Bug 1016805 - Lift port-based restrictions on outbound connections
Product: OpenShift Online
Classification: Red Hat
Component: Containers
Priority: medium
Severity: medium
Assigned To: Jhon Honce
QA Contact: libra bugs
Reported: 2013-10-08 13:45 EDT by Andy Grimm
Modified: 2016-11-07 22:47 EST
Doc Type: Bug Fix
Last Closed: 2013-10-28 19:36:42 EDT
Type: Bug
Description Andy Grimm 2013-10-08 13:45:31 EDT
We routinely get questions in the OpenShift forums and on IRC about "permission denied" errors on attempts to connect to an external service from an OpenShift gear.  Port 8081 has come up multiple times, but others have been requested.  I have not seen a clear list of which ports we allow, or an explanation of what we are achieving by blocking ports.  For malicious users, working around this is trivial, while for legitimate users, it only causes confusion and frustration when they hit it.  Please consider lifting this restriction entirely, or switching to a publicly defined blacklist with some explanation for the blocked ports.
Comment 1 Jhon Honce 2013-10-28 19:36:42 EDT
The Red Hat security team feels unrestricted outbound connections are too dangerous. The OpenShift Operations team has agreed with them.
Comment 2 Peter Zeltins 2013-11-01 11:28:58 EDT
So how can I allow an outgoing connection from an OpenShift app to an external service on a non-standard port for legitimate purposes?
Comment 3 ilnextbus 2013-12-15 14:58:26 EST

+1 for Peter's question.

I really would like to understand what the difference is between outgoing ports 8081 and 8082.
Outgoing port 8082 is wide open but 8081 is closed, for example:

# telnet 8082
Connected to
Escape character is '^]'.
GET /index.html

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition  4.0  Java/Oracle Corporation/1.7)
Server: GlassFish Server Open Source Edition  4.0 
Accept-Ranges: bytes

but telnet to the same IP on port 8081:
# telnet 8081
telnet: connect to address Permission denied
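
Added example, not part of the original report or of any comment: a small probe that separates the "Permission denied" failure shown above (connect() returning EACCES or EPERM, meaning the local system rejected the attempt) from a refusal by the remote host or a filtered path. The host 192.0.2.10 is a constructed placeholder, since the address in the comment is elided, and the function names are hypothetical.

```python
import errno
import socket

# errno values that mean the local host's own policy blocked the connect()
LOCAL_POLICY = {errno.EACCES, errno.EPERM}
# errno values that mean nothing answered (dropped, filtered, or no route)
NO_ANSWER = {errno.ETIMEDOUT, errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify(err):
    """Map the errno of a connect() attempt (0 = success) to its origin."""
    if err == 0:
        return "open"
    if err in LOCAL_POLICY:
        return "denied-locally"        # the case reported for port 8081
    if err == errno.ECONNREFUSED:
        return "refused-by-remote"     # remote sent RST: nothing listening
    if err in NO_ANSWER:
        return "unreachable-or-filtered"
    return "other:" + errno.errorcode.get(err, str(err))


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return classify(0)
        except socket.timeout:
            return classify(errno.ETIMEDOUT)
        except OSError as e:
            return classify(e.errno if e.errno is not None else -1)


def survey(host, ports, timeout=3.0):
    """Probe several ports; returns {port: label} for a support ticket."""
    return {p: probe(host, p, timeout) for p in ports}


if __name__ == "__main__":
    # Constructed sample target (TEST-NET-1); replace with the real service.
    for port, label in survey("192.0.2.10", [8081, 8082]).items():
        print(f"{port}: {label}")
```

A "denied-locally" result for one port next to "open" for its neighbour is the pattern described in the comment above, and is the detail worth including when asking the platform operator about a blocked port.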

Comment 4 Derrick Karimi 2014-02-28 23:40:51 EST
If you won't open outbound ports by default, please provide a way we can request outbound ports to be open.  I want telnet port 23 outbound open please.
