Bug 1016805

Summary: Lift port-based restrictions on outbound connections
Product: OpenShift Online
Reporter: Andy Grimm <agrimm>
Component: Containers
Assignee: Jhon Honce <jhonce>
Status: CLOSED NOTABUG
QA Contact: libra bugs <libra-bugs>
Severity: medium
Priority: medium
Version: 2.x
CC: derrick.karimi, ilnextbus, jgoulding, peter
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-10-28 23:36:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Andy Grimm 2013-10-08 17:45:31 UTC
We routinely get questions in the OpenShift forums and on IRC about "permission denied" errors on attempts to connect to an external service from an OpenShift gear.  Port 8081 has come up multiple times, but others have been requested.  I have not seen a clear list of which ports we allow, or an explanation of what we are achieving by blocking ports.  For malicious users, working around this is trivial, while for legitimate users, it only causes confusion and frustration when they hit it.  Please consider lifting this restriction entirely, or switching to a publicly defined blacklist with some explanation for the blocked ports.

Comment 1 Jhon Honce 2013-10-28 23:36:42 UTC
The Red Hat security team feels unrestricted outbound connections are too dangerous. The OpenShift Operations team has agreed with them.

Comment 2 Peter Zeltins 2013-11-01 15:28:58 UTC
So how can I allow an outgoing connection from an OpenShift app to an external service on a non-standard port for legitimate purposes?

Comment 3 ilnextbus 2013-12-15 19:58:26 UTC
Hi,

+1 for Peter's question.

I really would like to understand what the difference is between outgoing ports 8081 and 8082.
Outgoing port 8082 is wide open but 8081 is closed, for example:

# telnet 81.218.41.96 8082
Trying 81.218.41.96...
Connected to 81.218.41.96.
Escape character is '^]'.
GET /index.html

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition  4.0  Java/Oracle Corporation/1.7)
Server: GlassFish Server Open Source Edition  4.0 
Accept-Ranges: bytes

but telnet to the same IP on port 8081:
# telnet 81.218.41.96 8081
Trying 81.218.41.96...
telnet: connect to address 81.218.41.96: Permission denied

Thanks.
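The telnet session above distinguishes an allowed port (8082 connects) from a filtered one (8081 fails immediately with "Permission denied", i.e. EACCES from connect(2)) by hand. The script below, an added example and not code from this bug or from OpenShift, automates that check across a list of ports and classifies each outcome by errno: EACCES/EPERM means the local host refused to send anything (a local policy decision such as the gear egress filter discussed here), ECONNREFUSED means the SYN left the host and the remote end answered with RST, and a timeout or EHOSTUNREACH means the packet went out but nothing useful came back. The default target is the host from comment 3 and the default port list (including 23 from comment 4) is an assumption; running it against a real host sends SYNs to that host, so point it at something you control.

```python
import errno
import socket
import sys

# Outcome labels. Only BLOCKED_LOCALLY is evidence of an egress policy on
# this host; every other label means the connection attempt left the host.
BLOCKED_LOCALLY = "blocked-locally"   # EACCES/EPERM: local firewall/SELinux-style policy
OPEN = "open"                         # three-way handshake completed
REFUSED = "refused"                   # remote sent RST: reachable, nothing listening
TIMEOUT = "timeout"                   # no answer: dropped upstream or host absent
UNREACHABLE = "unreachable"           # ICMP unreachable (routing/remote filtering)


def classify_errno(code):
    """Map the errno from a failed connect() to one of the labels above."""
    if code in (errno.EACCES, errno.EPERM):
        return BLOCKED_LOCALLY
    if code == errno.ECONNREFUSED:
        return REFUSED
    if code in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return UNREACHABLE
    return "error:%s" % errno.errorcode.get(code, code)


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and return an outcome label (never raises)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except socket.timeout:          # must precede socket.error (it is a subclass)
        return TIMEOUT
    except socket.error as e:       # OSError on Python 3
        return classify_errno(e.errno)
    finally:
        s.close()


def probe_ports(host, ports, timeout=3.0):
    return dict((p, probe(host, p, timeout)) for p in ports)


def egress_report(results):
    """Split probe results into ports the local policy blocked vs. the rest."""
    blocked = sorted(p for p, r in results.items() if r == BLOCKED_LOCALLY)
    left_host = sorted(p for p, r in results.items() if r != BLOCKED_LOCALLY)
    return blocked, left_host


def self_check():
    """Offline sanity check on loopback: a live listener must classify as OPEN,
    and the same port after the listener is closed must classify as REFUSED."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    lst.listen(1)
    port = lst.getsockname()[1]
    r_open = probe("127.0.0.1", port, 1.0)
    lst.close()
    r_closed = probe("127.0.0.1", port, 1.0)   # nothing listens there now
    return r_open, r_closed


if __name__ == "__main__":
    # Host from comment 3; port list is an assumption (23 is from comment 4).
    host = sys.argv[1] if len(sys.argv) > 1 else "81.218.41.96"
    ports = [int(p) for p in sys.argv[2:]] or [22, 23, 80, 443, 8080, 8081, 8082]
    results = probe_ports(host, ports)
    for p in ports:
        print("%5d  %s" % (p, results[p]))
    blocked, left = egress_report(results)
    print("blocked by local policy: %s" % blocked)
    print("left the host (open/refused/timeout/unreachable): %s" % left)
```

Run it from inside the gear as `python probe.py <host> 8081 8082` and compare with the same run from an unrestricted machine: ports that come back "blocked-locally" only on the gear are the ones the platform filters, regardless of what the remote host does. The loopback self_check() needs no network and is what the classification logic is tested against.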

Comment 4 Derrick Karimi 2014-03-01 04:40:51 UTC
If you won't open outbound ports by default, please provide a way we can request outbound ports to be open.  I want telnet port 23 outbound open please.