What ports does FOG use?
-
I’ve used the info from the FOG wiki security page to make firewall rules on the server. So far this has worked well except for one thing. During the imaging process when it gets to the deployment script, it stops. I checked the server logs and a TCP port around 46500 was being blocked. I added it to the rules and all was fine until the FOG server needed to be restarted. The port number then changed to a different TCP port around 55000. I conducted another test and sure enough the port number changed again after the server was restarted. The logs mentioned something about RPC.
My best guess based on my online searches and the FOG wiki article is that this has to do with NFS and dynamic ports. The article doesn’t elaborate more on what range of ports are required or the possibility to configure NFS to use static ports.
Does anyone have any insight or knowledge about this? Is it NFS? If so, what options do I have?
-
@fogcloud Specific to your changing tcp 46500, 55000, etc… etc… I think this was due to NFS and RPC-Bind
I have pushed code for dev-branch and working-1.6 (just this morning) that should maintain NFS static port to 20048 which can be both TCP and UDP. At least this way, it’s static.
-
@fogcloud we have an ansible playbook to handle FOG firewall rules (firewalld) and the ports used are:
```yaml
allow_icmp:
  - echo-request
  - echo-reply
services:
  - ftp
  - http
  - mountd
  - nfs
  - rpc-bind
  - tftp
ports:
  - { port: 20048, proto: tcp }          # nfs
  - { port: 20048, proto: udp }          # nfs
  - { port: "35350-36350", proto: udp }  # tftp
  - { port: "49512-65532", proto: udp }  # multicast
```
the port 20048 is added on nfs.conf
the range 35350-36350 is added on tftp options
and the 49512-65532 is for all the dynamic ports
-
@AUTH-IT-Center @fogcloud I will work toward firewall-cmd (as that’s the system I’m using - Fedora 40) but the services I have enabled on mine:
(Standard server - I’m working with 1.6 so bear with that as well)

services: ftp, http, https, mountd, nfs, rpc-bind, ssh, tftp  # this will often include ports
ports:
  {port: 111, protos: udp, tcp}        # Portmapper - NFS uses this
  {port: 49512-65532, protos: udp}     # multicast
if we want ports related to each service:
20, 21 TCP - FTP
22 TCP - SSH
69 UDP - TFTP
80 TCP - HTTP
111 TCP, UDP - PORTMAPPER, RPC-BIND
443 TCP - HTTPS
20048 TCP, UDP - MOUNTD
49512-65532 UDP - MULTICAST (if you really want to get down to it, these should only be even numbered ports as well - to lessen number of open ports)
If you have a dhcp server, I think you’d need:
67-68 UDP
Now to be fair I don’t know if there’s anything else necessary but I think this would cover everything you would need. TFTP is only needed for the initial getting of the files during PXE boot so I believe that will always be port 69, no need for the UDP ports (though happy to be corrected if needed.)
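The two posts above (the firewalld/ansible list and the per-service port list) both hinge on one point: mountd only stays on tcp/udp 20048 if it is pinned in nfs.conf, otherwise rpcbind hands it a dynamic port and the firewall rule breaks after a reboot. The script below is an added example, not code from the FOG project or from either poster. It checks whether mountd is registered on a static port by parsing `rpcinfo -p` output, prints the nfs.conf fragment that pins it, and prints (dry run, nothing is executed) the `firewall-cmd` rules for the services and ranges listed in the thread. The two `rpcinfo -p` samples are constructed to show the before and after states; the `[mountd] port=` key is the nfs-utils nfs.conf setting, and the helper names are mine.

```shell
#!/bin/sh
# Added example: verify mountd is on a static port and emit the matching
# firewall rules. Sample data below is constructed, not captured from a real host.

# Constructed `rpcinfo -p` output from a server where mountd is NOT pinned:
# it registered on 46500, which is what the original poster saw blocked.
RPCINFO_DYNAMIC='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp  46500  mountd
    100005    3   tcp  46500  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs'

# Same server after nfs.conf pins mountd to 20048 (constructed).
RPCINFO_STATIC='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs'

# mountd_ports: distinct ports mountd is registered on, one per line.
# Arg 1: text of `rpcinfo -p`. Field 5 is the service name, field 4 the port.
mountd_ports() {
    printf '%s\n' "$1" | awk '$5 == "mountd" { print $4 }' | sort -un
}

# mountd_is_pinned: succeed only if every mountd registration (tcp and udp)
# is on the expected port. Arg 1: rpcinfo text; arg 2: expected port (20048).
mountd_is_pinned() {
    expected="${2:-20048}"
    ports=$(mountd_ports "$1")
    [ -n "$ports" ] || return 1          # mountd not registered at all
    for p in $ports; do
        [ "$p" = "$expected" ] || return 1
    done
    return 0
}

# nfs_conf_fragment: the nfs-utils /etc/nfs.conf stanza that pins mountd.
nfs_conf_fragment() {
    printf '%s\n' '[mountd]' 'port=20048'
}

# firewalld_commands: dry run of the firewall-cmd calls for the services and
# ranges given in the thread. Printed, not executed; run them if you agree.
firewalld_commands() {
    for svc in ftp http https mountd nfs rpc-bind ssh tftp; do
        echo "firewall-cmd --permanent --add-service=$svc"
    done
    echo "firewall-cmd --permanent --add-port=20048/tcp"        # mountd, pinned in nfs.conf
    echo "firewall-cmd --permanent --add-port=20048/udp"
    echo "firewall-cmd --permanent --add-port=49512-65532/udp"  # multicast
    echo "firewall-cmd --reload"
}

# report: human-readable verdict for one rpcinfo capture.
report() {
    if mountd_is_pinned "$2"; then
        echo "$1: mountd pinned to 20048, the static firewall rule is enough"
    else
        echo "$1: mountd on dynamic port(s) $(mountd_ports "$2" | tr '\n' ' ')- pin it in nfs.conf"
    fi
}

report "before" "$RPCINFO_DYNAMIC"
report "after"  "$RPCINFO_STATIC"
```

On a real server, replace the constructed samples with `rpcinfo -p` run after `systemctl restart nfs-server`; if the check fails, apply the nfs.conf fragment, restart NFS and rpcbind, and re-run it before reloading the firewall.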
-
@Tom-Elliott @AUTH-IT-Center
Thank you both very much for the fast and detailed responses! NFS mountd was indeed the culprit. Port 20048 was allowed, but I wasn’t aware that this needed to be configured in the nfs.conf file. Confirmed that imaging is working now.
-