Description of problem: when installing RHEL-OSP-Installer with iptables port 80/443 should be opened only from management interface All other ports (DHCP/TFTP/DNS .... ) should be opened only on provision interface Current status - ports are opened on all interfaces ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 443 /* 443 accept - apache */ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 53 /* 53 accept - dns tcp */ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 53 /* 53 accept - dns udp */ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 69 /* 69 accept - tftp */ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 80 /* 80 accept - apache */ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 8140 /* 8140 accept - puppetmaster */ Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1.check iptables on rhel-osp-installer host 2.port 80/443 must be opened on management interface only 3.port 8140/53/69 4.DHCP port must be opened as well (67/68) Actual results: Expected results: Additional info:
(In reply to Ofer Blaut from comment #0) > Description of problem: > > when installing RHEL-OSP-Installer with iptables > > port 80/443 should be opened only from management interface > All other ports (DHCP/TFTP/DNS .... ) should be opened only on provision > interface > > Current status - ports are opened on all interfaces > > ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports > 443 /* 443 accept - apache */ > ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports > 53 /* 53 accept - dns tcp */ > ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports > 53 /* 53 accept - dns udp */ > ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports > 69 /* 69 accept - tftp */ > ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports > 80 /* 80 accept - apache */ > ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports > 8140 /* 8140 accept - puppetmaster */ > > > Version-Release number of selected component (if applicable): > > > How reproducible: > > > Steps to Reproduce: > 1.check iptables on rhel-osp-installer host > 2.port 80/443 must be opened on management interface only > 3.port 8140/53/69 > 4.DHCP port must be opened as well (67/68) port 8443 should be opened as well for * Foreman Proxy is running at https://puma33.scl.lab.tlv.redhat.com:8443 " > > Actual results: > > > Expected results: > > > Additional info:
workaround iptables -A INPUT -p udp --dport 67 -j ACCEPT iptables -A INPUT -p tcp --dport 8443 -j ACCEPT iptables-save > /etc/sysconfig/iptables
To be honest, I'm not sure there should be any ports blocked on the management network -- it's just going to cause problems with NFS, NTP, etc. etc. Obviously yes you want them closed on the external network...
port 8443 should not be opened. it's only used internally for the proxy. connections are only from localhost. Patch for port 67 https://github.com/theforeman/foreman-installer-staypuft/pull/57
(In reply to Ofer Blaut from comment #0) > Description of problem: > > Steps to Reproduce: > 1.check iptables on rhel-osp-installer host > 2.port 80/443 must be opened on management interface only I do not agree with this specific point. 80/443 should be opened on all interfaces. The user will likely want to access the Foreman web interface from either the pxe network (and in fact has to, since Puppet on the managed network will need access) but will likely also want to access the provisioning server from outside of that network. So this point is not valid.
Verified: FailedQA rhel-osp-installer-0.1.6-5.el6ost.noarch No need to open port 68. Need to add IPTABLES_MODULES="nf_conntrack_netbios_ns ip_conntrack_tftp" to /etc/sysconfig/iptables-config.
Allowed port 68 in https://github.com/theforeman/foreman-installer-staypuft/pull/66 and created a clone bug to allow modules, which is not that straightforward.
Verified: rhel-osp-installer-0.1.9-1.el6ost.noarch Taking in mind the comments, verifying this bug, as the following rules are added: ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 22 /* 22 accept - ssh */ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 443 /* 443 accept - apache */ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 53 /* 53 accept - dns tcp */ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 53 /* 53 accept - dns udp */ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 67 /* 67 accept - dhcp */ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 68 /* 68 accept - bootp */ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 69 /* 69 accept - tftp */ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 80 /* 80 accept - apache */ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 8140 /* 8140 accept - puppetmaster */ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED For comment #8: https://bugzilla.redhat.com/show_bug.cgi?id=1127724
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1090.html