the Foreman host if they're separate
  • 8140/tcp for the Puppet master
  • 67-68/udp for DHCP proxy servers
  • 69/udp for TFTP proxy servers (installed by default on the Foreman all-in-one)
  • 53/udp and 53/tcp for DNS proxy servers

I would suggest repurposing section 3.1 in the manual from "Supported Platforms" to System or Installation Requirements, move platforms to 3.1.1 and add network/firewall config into 3.1.2 or similar.

The source for the manual is on GitHub in the theforeman.org project. Here's section 3.1 specifically: https://github.com/theforeman/theforeman.org/blob/gh-pages/_includes/manuals/1.3/3.1_platforms.md. As you said, it's Markdown, but the formatting's easy.

The sections are managed and put together in this top level file:
https://github.com/theforeman/theforeman.org/blob/gh-pages/manuals/1.3/index.md

See the repo README file for how to bring up a test instance of the website locally too.

#2 Updated by Dominic Cleal over 4 years ago

I missed out databases, which would be 3306/tcp for MySQL and 5432/tcp for PostgreSQL.
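As an added example (not from this bug or the Foreman project), a POSIX shell helper that prints the iptables INPUT rules for the ports listed in comments #1 and #2, one role per deployment component, so the rules can be reviewed before they are applied. The role names, the `rule` helper and the `FOREMAN_HOST` placeholder are this example's own conventions, and limiting the database ports to the Foreman host is an assumption beyond the comment above, which only states that for the proxy.

```shell
#!/bin/sh
# Print (do not apply) iptables rules for the Foreman components named in this bug.
# FOREMAN_HOST is a constructed placeholder for the Foreman server's address; set it
# for your environment. Only the proxy and database roles use it.
FOREMAN_HOST="${FOREMAN_HOST:-192.0.2.10}"

# rule PROTO PORT [SOURCE] - emit one ACCEPT rule, optionally limited to SOURCE
rule() {
    if [ -n "$3" ]; then
        echo "iptables -A INPUT -p $1 -s $3 --dport $2 -j ACCEPT"
    else
        echo "iptables -A INPUT -p $1 --dport $2 -j ACCEPT"
    fi
}

# foreman_fw_rules ROLE... - roles: foreman proxy puppet dhcp tftp dns mysql postgresql
foreman_fw_rules() {
    for role in "$@"; do
        case "$role" in
            foreman)    rule tcp 80; rule tcp 443 ;;
            proxy)      rule tcp 8443 "$FOREMAN_HOST" ;;   # proxy API only needed by Foreman
            puppet)     rule tcp 8140 ;;
            dhcp)       rule udp 67:68 ;;
            tftp)       rule udp 69 ;;
            dns)        rule udp 53; rule tcp 53 ;;
            mysql)      rule tcp 3306 "$FOREMAN_HOST" ;;   # assumption: DB serves Foreman only
            postgresql) rule tcp 5432 "$FOREMAN_HOST" ;;
            *) echo "unknown role: $role" >&2; return 1 ;;
        esac
    done
}
```

Run it as root on the host that plays the role, e.g. `foreman_fw_rules proxy dhcp tftp | sh`; the default INPUT policy and an established-connections rule are left to the existing firewall setup.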

#3 Updated by Duncan Innes over 4 years ago

Sounds the right way forward to me. I'll knock some text together and see what I come up with.

3.1 (System|Installation) Requirements

3.1.1 Platforms
3.1.2 Firewall Config

#4 Updated by Dominic Cleal over 4 years ago

  • Status changed from New to Closed
  • Assignee set to Duncan Innes
  • Target version set to 1.15.0
  • % Done changed from 0 to 100
  • Legacy Backlogs Release (now unused) set to 1
