Ports used between the FOG Master and the FOG Node and between FOG Node and Hosts



  • Hey everyone, please excuse me for my English.

    It’s been a while that I’ve been using FOG at work, but I have run into a problem: I try to secure the communication between the FOG Master and the Node and between the FOG Node and hosts.

    On my firewall (CentOS 7 with firewalld and iptables) I tried to only accept the ports FOG needs, but when I accept the ports found on: https://wiki.fogproject.org/wiki/index.php?title=FOGUserGuide#Full_Listing_of_Ports_used_by_FOG_server_and_client
    the site of the FOG Master bugs (I can’t see other Nodes other than the one of the FOG MASTER, can’t go to some tabs…)
    But I can capture and deploy without a problem.

    Can I have some help?

    Thanks

    P.S.: If there are some French folks who can help me in my native language, it would be awesome.



  • @Seb77 this might be helpful. https://wiki.fogproject.org/wiki/index.php?title=CentOS_7#Continue_pre-config
    The services are listed, and some UDP ports. This config does work.


  • Senior Developer

    @Seb77 Some Linux services like Apache and PHP-FPM communicate through the local loopback device called lo and you need to add a rule to allow that traffic as well. Otherwise you get the error posted in the picture.


  • Moderator

    FWIW one of the previous developers created a small cheat sheet for setting up firewall rules for FOG: https://forums.fogproject.org/topic/6162/firewall-configuration



  • And here is my TEST iptables config
    # SSH
    iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    # MySQL (FOG nodes talk to the master database)
    iptables -t filter -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
    iptables -t filter -A INPUT -p udp -m udp --dport 3306 -j ACCEPT
    # FTP data (active mode) and FTP control
    iptables -t filter -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
    iptables -t filter -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    # TFTP (PXE boot files)
    iptables -t filter -A INPUT -p udp -m udp --dport 69 -j ACCEPT
    # Web UI / client communication
    iptables -t filter -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -t filter -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    # NFS (rpcbind + nfsd) for image capture/deploy
    iptables -t filter -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
    iptables -t filter -A INPUT -p udp -m udp --dport 111 -j ACCEPT
    iptables -t filter -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
    iptables -t filter -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
    # High ports for FTP passive data connections
    iptables -t filter -A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
    iptables -t filter -A INPUT -p udp -m udp --dport 1024:65535 -j ACCEPT
    # Matching OUTPUT rules, keyed on source port
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m udp --sport 3306 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 20 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 21 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m udp --sport 69 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 111 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m udp --sport 111 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 2049 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m udp --sport 2049 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -m tcp --sport 1024:65535 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m udp --sport 1024:65535 -j ACCEPT
    # Default deny (iptables rejects a repeated -t flag, so it is given once)
    iptables -t filter -A INPUT -j DROP
    iptables -t filter -A OUTPUT -j DROP



  • First of all, thanks for the reply.
    Here is a screenshot of the error when I try to access some tabs (it can be all of the tabs, it depends):
    (screenshot: Forum.PNG)

    I get this error only when I have the firewall active.

    If I understand well, there is no way to totally secure the FOG communication because of the FTP protocol?
    The problem is that I have to deploy a Node for a client who needs everything 100% secure; can’t I use another protocol than FTP?


  • Senior Developer

    @Seb77 said in Ports used between the FOG Master and the FOG Node and between FOG Node and Hosts:

    I try to secure the communication between the FOG Master and the Node and between the FOG Node and hosts

    FOG uses the FTP protocol (replication from master to storage node), which is not great security-wise. Actually it’s hell. We have discussed this a fair bit, but it just takes too much work to quickly switch to a different protocol, and so it’s still in use. For FTP you need to open high ports (1024 – 65535) as FTP opens data connections on random port numbers, which renders firewall security mostly useless.

    the site of the FOG Master bugs (I can’t see other Nodes other than the one of the FOG MASTER, can’t go to some tabs…)

    Can you please explain exactly what the issue is here? Maybe post a screenshot, which tells more than a thousand words.

    If there are some French folks who can help me in my native language, it would be awesome

    Sorry, not me. Never learned it at school.
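As an added example (not from this thread or the FOG project), the two points raised above, the missing loopback rule and the 1024–65535 range that FTP forces open, can be handled with connection tracking: the nf_conntrack_ftp helper marks each FTP data connection as RELATED to its port-21 control session, so only those get through instead of the whole ephemeral range. The function only prints the rules so they can be reviewed before being applied as root; the interface name eth0 and the 10.0.0.0/24 deployment subnet are assumptions.

```shell
#!/bin/sh
# Added example: generate a tighter FOG firewall rule set that relies on
# connection tracking instead of opening TCP/UDP 1024:65535 outright.
# Assumptions: LAN interface eth0, FOG server/client subnet 10.0.0.0/24.

FOG_IF="${FOG_IF:-eth0}"
FOG_NET="${FOG_NET:-10.0.0.0/24}"

fog_fw_rules() {
    # Load the FTP conntrack helper and bind it explicitly to port 21 so it
    # works regardless of the nf_conntrack_helper auto-assign sysctl.
    echo "modprobe nf_conntrack_ftp"
    echo "iptables -t raw -A PREROUTING -i $FOG_IF -p tcp --dport 21 -j CT --helper ftp"
    # Apache <-> PHP-FPM and MySQL talk over loopback; without these rules
    # the web UI breaks as described in the thread.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Replies and FTP data connections ride on the tracked control session,
    # so the ephemeral range never has to be opened wholesale.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Services FOG exposes, restricted to the deployment subnet.
    for spec in tcp:22 tcp:21 tcp:80 tcp:443 udp:69 tcp:111 udp:111 tcp:2049 udp:2049 tcp:3306; do
        proto=${spec%%:*}; port=${spec##*:}
        echo "iptables -A INPUT -i $FOG_IF -s $FOG_NET -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Outbound connections the server itself starts (DNS, replication to nodes).
    echo "iptables -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT"
    # Default deny; log a sample of drops so the rule set can be tuned.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'fog-fw-drop: '"
    echo "iptables -A INPUT -j DROP"
    echo "iptables -A OUTPUT -j DROP"
}

# Number of generated rules that still open the whole ephemeral range (should be 0).
fog_fw_wide_open_count() {
    fog_fw_rules | grep -c '1024:65535' || true
}

# Apply only when explicitly asked and running as root; otherwise just print.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    fog_fw_rules | sh -e
else
    fog_fw_rules
fi
```

Storage nodes need the same port-21 helper binding on their side, since the master connects to them as an FTP client during replication.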

