Ports used between the FOG Master and the FOG Node and between FOG Node and Hosts
- 
 Hey everyone, please excuse my English. I've been using FOG at work for a while, but I've run into a problem: I am trying to secure the communication between the FOG Master and the Node and between the FOG Node and hosts. On my firewall (CentOS 7 with firewalld and iptables) I tried to only accept the ports FOG needs, but when I accept the ports found at: https://wiki.fogproject.org/wiki/index.php?title=FOGUserGuide#Full_Listing_of_Ports_used_by_FOG_server_and_client 
 the site of the FOG Master bugs (I can't see any Node other than the one of the FOG MASTER, and can't go to some tabs…)
 But I can capture and deploy without a problem. Can I have some help? Thanks. P.S.: If there are some French folks who can help me in my native language, it would be awesome. 
- 
 @Seb77 said in Ports used between the FOG Master and the FOG Node and between FOG Node and Hosts:
 "i try to secure the communication between the FOG Master and the Node and between the FOG Node and hosts"
 FOG uses the FTP protocol (replication from master to storage node), which is not great security-wise. Actually it's hell. We have discussed this a fair bit, but it just takes too much work to quickly switch to a different protocol, and so it's still in use. For FTP you need to open high ports (1024 – 65535), as FTP opens data connections on random port numbers, which renders firewall security mostly useless.
 "The site of the FOG Master bug (i can't see other Node other than the one of the FOG MASTER, can't go on some tab…)"
 Can you please explain exactly what the issue is here? Maybe post a screenshot, which tells more than a thousand words.
 "If there is some french folks who can help me in my native language it would be awesome"
 Sorry, not me. Never learned it at school. 
- 
 First of all, thanks for the reply. 
 Here is a screenshot of the error I get when I try to access some tabs (it can be any of the tabs, it depends).
 I only get this error when the firewall is active. If I understand correctly, there is no way to totally secure the FOG communication because of the FTP protocol? 
 The problem is that I have to deploy a Node for a client who needs everything 100% secure. Can't I use another protocol than FTP?
- 
 And here is my TEST iptables config 
 # inbound: ssh, mysql, ftp (control + active data), tftp, http/https, rpcbind, nfs
 iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 iptables -t filter -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
 iptables -t filter -A INPUT -p udp -m udp --dport 3306 -j ACCEPT
 iptables -t filter -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
 iptables -t filter -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
 iptables -t filter -A INPUT -p udp -m udp --dport 69 -j ACCEPT
 iptables -t filter -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 iptables -t filter -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
 iptables -t filter -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
 iptables -t filter -A INPUT -p udp -m udp --dport 111 -j ACCEPT
 iptables -t filter -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
 iptables -t filter -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
 # inbound: the whole unprivileged range, for FTP passive data connections
 iptables -t filter -A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
 iptables -t filter -A INPUT -p udp -m udp --dport 1024:65535 -j ACCEPT
 # outbound: replies from the same service ports
 iptables -t filter -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
 iptables -t filter -A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT
 iptables -t filter -A OUTPUT -p udp -m udp --sport 3306 -j ACCEPT
 iptables -t filter -A OUTPUT -p tcp -m tcp --sport 20 -j ACCEPT
 iptables -t filter -A OUTPUT -p tcp -m tcp --sport 21 -j ACCEPT
 iptables -t filter -A OUTPUT -p udp -m udp --sport 69 -j ACCEPT
 iptables -t filter -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
 iptables -t filter -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
 iptables -t filter -A OUTPUT -p tcp -m tcp --sport 111 -j ACCEPT
 iptables -t filter -A OUTPUT -p udp -m udp --sport 111 -j ACCEPT
 iptables -t filter -A OUTPUT -p tcp -m tcp --sport 2049 -j ACCEPT
 iptables -t filter -A OUTPUT -p udp -m udp --sport 2049 -j ACCEPT
 iptables -t filter -A OUTPUT -p tcp -m tcp --sport 1024:65535 -j ACCEPT
 iptables -t filter -A OUTPUT -p udp -m udp --sport 1024:65535 -j ACCEPT
 # everything else (including traffic on lo) is dropped
 iptables -t filter -A INPUT -j DROP
 iptables -t filter -A OUTPUT -j DROP
- 
 FWIW one of the previous developers created a small cheat sheet for setting up firewall rules for FOG: https://forums.fogproject.org/topic/6162/firewall-configuration 
- 
 @Seb77 Some Linux services like Apache and PHP-FPM communicate through the local loopback device called lo, and you need to add a rule to allow that traffic as well. Otherwise you get the error posted in the picture.
- 
 @Seb77 this might be helpful. https://wiki.fogproject.org/wiki/index.php?title=CentOS_7#Continue_pre-config 
 The services are listed, and some UDP ports. This config does work.

