Firewall¶

Recommendations¶

Recommended firewall solution is to use firewalld. But firewalld configuration can be easily understood and translated to other solutions like nftables or iptables.

Configuring Firewalld for Onteon¶

Non-SSL communication¶

FirewallD on Onteon Control Center¶

• 7020 - available to ONMs

  firewall-cmd         \
     --permanent      \
     --zone=public    \
     --add-rich-rule="rule family=\"ipv4\" source address=\"ONM_IP\" port protocol=\"tcp\" port=\"7020\" accept"
  

• 7020 - available to Onteon CLI

  firewall-cmd         \
      --permanent      \
      --zone=public    \
      --add-rich-rule="rule family=\"ipv4\" source address=\"OCLI_IP\" port protocol=\"tcp\" port=\"7020\" accept"
  

SSL communication¶

FirewallD on Onteon Control Center¶

• 7019 - available to ONMs

  firewall-cmd         \
     --permanent      \
     --zone=public    \
     --add-rich-rule="rule family=\"ipv4\" source address=\"ONM_IP\" port protocol=\"tcp\" port=\"7019\" accept"
  

• 7019 - available to Onteon CLI

  firewall-cmd         \
      --permanent      \
      --zone=public    \
      --add-rich-rule="rule family=\"ipv4\" source address=\"OCLI_IP\" port protocol=\"tcp\" port=\"7019\" accept"
  

FirewallD on Onteon Node Manager¶

• 8020 - available to WWW or selected IP addresses

  firewall-cmd         \
      --permanent      \
      --zone=public    \
      --add-rich-rule="rule family=\"ipv4\" source address=\"PRIVATE_IP\" port protocol=\"tcp\" port=\"8020\" accept"
  

• 8030 - available to OCC

  firewall-cmd         \
      --permanent      \
      --zone=public    \
      --add-rich-rule="rule family=\"ipv4\" source address=\"OCC_IP\" port protocol=\"tcp\" port=\"8030\" accept"
  

• range 10000-20000 - available between ONMs

  firewall-cmd         \
      --permanent      \
      --zone=public    \
      --add-rich-rule="rule family=\"ipv4\" source address=\"OTHER_ONM\" port protocol=\"tcp\" port=\"10000-20000\" accept"