
Ports used between the FOG Master and the FOG Node and between FOG Node and Hosts

Seb77, last edited Jun 16, 2020, 9:28 AM

    Hey everyone, please excuse my English.

    I've been using FOG at work for a while, but I've run into a problem: I'm trying to secure the communication between the FOG Master and the Node, and between the FOG Node and hosts.

    On my firewall (CentOS 7 with firewalld and iptables) I tried to accept only the ports FOG needs, but when I accept the ports listed at https://wiki.fogproject.org/wiki/index.php?title=FOGUserGuide#Full_Listing_of_Ports_used_by_FOG_server_and_client
    the site of the FOG Master has bugs (I can't see any node other than the one of the FOG Master, can't go to some tabs...).
    But I can capture and deploy without a problem.

    Can I have some help?

    Thanks

    P.S.: If there are some French folks who can help me in my native language, it would be awesome.

Sebastian Roth (Moderator), last edited Jun 16, 2020, 12:46 PM

    @Seb77 said in Ports used between the FOG Master and the FOG Node and between FOG Node and Hosts:

    I try to secure the communication between the FOG Master and the Node and between the FOG Node and hosts

    FOG uses the FTP protocol (replication from master to storage node), which is not great security-wise. Actually, it's hell. We have discussed this a fair bit, but it just takes too much work to quickly switch to a different protocol, and so it's still in use. For FTP you need to open high ports (1024-65535), as FTP opens data connections on random port numbers, which renders firewall security mostly useless.

    The site of the FOG Master has bugs (I can't see any node other than the one of the FOG MASTER, can't go to some tabs...)

    Can you please explain exactly what the issue is here? Maybe post a screenshot, which tells more than a thousand words.

    If there are some French folks who can help me in my native language, it would be awesome

    Sorry, not me. Never learned it at school.

    Web GUI issue? Please check the Apache error log (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and the php-fpm log (/var/log/php*-fpm.log)

    Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

Seb77, last edited Jun 16, 2020, 2:42 PM

    First of all, thanks for the reply.
    Here is a screenshot of the error when I try to access some tabs (it can be any of the tabs, it depends):
    [screenshot attachment: Forum.PNG]

    I get this error only when the firewall is active.

    If I understand well, there is no way to totally secure the FOG communication because of the FTP protocol?
    The problem is that I have to deploy a Node for a client who needs everything 100% secure. Can't I use another protocol than FTP?

Seb77 @Seb77, last edited Jun 16, 2020, 3:03 PM

    And here is my TEST iptables config:
    # SSH
    iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    # MySQL/MariaDB (FOG database)
    iptables -t filter -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
    iptables -t filter -A INPUT -p udp -m udp --dport 3306 -j ACCEPT
    # FTP data (20) and control (21): image replication between nodes
    iptables -t filter -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
    iptables -t filter -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    # TFTP: PXE boot files
    iptables -t filter -A INPUT -p udp -m udp --dport 69 -j ACCEPT
    # HTTP/HTTPS: web GUI and client traffic
    iptables -t filter -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -t filter -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    # portmapper (111) and NFS (2049): image store
    iptables -t filter -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
    iptables -t filter -A INPUT -p udp -m udp --dport 111 -j ACCEPT
    iptables -t filter -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
    iptables -t filter -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
    # Whole unprivileged range, for FTP data connections on random ports
    iptables -t filter -A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
    iptables -t filter -A INPUT -p udp -m udp --dport 1024:65535 -j ACCEPT
    # Same set mirrored on OUTPUT, matched by source port
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m udp --sport 3306 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 20 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 21 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m udp --sport 69 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 111 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m udp --sport 111 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 2049 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m udp --sport 2049 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 1024:65535 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m udp --sport 1024:65535 -j ACCEPT
    # Default deny for everything else (duplicated "-t filter" option removed)
    iptables -t filter -A INPUT -j DROP
    iptables -t filter -A OUTPUT -j DROP

george1421 (Moderator), last edited Jun 16, 2020, 5:16 PM

    FWIW one of the previous developers created a small cheat sheet for setting up firewall rules for FOG: https://forums.fogproject.org/topic/6162/firewall-configuration

    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

Sebastian Roth (Moderator), last edited Jun 16, 2020, 6:03 PM

    @Seb77 Some Linux services like Apache and PHP-FPM communicate through the local loopback device called lo, and you need to add a rule to allow that traffic as well. Otherwise you get the error posted in the picture.

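The two constraints raised in this thread, FTP data connections landing on random high ports (Sebastian Roth's first reply) and the Apache/PHP-FPM traffic over the loopback device (his second), can both be handled without opening 1024:65535 inbound. The script below is an added example written for this page; it is not code from the FOG project or from anyone in the thread. It generates a stateful iptables ruleset that allows loopback, attaches the kernel's FTP connection-tracking helper (nf_conntrack_ftp) to the FTP control port so PASV/PORT data connections are accepted as RELATED, and opens only the listener ports named in the wiki list quoted above. The MGMT_NET subnet and the decision to restrict SSH and MySQL to it are assumptions for the example; adjust them to your network. Rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not FOG project code): stateful iptables ruleset for a FOG
# server that does not open the whole 1024:65535 range for passive FTP.

# Assumed management subnet (TEST-NET-1, replace with your own).
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

# Print the ruleset, one iptables command per line. Nothing is applied here.
fog_rules() {
    cat <<EOF
# Start clean in the two chains we manage.
iptables -F INPUT
iptables -t raw -F PREROUTING
# Loopback: Apache <-> PHP-FPM and other local services talk over lo.
iptables -A INPUT -i lo -j ACCEPT
# Assign the FTP helper to control connections explicitly. Since kernel 4.7
# helpers are no longer auto-assigned (net.netfilter.nf_conntrack_helper=0),
# so without this CT rule PASV data connections would never become RELATED.
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
# Replies and helper-expected data connections come in as ESTABLISHED,RELATED.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Listeners hosts and peer nodes must reach (ports from the FOG wiki list):
# HTTP/HTTPS (web GUI, client), TFTP (PXE), FTP control, portmapper and NFS.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 69 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p udp --dport 2049 -j ACCEPT
# Admin and inter-node services limited to the management subnet (assumption).
iptables -A INPUT -s $MGMT_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s $MGMT_NET -p tcp --dport 3306 -j ACCEPT
# Default deny inbound, set last so a remote session is not cut off mid-way;
# outbound stays open because replication and client traffic originate here.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Apply the generated rules. Needs root and the FTP helper module.
apply_fog_rules() {
    modprobe nf_conntrack_ftp || return 1
    fog_rules | grep -v '^#' | sh -e
}

# Sanity check: number of rules that open the whole unprivileged range.
# The point of the helper is that this stays at 0.
count_wide_open() {
    fog_rules | grep -c -- '--dport 1024:65535' || true
}

# Review with: fog_rules; apply with: apply_fog_rules (as root).
```

Run `fog_rules` to review the output and `apply_fog_rules` as root to load the helper and install it. Two checks are worth doing afterwards: `conntrack -L` during a replication run should show the data connection with the `ftp` helper's parent, and `rpcinfo -p` on the server should be reviewed because NFSv3 side services (mountd, statd, lockd) take dynamic ports unless pinned in the NFS service configuration, so 111/2049 alone may not be enough for a v3 mount.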
Wayne Workman, last edited Jun 16, 2020, 10:51 PM

    @Seb77 this might be helpful: https://wiki.fogproject.org/wiki/index.php?title=CentOS_7#Continue_pre-config
    The services are listed, and some UDP ports. This config does work.

    Daily Clean Installation Results:
    https://fogtesting.fogproject.us/
    FOG Reporting:
    https://fog-external-reporting-results.fogproject.us/

Copyright © 2012-2024 FOG Project