
TUSK Firewall Defaults

TUSK servers only need a few services exposed to the local network, or the network at large. They are:

  • SSH port 22/tcp - This provides shell access for system management. Access should be restricted to only internal hosts or networks: TUSK servers that are exposed to the Internet should not leave SSH exposed to anything but local administrative accounts and servers, to protect them.
  • HTTP port 80/tcp - Basic web service port. This is typically accessible to the entire local network or to the Internet at large for public sites.
  • HTTPS port 443/tcp - Encrypted web service port. This handles secured web traffic, and should be exposed to the same entire local network or the Internet at large.
  • MySQL port 3306/tcp - Database access for TUSK. This should allow access only to the TUSK web servers and to designated MySQL slaves for backup or failover access.
  • NFS - TUSK servers may be NFS clients of a NAS or storage server, to allow the TUSK hosts to share uploaded data. This storage should be only accessible from the TUSK servers.

No other ports are required. Optional ports that may be useful for monitoring include:

  • SNMP port 161/udp - Local monitoring tools like MRTG or rrdtool may need this, but the service should be restricted to password-protected access only from local hosts or local VLANs.
  • NRPE port 5666/tcp - Nagios or Icinga can use NRPE for running local Nagios checks or shell commands. Configure with caution: the "nrpe.cfg" file can also be used to restrict NRPE access.

Custom MySQL IPtables Firewall

  1. Create a customized, root-owned /etc/sysconfig/iptables.mysql file with something like this content. The source network after each "-s" is missing from the page as captured; replace each placeholder with the actual network in CIDR form (an "-s" with no argument is a syntax error and iptables will refuse the whole file):
    -A INPUT -i eth0 -p tcp -s <summer-st-vlan-168-network> --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp -s <internal-tufts-vlan-network> --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
    1. The first rule restricts access to the front end ports of the Summer St. VLAN 168.
    2. The second rule allows access from the internal Tufts VLANs without further restriction.
    3. Seriously consider refining these rules to allow only designated hosts for production environments.
  2. Run the "system-config" tool to add this rule.
    1. The tool is "system-config-securitylevel" on RHEL or CentOS 5.
    2. The tool is "system-config-firewall-tui" on RHEL or CentOS 6.
    3. Select to customize the firewall.
      1. Keep passing through the screens until asked to "Use custom rules".
      2. Add a new rule, if necessary.
        1. The "Protocol Type" is "tcp".
        2. The "Firewall Table" is "filter".
        3. The "File" is "/etc/sysconfig/iptables.mysql".
  3. Make sure that a way to log directly into the console exists, because a firewall mistake can cut off SSH and interrupt services.
  4. Restart iptables. The first command only confirms that the iptables service is enabled at boot; the second applies the rules:
    /sbin/chkconfig --list iptables
    /sbin/service iptables restart
  5. Test the rules.
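The following is an added example, not code from the TUSK project or from this page. It generates the body of a rule file like /etc/sysconfig/iptables.mysql from a list of designated source hosts or networks (step 1, point 3 above), refusing to emit anything if an entry is empty or malformed, so the missing "-s" argument shown above cannot reach the running firewall. It goes slightly beyond the page by appending a final DROP for port 3306 so that sources not listed are rejected outright. The interface name eth0 is carried over from the page's rules; the sample networks are constructed documentation ranges, not Tufts' real VLANs.

```shell
#!/bin/sh
# Added example, not part of the TUSK page or project. Builds the contents of
# a custom iptables rule file for MySQL (port 3306/tcp) from a list of allowed
# source networks, validating each one so that "-s" is never left empty.
# The interface name eth0 is assumed, as in the page's rules.

# Return 0 if $1 is an IPv4 address or CIDR (e.g. 192.0.2.10 or 198.51.100.0/24).
valid_cidr() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    ip="${1%%/*}"
    prefix="${1#*/}"
    # No slash present: treat the entry as a single host (/32).
    [ "$prefix" = "$1" ] && prefix=32
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # Exactly four numeric octets, each in the range 0-255.
    [ "$(printf '%s\n' "$ip" | awk -F. 'NF==4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; print "ok" }')" = "ok" ]
}

# Print one ACCEPT rule per allowed network, then a DROP for every other
# source, so MySQL is reachable only from the designated hosts. Prints nothing
# and returns 1 if the list is empty or any entry fails validation.
gen_mysql_rules() {
    [ "$#" -gt 0 ] || return 1
    for net in "$@"; do
        valid_cidr "$net" || return 1
    done
    for net in "$@"; do
        printf '%s\n' "-A INPUT -i eth0 -p tcp -s $net --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -i eth0 -p tcp --dport 3306 -j DROP"
}

# Usage with constructed sample networks (documentation ranges, not real VLANs).
# Redirect the output into the rule file once the list is correct.
gen_mysql_rules 192.0.2.10 198.51.100.0/24
```

Run it once with the intended networks, inspect the output, and only then write it to /etc/sysconfig/iptables.mysql and restart iptables from a console session, as in steps 3 and 4 above.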