NFM-P firewall and NAT rules
Overview
Firewall rules are applied to traffic arriving on the network interfaces of the NFM-P stations. As a rule, they are not applied to traffic leaving those interfaces.
For NFM-P installations that use RHEL as the operating system, the RHEL-supplied firewall (firewalld) can filter network traffic using the filter rules lists. Only experienced system administrators with extensive knowledge of the RHEL firewall should attempt to implement the filter rules lists provided with each NFM-P component; all others should disable the RHEL firewall, in which case the connection restrictions described in this section have to be enforced by a network firewall in front of the stations.
The installation of each NFM-P component includes the filter rules lists that must be applied for successful communication between the NFM-P components, XML API clients, and network elements. The table below lists where each component installs its sample files.
Table 6-19: Sample firewalld filter rules lists file locations

| Component | Protocol | File location |
|---|---|---|
| NFM-P server | IPv4/IPv6 | /opt/nsp/nfmp/server/nms/sample/firewall/ |
| NFM-P database | IPv4/IPv6 | /opt/nsp/nfmp/db/install/sample/firewall/ |
| NFM-P Statistics auxiliary | IPv4/IPv6 | /opt/nsp/nfmp/auxserver/nms/sample/firewall/ |
| NSP Flow Collector Controller | IPv4/IPv6 | /opt/nsp/flow/fcc/sample/firewalld/ |
| NSP Flow Collector | IPv4/IPv6 | /opt/nsp/flow/fc/sample/firewalld/ |
| NFM-P auxiliary database | IPv4 | /opt/nsp/nfmp/auxdb/install/config/sample/firewall/ |
| NFM-P client | IPv4/IPv6 | <base client install dir>/nms/sample/firewall/ |
| NFM-P client delegate server | IPv4/IPv6 | <base client install dir>/nms/sample/firewall/ |
All rules must be considered in full for the NFM-P systems to inter-operate correctly. The following tables define the connection details; the Notes column of each table states the conditions under which a particular table or connection applies, so a rule whose condition is not met in a deployment (for example, FTP when only SFTP is used) should be left out rather than opened by default.
See NFM-P Network Address Translation for supported NAT configurations.
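The script below is an added example; it is not part of the NFM-P documentation and not one of the sample filter rules lists shipped with the components. It turns a rule table in the layout of Table 6-20 into firewalld rich rules, one firewalld zone per NFM-P network interface number, and separately lists the rows that admit a cleartext management protocol so that each can be justified or replaced before the rule is applied. The zone names, the interface-to-zone mapping, and the CIDRs are assumptions: the tables in this section give each source as a role, and a deployment substitutes its own addresses. The same layout applies to every table in this section, so the same generator serves the database, auxiliary server, flow collector and other stations with their own rows.

```bash
#!/usr/bin/env bash
# Added example (not part of the NFM-P documentation): turn a rule table in the
# layout of Table 6-20 into firewalld rich rules, one zone per NFM-P network
# interface number, and audit the rows that open cleartext management protocols.
# The zone names, the interface-to-zone mapping and the CIDRs are assumptions.

# Interface number as used in the tables -> firewalld zone (assumed names).
zone_for_if() {
  case "$1" in
    1)   echo "nfmp-internal" ;;   # NFM-P server/database/auxiliary LAN
    2|4) echo "nfmp-managed"  ;;   # managed network (network elements)
    3)   echo "nfmp-client"   ;;   # GUI, XML API and web clients
    *)   return 1 ;;
  esac
}

# Constructed sample rows modelled on Table 6-20: source|dport|proto|if|note.
# The tables name the source by role; a deployment fills in its real CIDRs.
RULES='
10.10.1.0/24|22|tcp|1|redundant NFM-P server (SSH)
10.10.1.0/24|12300-12307|tcp|1|redundant NFM-P server
10.10.3.0/24|443|tcp|3|NFM-P GUI client (HTTPS)
10.10.3.0/24|8443|tcp|3|XML API client (HTTPS)
10.10.3.0/24|8080|tcp|3|XML API client (HTTP)
10.10.3.0/24|21|tcp|3|XML API client (FTP, if required)
10.20.0.0/16|162|udp|2|SNMP traps from NEs
10.20.0.0/16|-|icmp|2|Ping policy
'

# Print one firewall-cmd invocation per row. Nothing is applied here, so the
# output can be reviewed first and then piped to sh on the NFM-P station.
gen_rules() {
  printf '%s\n' "$RULES" | while IFS='|' read -r src dport proto ifn note; do
    [ -n "$src" ] || continue
    zone=$(zone_for_if "$ifn") || { echo "row '$note': unknown interface $ifn" >&2; exit 1; }
    if [ "$proto" = icmp ]; then
      match="protocol value=\"icmp\""                 # ICMP has no port
    else
      match="port port=\"$dport\" protocol=\"$proto\"" # single port or range
    fi
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" %s accept'\n" \
      "$zone" "$src" "$match"
  done
}

# List rows that admit a cleartext management protocol (FTP, Telnet, HTTP).
# The tables mark these "if required"; each needs a justification or a secure
# replacement (SFTP/SCP, SSH, HTTPS) before the rule is applied.
audit_cleartext() {
  printf '%s\n' "$RULES" | while IFS='|' read -r src dport proto ifn note; do
    [ -n "$src" ] || continue
    case "$proto/$dport" in
      tcp/20|tcp/21|tcp/23|tcp/80|tcp/8080)
        echo "CLEARTEXT $proto/$dport from $src: $note" ;;
    esac
  done
}

# Stand-alone run: print the generated rules, then the audit findings.
gen_rules
audit_cleartext
```

The zones must exist and be bound to the right interfaces before the generated rules are loaded (`firewall-cmd --permanent --new-zone=<zone>` and `firewall-cmd --permanent --zone=<zone> --change-interface=<iface>`), and the permanent rules take effect only after `firewall-cmd --reload`. Because every row is an accept for a specific source and port, a zone's default target still rejects everything not listed, which is the behaviour the tables assume.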
NFM-P server firewall and NAT rules
When there is a firewall at the NFM-P server, the following initiating connection details must be considered. Network Interface numbers refer to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-20: Firewall rules for traffic connecting to the NFM-P server

| Source | Source port | Destination port | Protocol | Network Interface | Notes |
|---|---|---|---|---|---|
| NFM-P server (public address) | Any | 21 | TCP | 3 | Connection to NFM-P server private address (if NAT in use) |
| XML API client | Any | 21 | TCP | 3 | If FTP is required |
| NSP flow collector controller | Any | 21 | TCP | 1 | If FTP is used |
| NFM-P server | Any | 22 | TCP | 1 | From the redundant NFM-P server |
| XML API client | Any | 22 | TCP | 3 | If SCP / SFTP is required |
| NSP flow collector controller | Any | 22 | TCP | 1 | If SCP / SFTP is used |
| 9500 MPR / Wavence | Any | 22 | TCP | 2 / 4 | NE backups |
| NFM-P server | Any | 443 | TCP | 1 | From the redundant NFM-P server, without NSP integration |
| NFM-P GUI client | Any | 443 | TCP | 3 | HTTPS |
| Managed Network | Any | 162 | UDP | 2 / 4 | SNMP trap initiated from the NE |
| Managed Network | Any | -- | ICMP | 2 / 4 | Ping policy |
| 1830 SMS HSM Server | 5552 | 758 | TCP | 2 / 4 | nlogin |
| NFM-P server (public address) | >1023 | >1023 | TCP | 3 | Connection to NFM-P server private address (if NAT in use) |
| NFM-P GUI client / XML API client | Any | 1097 | TCP | 3 | JMS |
| NFM-P auxiliary server | Any | 1097 | TCP | 1 | JMS |
| NFM-P server | Any | 1099 | TCP | 1 | From the redundant NFM-P server |
| NFM-P GUI client / XML API client | Any | 1099 | TCP | 3 | JNDI |
| NFM-P auxiliary server | Any | 1099 | TCP | 1 | JNDI |
| NSP flow collector controller | Any | 1099 | TCP | 1 | JNDI |
| NFM-P server | Any | 2181 | TCP | 1 | (nspOS) zookeeper non-secure. From the redundant NFM-P server, without NSP integration. |
| NFM-P auxiliary server | Any | 2181 | TCP | 1 | (nspOS) zookeeper non-secure |
| NSP flow collector controller | Any | 2181 | TCP | 1 | (nspOS) zookeeper non-secure |
| NFM-P server | Any | 2281 | TCP | 1 | (nspOS) zookeeper secure. From the redundant NFM-P server, without NSP integration. |
| NFM-P auxiliary server | Any | 2281 | TCP | 1 | (nspOS) zookeeper secure |
| NSP flow collector controller | Any | 2281 | TCP | 1 | (nspOS) zookeeper secure |
| NFM-P server | Any | 2390 | TCP | 1 | From the redundant NFM-P server, without NSP integration |
| NFM-P GUI client / XML API client | Any | 4447 | TCP | 3 | JMS |
| NFM-P auxiliary server | Any | 4447 | TCP | 1 | JMS |
| NFM-P server | Any | 5007 | TCP | 1 | From the redundant NFM-P server, without NSP integration |
| NFM-P server | Any | 6007 | TCP | 1 | From the redundant NFM-P server, without NSP integration |
| NFM-P server | Any | 6432 | TCP | 1 | From the redundant NFM-P server |
| NFM-P server | Any | 6432 | TCP | 1 | From the redundant NFM-P server, without NSP integration |
| NFM-P server | Any | 7473 | TCP | 1 | From the redundant NFM-P server, without NSP integration |
| NFM-P server | Any | 7687 | TCP | 1 | From the redundant NFM-P server, without NSP integration |
| NFM-P server | Any | 7879 | TCP | 1 | From the redundant NFM-P server |
| NSP flow collector controller | Any | 7879 | TCP | 1 | CPROTO |
| XML API client | Any | 8080 | TCP | 3 | HTTP |
| NSP flow collector controller | Any | 8080 | TCP | 1 | HTTP |
| NFM-P GUI client | Any | 8085 | TCP | 3 | HTTP |
| NFM-P server | Any | 8087 | TCP | 1 | From the redundant NFM-P server |
| NFM-P server | Any | 8087 | TCP | 1 | From the redundant NFM-P server, without NSP integration |
| NFM-P GUI client | Any | 8087 | TCP | 3 | HTTP(S) |
| NFM-P GUI client | Any | 8088 | TCP | 3 | HTTP(S) |
| NFM-P GUI client | Any | 8089 | TCP | 3 | HTTP(S) |
| NSP | Any | 8097 | TCP | 1 | From NSP, shared-mode only |
| XML API client | Any | 8443 | TCP | 3 | HTTPS |
| NSP flow collector controller | Any | 8443 | TCP | 1 | HTTPS |
| NFM-P GUI client | Any | 8444 | TCP | 3 | HTTPS |
| NFM-P server | Any | 8543 | TCP | 1 | From the redundant NFM-P server |
| NFM-P GUI client / Web client | Any | 8543 | TCP | 3 | HTTPS |
| NFM-P GUI client / Web client | Any | 8544 | TCP | 3 | HTTPS |
| RESTCONF client | Any | 8545 | TCP | 3 | HTTPS |
| NFM-P server | Any | 8617 | TCP | 1 | From the redundant NFM-P server, without NSP integration |
| NFM-P server | Any | 9010 | TCP | 1 | From the redundant NFM-P server |
| NFM-P server | Any | 9092 | TCP | 1 | From the redundant NFM-P server, without NSP integration |
| NSP Cluster | Any | 9100 | TCP | 1 | Node-exporter |
| NFM-P server | Any | 9192 | TCP | 1 | From the redundant NFM-P server, without NSP integration |
| kafka client | Any | 9192 | TCP | 3 | (nspOS) kafka secure |
| Web client | Any | 9443 | TCP | 3 | Swagger interface for HSM |
| NFM-P server | Any | 10290 | TCP | 1 | From the redundant NFM-P server, without NSP integration |
| NFM-P server | Any | 11800 | TCP | 1 | From the redundant NFM-P server |
| NFM-P server | Any | 12010 | TCP | 1 | From the redundant NFM-P server |
| NFM-P server | Any | 12300-12307 | TCP | 1 | From the redundant NFM-P server |
| NFM-P auxiliary server | Any | 12300-12307 | TCP | 1 | -- |
| NFM-P auxiliary server | Any | 12800 | TCP | 1 | -- |
Note: Due to the size of SNMP packets, IP fragmentation may occur in the network. Ensure the firewall will allow fragmented packets to reach the server(s).
NFM-P database firewall
When there is a firewall at the NFM-P database, the following initiating connection details must be considered. Network Interface numbers refer to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-21: Firewall rules for traffic connecting to the NFM-P database

| Source | Source port | Destination port | Protocol | Network Interface | Notes |
|---|---|---|---|---|---|
| NFM-P database | Any | 22 | TCP | 1 | |
| NFM-P server | Any | 1523 | TCP | 1 | |
| NFM-P database | Any | 1523 | TCP | 1 | From the redundant NFM-P database |
| NFM-P auxiliary server | Any | 1523 | TCP | 1 | |
| NSP analytics server | Any | 1523 | TCP | 1 | |
| NFM-P server | Any | 9002 | TCP | 1 | |
| NFM-P database | 9002 | 9002 | TCP | 1 | From the redundant NFM-P database |
| NFM-P auxiliary server | Any | 9002 | TCP | 1 | |
| NFM-P server | Any | 9003 | TCP | 1 | |
| NFM-P database | 9003 | 9003 | TCP | 1 | From the redundant NFM-P database |
| NFM-P auxiliary server | Any | 9003 | TCP | 1 | |
NFM-P auxiliary server firewall and NAT rules
When there is a firewall at the NFM-P auxiliary server, the following initiating connection details must be considered. Network Interface numbers refer to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-22: Firewall rules for traffic connecting to the NFM-P auxiliary server

| Source | Source port | Destination port | Protocol | Network Interface | Notes |
|---|---|---|---|---|---|
| NFM-P auxiliary server (public address) | Any | 21 | TCP | 3 | Connection to NFM-P auxiliary server private address (if NAT in use). If FTP is required |
| XML API client | Any | 21 | TCP | 3 | If FTP is required |
| XML API client | Any | 22 | TCP | 3 | If SFTP is required |
| NFM-P auxiliary server | Any | 22 | TCP | 1 | From the redundant NFM-P auxiliary server |
| NFM-P auxiliary server (public address) | >1023 | >1023 | TCP | 3 | Connection to NFM-P auxiliary server private address (if NAT in use). If FTP is required |
| NFM-P auxiliary server | Any | 1095 | TCP | 1 | From the redundant NFM-P auxiliary server |
| NSP Cluster | Any | 9100 | TCP | 1 | Node-exporter |
| NFM-P server | Any | 12300-12307 | TCP | 1 | -- |
| NFM-P auxiliary server | Any | 12300-12307 | TCP | 1 | From the redundant NFM-P auxiliary server |
| NFM-P server | Any | 12800 | TCP | 1 | -- |
| NFM-P auxiliary server | Any | 12800 | TCP | 1 | From the redundant NFM-P auxiliary server |
Note: Due to the size of SNMP packets, IP fragmentation may occur in the network. Ensure the firewall will allow fragmented packets to reach the server(s).
NSP flow collector controller firewall rules
When there is a firewall at the NSP flow collector controller, the following initiating connection details must be considered. Network Interface numbers refer to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-23: Firewall rules for traffic connecting to the NSP flow collector controller

| Source | Source port | Destination port | Protocol | Network Interface | Notes |
|---|---|---|---|---|---|
| NFM-P server / Dedicated file server | Any | 21 | TCP | 1 | If FTP is required |
| NFM-P server / Dedicated file server | Any | 22 | TCP | 1 | If SFTP is required |
| NSP flow collector controller | Any | 1090 | TCP | 1 | Inter-process communication |
| NSP flow collector controller | Any | 1098 | TCP | 1 | Inter-process communication |
| NSP flow collector controller | Any | 1099 | TCP | 1 | Inter-process communication |
| NSP flow collector controller | Any | 4444 | TCP | 1 | Inter-process communication |
| NSP flow collector controller | Any | 4445 | TCP | 1 | Inter-process communication |
| NSP flow collector controller | Any | 4446 | TCP | 1 | Inter-process communication |
| NSP flow collector controller | Any | 4457 | TCP | 1 | Inter-process communication |
| NFM-P server | Any | 7879 | TCP | 1 | CPROTO |
| NSP | Any | 7879 | TCP | 1 | CPROTO |
| Web client | Any | 8080 | TCP | 3 | Admin WebUI (non-secure) |
| NSP flow collector controller | Any | 8083 | TCP | 1 | Inter-process communication |
| Web client | Any | 8443 | TCP | 1 | Admin WebUI (secure) |
| NSP flow collector controller | Any | 9443 | TCP | 1 | Inter-process communication |
| NSP flow collector | Any | 22222 | TCP | 1 | SFTP |
| NSP flow collector controller | Any | 44444 | TCP | 1 | Inter-process communication |
NSP flow collector firewall rules
When there is a firewall at the NSP flow collector, the following initiating connection details must be considered. Network Interface numbers refer to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-24: Firewall rules for traffic connecting to the NSP flow collector

| Source | Source port | Destination port | Protocol | Network Interface | Notes |
|---|---|---|---|---|---|
| NFM-P server / Dedicated file server | Any | 21 | TCP | 1 | If FTP is required |
| NFM-P server / Dedicated file server | Any | 22 | TCP | 1 | If SFTP is required |
| Managed Network | Any | 2205 | UDP | 2 / 4 | CGNAT / IPFIX records |
| Managed Network | Any | 4739 | UDP | 2 / 4 | AA cflowd records |
| NFM-P server | Any | 7879 | TCP | 1 | CPROTO |
| NSP | Any | 7879 | TCP | 1 | CPROTO |
| Web client | Any | 8080 | TCP | 3 | Admin WebUI (non-secure) |
| NSP flow collector | Any | 8083 | TCP | 1 | Inter-process communication |
| Web client | Any | 8443 | TCP | 1 | Admin WebUI (secure) |
| NSP flow collector controller | Any | 44444 | TCP | 1 | Inter-process communication |
NFM-P auxiliary database firewall rules
When there is a firewall at the NFM-P auxiliary database, the following initiating connection details must be considered. Network Interface numbers refer to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Because the inter-node communication of the auxiliary database cluster should traverse a private LAN, implementing a firewall on that interface is not recommended.
Table 6-25: Firewall rules for traffic connecting to the NFM-P auxiliary database

| Source | Source port | Destination port | Protocol | Network Interface | Notes |
|---|---|---|---|---|---|
| NFM-P auxiliary database | Any | 22 | TCP | 1 | SFTP between clusters |
| NSP flow collector | Any | 5433 | TCP | 1 | JDBC |
| NFM-P server | Any | 5433 | TCP | 1 | JDBC |
| NFM-P statistics auxiliary | Any | 5433 | TCP | 1 | JDBC |
| NSP analytics server | Any | 5433 | TCP | 1 | JDBC |
| NFM-P server | Any | 7299 | TCP | 1 | RMI secure = true |
| NFM-P server | Any | 7299-7309 | TCP | 1 | RMI secure = false |
| NFM-P auxiliary database | Any | 50000 | TCP | 1 | Rsync between clusters |
NSP analytics server firewall rules
When there is a firewall at the NSP analytics server, the following initiating connection details must be considered. Network Interface numbers refer to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-26: Firewall rules for traffic connecting to the NSP analytics server

| Source | Source port | Destination port | Protocol | Network Interface | Notes |
|---|---|---|---|---|---|
| NFM-P server | Any | 8080 | TCP | 1 | HTTP |
| NFM-P client | Any | 8080 | TCP | 1 | HTTP |
| NFM-P server | Any | 8443 | TCP | 1 | HTTPS |
| Web client | Any | 8443 | TCP | 1 | HTTPS |
NFM-P client and client delegate firewall rules
When there is a firewall at the client or client delegate, the following initiating connection details must be considered. Network Interface numbers refer to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-27: Firewall rules for traffic connecting to the NFM-P client and client delegate

| Source | Source port | Destination port | Protocol | Network Interface | Notes |
|---|---|---|---|---|---|
| NFM-P server | -- | -- | ICMP | 3 | Ping; client delegate only |
| Managed Network | Any | 20 | TCP | 2 / 4 | Active FTP, 9500 MPR / Wavence (NEtO) |
| Managed Network | Any | 21 | TCP | 2 / 4 | 9500 MPR / Wavence (NEtO) |
| Managed Network | Any | 22 | TCP | 2 / 4 | 9500 MPR / Wavence (NEtO) |
| Managed Network | Any | 162 | UDP | 2 / 4 | 9500 MPR / Wavence (NEtO) |
| Managed Network | >1023 | >1023 | TCP | 2 / 4 | Passive FTP, 9500 MPR / Wavence (NEtO) |
| Managed Network | 5010 | 5010 | UDP | 2 / 4 | 9500 MPR / Wavence (NEtO) |
Managed network firewall rules
When there is a firewall at the managed network, the following initiating connection details must be considered. Network Interface numbers refer to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-28: Firewall rules for traffic connecting to the managed network

| Source | Source port | Destination port | Protocol | Network Interface | Notes |
|---|---|---|---|---|---|
| NFM-P server | Any | 21 | TCP | 2 / 4 | FTP |
| NFM-P auxiliary server | Any | 21 | TCP | 2 / 4 | FTP, NFM-P statistics auxiliary |
| NFM-P client (NEtO) | Any | 21 | TCP | 2 / 4 | FTP, 9500 MPR / Wavence management |
| NFM-P server | Any | 22 | TCP | 2 / 4 | SSH |
| NFM-P auxiliary server | Any | 22 | TCP | 2 / 4 | SSH, NFM-P statistics auxiliary |
| NFM-P client (NEtO) | Any | 22 | TCP | 2 / 4 | SFTP, 9500 MPR / Wavence management (MSS-8/4/1) |
| NFM-P server | Any | 23 | TCP | 2 / 4 | Telnet |
| NFM-P auxiliary server | Any | 23 | TCP | 2 / 4 | Telnet, NFM-P statistics auxiliary |
| NFM-P client (NEtO) | Any | 23 | TCP | 2 / 4 | Telnet, 9500 MPR / Wavence management |
| NFM-P client | Any | 80 | TCP | 2 / 4 | HTTP (GNE / Omni) |
| NFM-P client (NEtO) | Any | 80 | TCP | 2 / 4 | HTTP, 9500 MPR / Wavence (MSS-8/4/1 and 9400 AWY) |
| NFM-P server | Any | 161 | UDP | 2 / 4 | SNMP |
| NFM-P auxiliary server | Any | 161 | UDP | 2 / 4 | SNMP, NFM-P statistics auxiliary |
| NFM-P client (NEtO) | Any | 161 | UDP | 2 / 4 | SNMP, 9500 MPR / Wavence management |
| NFM-P client | Any | 443 | TCP | 2 / 4 | HTTPS (GNE / Omni) |
| NFM-P server | >1023 | >1023 | TCP | 2 / 4 | Passive FTP transfer |
| NFM-P auxiliary server | >1023 | >1023 | TCP | 2 / 4 | Passive FTP transfer, NFM-P statistics auxiliary |
| NFM-P client (NEtO) | >1023 | >1023 | TCP | 2 / 4 | Passive FTP transfer, 9500 MPR / Wavence management |
| NFM-P server | Any | 1491 | TCP | 2 / 4 | SNMP streaming |
| NFM-P server | Any | 5001 | TCP | 2 / 4 | CPAA / vCPAA |
| NFM-P client (NEtO) | 5010 | 5010 | UDP | 2 / 4 | SNMP, 9500 MPR / Wavence (MSS-8/4/1) |
| NFM-P client (NEtO) | Any | 11500 | UDP | 2 / 4 | Equipment View (GUI), 9500 MPR / Wavence (MSS-1C / MPR-e) |
pki-server firewall rules
When there is a firewall at the pki-server, the following initiating connection details must be considered. Network Interface numbers refer to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-29: Firewall rules for traffic connecting to the pki-server

| Source | Source port | Destination port | Protocol | Network Interface | Notes |
|---|---|---|---|---|---|
| NFM-P main server | Any | 2391 | TCP | 1 | |
| NFM-P database server | Any | 2391 | TCP | 1 | |
| NFM-P auxiliary server | Any | 2391 | TCP | 1 | |
| NFM-P auxiliary database server | Any | 2391 | TCP | 1 | |
| NSP analytics server | Any | 2391 | TCP | 1 | |
| NSP flow collector | Any | 2391 | TCP | 1 | |
Remote authentication server firewall rules
When there is a firewall at the remote authentication servers, the following initiating connection details must be considered. Network Interface numbers refer to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-30: Firewall rules for traffic connecting to remote authentication servers

| Source | Source port | Destination port | Protocol | Notes |
|---|---|---|---|---|
| NFM-P server | Any | 49 | TCP / UDP | TACACS |
| NFM-P server | Any | 389 | TCP / UDP | LDAP |
| NFM-P server | Any | 636 | TCP / UDP | LDAPS |
| NFM-P server | Any | 1812 | UDP | RADIUS |