Red Hat Bugzilla – Bug 1016805
Lift port-based restrictions on outbound connections
Last modified: 2016-11-07 22:47:14 EST
We routinely get questions in the OpenShift forums and on IRC about "permission denied" errors on attempts to connect to an external service from an OpenShift gear. Port 8081 has come up multiple times, but others have been requested. I have not seen a clear list of which ports we allow, or an explanation of what we are achieving by blocking ports. For malicious users, working around this is trivial, while for legitimate users, it only causes confusion and frustration when they hit it. Please consider lifting this restriction entirely, or switching to a publicly defined blacklist with some explanation for the blocked ports.
The Red Hat security team feels unrestricted outbound connections are too dangerous. The OpenShift Operations team has agreed with them.
So how can I allow an outgoing connection from an OpenShift app to an external service on a non-standard port for legitimate purposes?
+1 for Peter's question.
I really would like to understand what the difference is between outgoing ports 8081 and 8082.
Outgoing port 8082 is wide open but 8081 is closed, for example:
# telnet 126.96.36.199 8082
Connected to 188.8.131.52.
Escape character is '^]'.
HTTP/1.1 200 OK
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.0 Java/Oracle Corporation/1.7)
Server: GlassFish Server Open Source Edition 4.0
But telnet to the same IP on port 8081:
# telnet 184.108.40.206 8081
telnet: connect to address 220.127.116.11: Permission denied
If you won't open outbound ports by default, please provide a way we can request outbound ports to be open. I want telnet port 23 outbound open please.