Bug 1324157 - All firewall ports not listed in commands for Capsule
Summary: All firewall ports not listed in commands for Capsule
Keywords:
Status: CLOSED DUPLICATE of bug 1315972
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Documentation
Version: 6.1.7
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Stephen Wadeley
QA Contact: Peter Ondrejka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-04-05 17:05 UTC by Taft Sanders
Modified: 2019-04-01 20:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-30 22:41:51 UTC
Target Upstream Version:


Attachments
Satellite 6 communication matrix (63.70 KB, application/pdf)
2016-05-30 14:25 UTC, Taft Sanders

Description Taft Sanders 2016-04-05 17:05:09 UTC
Document URL: https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/Installation_Guide/sect-Red_Hat_Satellite-Installation_Guide-Red_Hat_Satellite_Capsule_Server_Prerequisites.html#brid-Connections_from_Satellite_to_Capsule

Section Number and Name: 7.2.3. Network Ports Required for Capsule Communications

Describe the issue: Ports 5646, 5647, and 443 are not included among the ports that need to be open on the Capsule

Suggestions for improvement: Add the proper iptables/firewall-cmd commands to open ports 5646, 5647, and 443

Additional information:

Comment 2 Stephen Wadeley 2016-04-28 18:55:54 UTC

See also

Bug 1275049 - Capsule install on AWS instance fails

Comment 4 Stephen Wadeley 2016-05-30 12:39:37 UTC
Hello Taft

Is it possible you have the 6.1 and 6.2 Beta docs mixed up, and you were trying to tell us you are missing the table in 6.2 Beta?

Thank you

Comment 5 Taft Sanders 2016-05-30 14:22:48 UTC
Hey Stephen,

A customer requested that our documentation state which ports need to be two-way or one-way specific. Their network environment is very strict and each port has to be requested to be opened, for what reasons, what kind of traffic it will be used for, and if the port needs to be two-way or one-way.

I have provided the customer with the Satellite 6 communication matrix spreadsheet that was provided to me. I will attach it to the case for your review.

Comment 6 Taft Sanders 2016-05-30 14:24:19 UTC
Also, in addition the customer requested the commands for iptables and firewalld be added to the documentation so they may copy and paste from the documentation.

Comment 7 Taft Sanders 2016-05-30 14:25:12 UTC
Created attachment 1162818 [details]
Satellite 6 communication matrix

Comment 8 Stephen Wadeley 2016-05-30 15:03:56 UTC
(In reply to Taft Sanders from comment #5)
> Hey Stephen,
> 
> A customer requested that our documentation state which ports need to be
> two-way or one-way specific. Their network environment is very strict and
> each port has to be requested to be opened, for what reasons, what kind of
> traffic it will be used for, and if the port needs to be two-way or one-way.
> 

So that is not the same as comment 0

We have a similar request here:
Bug 1315972 - Network flow , ports for patching and provisioning activities on satellite 6

Is this bug a duplicate? Can we close as duplicate?


> two-way or one-way specific

That question puzzles me. I am not sure what I should put in the guide.

TCP is bi-directional by design and UDP is not. 

For TCP, if you have a stateful firewall you just open in the outgoing direction. I have never used a non-stateful firewall, so I do not know whether you have to open in both directions permanently when you see TCP mentioned in the table, or if there are more options (such as simulating stateful firewall behavior), but as long as the direction is clear from the tables in the installation guide, the firewall admin should be able to work this out. That is the purpose of the per-direction tables added to the 6.1 docs: to provide the info required to plan what network-based firewall changes are required.

The only UDP communications in the tables are those used by TFTP and DHCP during provisioning. 

TFTP does send UDP packets in both directions, but the traffic is only initiated by the client, on a random port, and the destination port is 69 (server side). 

The DHCP service uses broadcast UDP packets, 67 is source and destination for the server and the client sends and receives on 68. You can think of that as bi-directional I suppose as the ports are known on both sides (no random source port in this case).


We are preparing a diagram to show these paths.
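
The copy-and-paste commands requested in comment 6, together with the stateful-firewall point made in comment 8, as an added example that is not part of this bug, its attachment, or the Satellite documentation. The port table is an assumption assembled only from what the comments above name (5646, 5647 and 443 TCP on the Capsule; TFTP on 69/udp and DHCP on 67/udp server side); every row must be confirmed against the per-direction tables in the installation guide before it is applied. The `firewall-cmd`, `iptables` and `conntrack` options used are standard ones, nothing Satellite-specific.

```shell
#!/bin/sh
# Added example (not from the bug, the attachment, or the Satellite docs):
# emit firewalld or iptables commands for the Capsule ports named in this
# bug. The table below is an ASSUMPTION built from comments 0 and 8 only;
# check each row against the installation guide before applying it.
#
# Every row is a port the Capsule LISTENS on, so each rule opens INPUT.
# Traffic the Capsule itself initiates (to the Satellite, for example) needs
# no extra port opened: a stateful firewall lets the replies back in, which
# is what the conntrack rule below does for iptables (comment 8's point).
CAPSULE_PORTS='5646 tcp
5647 tcp
443 tcp
69 udp
67 udp'

# One firewalld command for a port. --permanent writes the persistent
# config only, so render_rules appends "firewall-cmd --reload" at the end.
firewalld_rule() {
    printf 'firewall-cmd --permanent --add-port=%s/%s\n' "$1" "$2"
}

# One iptables command for a port, inserted at the top of INPUT so it takes
# precedence over any later REJECT/DROP rule in the chain.
iptables_rule() {
    printf 'iptables -I INPUT -p %s --dport %s -j ACCEPT\n' "$2" "$1"
}

# Stateful rule: admit return traffic of connections the Capsule opened.
iptables_stateful_rule() {
    printf 'iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# render_rules <firewalld|iptables>: print the complete command list for
# the chosen backend; returns 1 (prints nothing) for an unknown backend.
render_rules() {
    backend=$1
    case $backend in
        firewalld|iptables) ;;
        *) echo "unknown backend: $backend" >&2; return 1 ;;
    esac
    if [ "$backend" = iptables ]; then iptables_stateful_rule; fi
    printf '%s\n' "$CAPSULE_PORTS" | while read -r port proto; do
        if [ "$backend" = firewalld ]; then
            firewalld_rule "$port" "$proto"
        else
            iptables_rule "$port" "$proto"
        fi
    done
    if [ "$backend" = firewalld ]; then echo 'firewall-cmd --reload'; fi
}

# count_ports <tcp|udp>: how many ports of that protocol the table opens,
# useful when a strict network team wants the change request itemised.
count_ports() {
    printf '%s\n' "$CAPSULE_PORTS" |
        awk -v proto="$1" '$2 == proto { n++ } END { print n + 0 }'
}

# Usage:  sh capsule-ports.sh firewalld          # review the commands
#         sh capsule-ports.sh firewalld | sh     # apply them, as root
case "${1:-}" in
    firewalld|iptables) render_rules "$1" ;;
esac
```

Review the printed commands before piping them into a shell; on a host that already has a default-deny INPUT chain, `iptables -I` keeps the new rules ahead of it, and with firewalld the change is only live after the final `--reload`.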

Comment 9 Taft Sanders 2016-05-30 22:41:51 UTC
Hey Stephen,

Bug 1315972 does look like it would resolve the same information requested by the customer. I will mark this case as duplicate of 1315972.

Thanks

*** This bug has been marked as a duplicate of bug 1315972 ***

