Additional NSP component firewall and NAT rules
Overview
Firewall rules are applied to the incoming network interface traffic. As a rule, firewall rules are not applied to the outgoing network interface traffic.
For installations using RHEL as the Operating System, the RHEL supplied firewall can be used to filter network traffic using filter rules lists. Only experienced system administrators with extensive knowledge of the RHEL firewall should attempt to implement the filter rules lists provided with each component. All others should disable the RHEL firewall.
The installation of each component will include the filter rules lists to be applied for successful communication between different NSP components, XML API clients, and network elements. The table below defines the location
Table 6-17: Sample firewalld filter rules lists file locations
|
Component |
Protocol |
File location |
|---|---|---|
|
NFM-P server |
IPv4/IPv6 |
/opt/nsp/nfmp/server/nms/sample/firewall/ |
|
NFM-P database |
IPv4/IPv6 |
/opt/nsp/nfmp/db/install/sample/firewall/ |
|
NFM-P Statistics auxiliary |
IPv4/IPv6 |
/opt/nsp/nfmp/auxserver/nms/sample/firewall/ |
|
NSP auxiliary database |
IPv4 |
/opt/nsp/nfmp/auxdb/install/config/sample/firewall/ |
|
NFM-P client |
IPv4/IPv6 |
<base client install dir>/nms/sample/firewall/ |
|
NFM-P client delegate server |
IPv4/IPv6 |
<base client install dir>/nms/sample/firewall/ |
It is imperative that all rules are considered completely for the NSP systems to inter-operate correctly. The following tables will define the connection details. Within the section there will be a number of conditions that indicate whether or not that particular table or connection needs to be applied.
See NFM-P Network Address Translation for supported NAT configurations.
NFM-P server firewall and NAT rules
When there is a firewall at the NFM-P server, the following initiating connection details must be considered. Network Interface number is in reference to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces
Table 6-18: Firewall rules for traffic connecting to the NFM-P server
|
Source |
Source port |
Destination port |
Protocol |
Network Interface |
Notes |
|---|---|---|---|---|---|
|
NFM-P server (public address) |
Any |
21 |
TCP |
3 |
Connection to NFM-P server private address (if NAT in use) |
|
XML API client |
Any |
21 |
TCP |
3 |
If FTP is required |
|
NSP cluster |
Any |
21 |
TCP |
1 |
If FTP is used |
|
NFM-P server |
Any |
22 |
TCP |
1 |
From the redundant NFM-P server |
|
XML API client |
Any |
22 |
TCP |
3 |
If SCP / SFTP is required |
|
NSP cluster |
Any |
22 |
TCP |
1 |
If SCP / SFTP is used |
|
9500 MPR / Wavence |
Any |
22 |
TCP |
2 / 4 |
NE backups |
|
NFM-P GUI client |
Any |
443 |
TCP |
3 |
HTTPS |
|
Managed Network |
Any |
162 |
UDP |
2 / 4 |
SNMP trap initiated from the NE |
|
Managed Network |
Any |
-- |
ICMP |
2 / 4 |
Ping policy |
|
1830 SMS HSM Server |
5552 |
758 |
TCP |
2 / 4 |
nlogin |
|
NFM-P server (public address) |
>1023 |
>1023 |
TCP |
3 |
Connection to NFM-P server private address (if NAT in use) |
|
NFM-P GUI client / XML API client |
Any |
1097 |
TCP |
3 |
JMS |
|
NFM-P auxiliary server |
Any |
1097 |
TCP |
1 |
JMS |
|
NFM-P server |
Any |
1099 |
TCP |
1 |
From the redundant NFM-P server |
|
NFM-P GUI client / XML API client |
Any |
1099 |
TCP |
3 |
JNDI |
|
NFM-P auxiliary server |
Any |
1099 |
TCP |
1 |
JNDI |
|
NSP cluster |
Any |
1099 |
TCP |
1 |
JNDI |
|
NFM-P GUI client / XML API client |
Any |
4447 |
TCP |
3 |
JMS |
|
NFM-P auxiliary server |
Any |
4447 |
TCP |
1 |
JMS |
|
NFM-P server |
Any |
7879 |
TCP |
1 |
From the redundant NFM-P server |
|
NSP cluster |
Any |
7879 |
TCP |
1 |
CPROTO |
|
XML API client |
Any |
8080 |
TCP |
3 |
HTTP |
|
NSP cluster |
Any |
8080 |
TCP |
1 |
HTTP |
|
NFM-P GUI client |
Any |
8085 |
TCP |
3 |
HTTP |
|
NFM-P server |
Any |
8087 |
TCP |
1 |
From the redundant NFM-P server |
|
NFM-P GUI client |
Any |
8087 |
TCP |
3 |
HTTP(S) |
|
NFM-P GUI client |
Any |
8089 |
TCP |
3 |
HTTP(S) |
|
NSP |
Any |
8097 |
TCP |
1 |
From NSP |
|
XML API client |
Any |
8443 |
TCP |
3 |
HTTPS |
|
NSP cluster |
Any |
8443 |
TCP |
1 |
HTTPS |
|
NFM-P GUI client |
Any |
8444 |
TCP |
3 |
HTTPS |
|
NFM-P server |
Any |
8543 |
TCP |
1 |
From the redundant NFM-P server |
|
NFM-P GUI client / Web client |
Any |
8543 |
TCP |
3 |
HTTPS |
|
NFM-P server |
Any |
9010 |
TCP |
1 |
From the redundant NFM-P server |
|
NSP Cluster |
Any |
9100 |
TCP |
1 |
Node-exporter |
|
Web client |
Any |
9443 |
TCP |
3 |
Swagger interface for HSM |
|
NFM-P server |
Any |
10290 |
TCP |
1 |
From the redundant NFM-P server |
|
NFM-P server |
Any |
11800 |
TCP |
1 |
From the redundant NFM-P server |
|
NFM-P server |
Any |
12010 |
TCP |
1 |
From the redundant NFM-P server |
|
NFM-P server |
Any |
12300-12307 |
TCP |
1 |
From the redundant NFM-P server |
|
NFM-P auxiliary server |
Any |
12300-12307 |
TCP |
1 |
-- |
|
NFM-P auxiliary server |
Any |
12800 |
TCP |
1 |
-- |
Note: Due to the size of SNMP packets, IP fragmentation may occur in the network. Ensure the firewall will allow fragmented packets to reach the server(s).
NFM-P database firewall
When there is a firewall at the NFM-P database, the following initiating connection details must be considered. Network Interface number is in reference to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces)/
Table 6-19: Firewall rules for traffic connecting to the NFM-P database
|
Source |
Source port |
Destination port |
Protocol |
Network Interface |
Notes |
|---|---|---|---|---|---|
|
NFM-P database |
Any |
22 |
TCP |
1 |
|
|
NFM-P server |
Any |
1523 |
TCP |
1 |
|
|
NFM-P database |
Any |
1523 |
TCP |
1 |
From the redundant NFM-P database |
|
NFM-P auxiliary server |
Any |
1523 |
TCP |
1 |
|
|
NSP server |
Any |
1523 |
TCP |
1 |
|
|
NFM-P server |
Any |
9002 |
TCP |
1 |
|
|
NFM-P database |
9002 |
9002 |
TCP |
1 |
From the redundant NFM-P database |
|
NFM-P auxiliary server |
Any |
9002 |
TCP |
1 |
|
|
NFM-P server |
Any |
9003 |
TCP |
1 |
|
|
NFM-P database |
9003 |
9003 |
TCP |
1 |
From redundant NFM-P database |
|
NFM-P auxiliary server |
Any |
9003 |
TCP |
1 |
NFM-P auxiliary server firewall and NAT rules
When there is a firewall at the NFM-P auxiliary server, the following initiating connection details must be considered. Network Interface number is in reference to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-20: Firewall rules for traffic connecting to the NFM-P auxiliary server
|
Source |
Source port |
Destination port |
Protocol |
Network Interface |
Notes |
|---|---|---|---|---|---|
|
NFM-P auxiliary server public address |
Any |
21 |
TCP |
3 |
Connect to NFM-P auxiliary server private address (for NAT) If FTP is required |
|
XML-API Client |
Any |
21 |
TCP |
3 |
If FTP is required |
|
XML-API Client |
Any |
22 |
TCP |
3 |
If SFTP is required |
|
NFM-P auxiliary server |
Any |
22 |
TCP |
1 |
From redundant NFM-P auxiliary server |
|
NFM-P auxiliary server public address |
>1023 |
>1023 |
TCP |
3 |
Connect to NFM-P auxiliary server private address (for NAT) If FTP is required |
|
NFM-P auxiliary server |
Any |
1095 |
TCP |
1 |
From redundant NFM-P auxiliary server |
|
NSP Cluster |
Any |
9100 |
TCP |
1 |
Node-exporter |
|
NFM-P server |
Any |
12300 - 12307 |
TCP |
1 |
-- |
|
NFM-P auxiliary server |
Any |
12300 - 12307 |
TCP |
1 |
From redundant NFM-P auxiliary server |
|
NFM-P server |
Any |
12800 |
TCP |
1 |
-- |
|
NFM-P auxiliary server |
Any |
12800 |
TCP |
1 |
From redundant NFM-P auxiliary server |
Note: Due to the size of SNMP packets, IP fragmentation may occur in the network. Ensure the firewall will allow fragmented packets to reach the server(s).
NSP auxiliary database firewall rules
When there is a firewall at the NSP auxiliary database, the following initiating connection details must be considered. Network Interface number is in reference to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Since the inter-node communication should traverse a private LAN, it is not recommended to implement a firewall on this interface.
Table 6-21: Firewall rules for traffic connecting to the NSP auxiliary database
|
Source |
Source port |
Destination port |
Protocol |
Network Interface |
Notes |
|---|---|---|---|---|---|
|
NSP auxiliary database |
Any |
22 |
TCP |
1 |
SFTP between clusters |
|
NFM-P server |
Any |
5433 |
TCP |
1 |
JDBC |
|
NFM-P statistics auxiliary |
Any |
5433 |
TCP |
1 |
JDBC |
|
NSP cluster |
Any |
5433 |
TCP |
1 |
JDBC |
|
NFM-P server |
Any |
7299 |
TCP |
1 |
RMI secure = true |
|
NFM-P server |
Any |
7299 - 7309 |
TCP |
1 |
RMI secure - false |
|
NSP auxiliary database |
Any |
50000 |
TCP |
1 |
Rsync between clusters |
NFM-P client and client delegate firewall rules
When there is a firewall at the client or client delegate, the following initiating connection details must be considered. Network Interface number is in reference to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-22: Firewall rules for traffic connecting to the NFM-P client and client delegate
|
Source |
Source port |
Destination port |
Protocol |
Network Interface |
Notes |
|---|---|---|---|---|---|
|
NFM-P server |
-- |
-- |
ICMP |
3 |
Ping Client delegate only |
|
Managed Network |
Any |
20 |
TCP |
2 / 4 |
Active FTP 9500 MPR / Wavence (NEtO) |
|
Managed Network |
Any |
21 |
TCP |
2 / 4 |
9500 MPR / Wavence (NEtO) |
|
Managed Network |
Any |
22 |
TCP |
2 / 4 |
9500 MPR / Wavence (NEtO) |
|
Managed Network |
Any |
162 |
UDP |
2 / 4 |
9500 MPR / Wavence (NEtO) |
|
Managed Network |
>1023 |
>1023 |
TCP |
2 / 4 |
Passive FTP 9500 MPR / Wavence (NEtO) |
|
Managed Network |
5010 |
5010 |
UDP |
2 / 4 |
9500 MPR / Wavence (NEtO) |
Managed network firewall rules
When there is a firewall at the managed network, the following initiating connection details must be considered. Network Interface number is in reference to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.
Table 6-23: Firewall rules for traffic connecting to the managed network
|
Source |
Source port |
Destination port |
Protocol |
Network Interface |
Notes |
|---|---|---|---|---|---|
|
NFM-P server |
Any |
21 |
TCP |
2 / 4 |
FTP |
|
NFM-P auxiliary server |
Any |
21 |
TCP |
2 / 4 |
FTP NFM-P statistics auxiliary |
|
NFM-P client (NEtO) |
Any |
21 |
TCP |
2 / 4 |
FTP 9500 MPR / Wavence Management |
|
NFM-P server |
Any |
22 |
TCP |
2 / 4 |
SSH |
|
NFM-P auxiliary server |
Any |
22 |
TCP |
2 / 4 |
SSH NFM-P statistics auxiliary |
|
NFM-P client (NEtO) |
Any |
22 |
TCP |
2 / 4 |
SFTP 9500 MPR / Wavence Management (MSS-8/4/1) |
|
NFM-P server |
Any |
23 |
TCP |
2 / 4 |
Telnet |
|
NFM-P auxiliary server |
Any |
23 |
TCP |
2 / 4 |
Telnet NFM-P statistics auxiliary |
|
NFM-P client (NEtO) |
Any |
23 |
TCP |
2 / 4 |
Telnet 9500 MPR / Wavence Management |
|
NFM-P client |
Any |
80 |
TCP |
2 / 4 |
HTTP (GNE / Omni) |
|
NFM-P client (NEtO) |
Any |
80 |
TCP |
2 / 4 |
HTTP 9500 MPR / Wavence (MSS-8/4/1 and 9400 AWY) |
|
NFM-P server |
Any |
161 |
UDP |
2 / 4 |
SNMP |
|
NFM-P auxiliary server |
Any |
161 |
UDP |
2 / 4 |
SNMP NFM-P statistics auxiliary |
|
NFM-P client (NEtO) |
Any |
161 |
UDP |
2 / 4 |
SNMP 9500 MPR / Wavence Management |
|
NFM-P client |
Any |
443 |
TCP |
2 / 4 |
HTTPS (GNE / Omni) |
|
NFM-P server |
>1023 |
>1023 |
TCP |
2 / 4 |
Passive FTP transfer |
|
NFM-P auxiliary server |
>1023 |
>1023 |
TCP |
2 / 4 |
Passive FTP transfer NFM-P statistics auxiliary |
|
NFM-P client (NEtO) |
>1023 |
>1023 |
TCP |
2 / 4 |
Passive FTP transfer 9500 MPR / Wavence Management |
|
NFM-P server |
Any |
1491 |
TCP |
2 / 4 |
SNMP Streaming |
|
NFM-P server |
Any |
5001 |
TCP |
2 / 4 |
CPAA / vCPAA |
|
NFM-P client (NEtO) |
5010 |
5010 |
UDP |
2 / 4 |
SNMP 9500 MPR / Wavenece (MSS-8/4/1) |
|
NFM-P client (NEtO) |
Any |
11500 |
UDP |
2 / 4 |
Equipment View (GUI) 9500 MPR / Wavenece (MSS-1C / MPR-e) |