Additional NSP component firewall and NAT rules

Overview

Firewall rules are applied to the incoming network interface traffic. As a rule, firewall rules are not applied to the outgoing network interface traffic.

For installations using RHEL as the Operating System, the RHEL supplied firewall can be used to filter network traffic using filter rules lists. Only experienced system administrators with extensive knowledge of the RHEL firewall should attempt to implement the filter rules lists provided with each component. All others should disable the RHEL firewall.

The installation of each component will include the filter rules lists to be applied for successful communication between different NSP components, XML API clients, and network elements. The table below defines the location

Table 6-17: Sample firewalld filter rules lists file locations

Component

Protocol

File location

NFM-P server

IPv4/IPv6

/opt/nsp/nfmp/server/nms/sample/firewall/

NFM-P database

IPv4/IPv6

/opt/nsp/nfmp/db/install/sample/firewall/

NFM-P Statistics auxiliary

IPv4/IPv6

/opt/nsp/nfmp/auxserver/nms/sample/firewall/

NSP auxiliary database

IPv4

/opt/nsp/nfmp/auxdb/install/config/sample/firewall/

NFM-P client

IPv4/IPv6

<base client install dir>/nms/sample/firewall/

NFM-P client delegate server

IPv4/IPv6

<base client install dir>/nms/sample/firewall/

It is imperative that all rules are considered completely for the NSP systems to inter-operate correctly. The following tables will define the connection details. Within the section there will be a number of conditions that indicate whether or not that particular table or connection needs to be applied.

See NFM-P Network Address Translation for supported NAT configurations.

NFM-P server firewall and NAT rules

When there is a firewall at the NFM-P server, the following initiating connection details must be considered. Network Interface number is in reference to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces

Table 6-18: Firewall rules for traffic connecting to the NFM-P server

Source

Source port

Destination port

Protocol

Network Interface

Notes

NFM-P server (public address)

Any

21

TCP

3

Connection to NFM-P server private address (if NAT in use)

XML API client

Any

21

TCP

3

If FTP is required

NSP cluster

Any

21

TCP

1

If FTP is used

NFM-P server

Any

22

TCP

1

From the redundant NFM-P server

XML API client

Any

22

TCP

3

If SCP / SFTP is required

NSP cluster

Any

22

TCP

1

If SCP / SFTP is used

9500 MPR / Wavence

Any

22

TCP

2 / 4

NE backups

NFM-P GUI client

Any

443

TCP

3

HTTPS

Managed Network

Any

162

UDP

2 / 4

SNMP trap initiated from the NE

Managed Network

Any

--

ICMP

2 / 4

Ping policy

1830 SMS HSM Server

5552

758

TCP

2 / 4

nlogin

NFM-P server (public address)

>1023

>1023

TCP

3

Connection to NFM-P server private address (if NAT in use)

NFM-P GUI client / XML API client

Any

1097

TCP

3

JMS

NFM-P auxiliary server

Any

1097

TCP

1

JMS

NFM-P server

Any

1099

TCP

1

From the redundant NFM-P server

NFM-P GUI client / XML API client

Any

1099

TCP

3

JNDI

NFM-P auxiliary server

Any

1099

TCP

1

JNDI

NSP cluster

Any

1099

TCP

1

JNDI

NFM-P GUI client / XML API client

Any

4447

TCP

3

JMS

NFM-P auxiliary server

Any

4447

TCP

1

JMS

NFM-P server

Any

7879

TCP

1

From the redundant NFM-P server

NSP cluster

Any

7879

TCP

1

CPROTO

XML API client

Any

8080

TCP

3

HTTP

NSP cluster

Any

8080

TCP

1

HTTP

NFM-P GUI client

Any

8085

TCP

3

HTTP

NFM-P server

Any

8087

TCP

1

From the redundant NFM-P server

NFM-P GUI client

Any

8087

TCP

3

HTTP(S)

NFM-P GUI client

Any

8089

TCP

3

HTTP(S)

NSP

Any

8097

TCP

1

From NSP

XML API client

Any

8443

TCP

3

HTTPS

NSP cluster

Any

8443

TCP

1

HTTPS

NFM-P GUI client

Any

8444

TCP

3

HTTPS

NFM-P server

Any

8543

TCP

1

From the redundant NFM-P server

NFM-P GUI client / Web client

Any

8543

TCP

3

HTTPS

NFM-P server

Any

9010

TCP

1

From the redundant NFM-P server

NSP Cluster

Any

9100

TCP

1

Node-exporter

Web client

Any

9443

TCP

3

Swagger interface for HSM

NFM-P server

Any

10290

TCP

1

From the redundant NFM-P server

NFM-P server

Any

11800

TCP

1

From the redundant NFM-P server

NFM-P server

Any

12010

TCP

1

From the redundant NFM-P server

NFM-P server

Any

12300-12307

TCP

1

From the redundant NFM-P server

NFM-P auxiliary server

Any

12300-12307

TCP

1

--

NFM-P auxiliary server

Any

12800

TCP

1

--

Note: Due to the size of SNMP packets, IP fragmentation may occur in the network. Ensure the firewall will allow fragmented packets to reach the server(s).

NFM-P database firewall

When there is a firewall at the NFM-P database, the following initiating connection details must be considered. Network Interface number is in reference to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces)/

Table 6-19: Firewall rules for traffic connecting to the NFM-P database

Source

Source port

Destination port

Protocol

Network Interface

Notes

NFM-P database

Any

22

TCP

1

NFM-P server

Any

1523

TCP

1

NFM-P database

Any

1523

TCP

1

From the redundant NFM-P database

NFM-P auxiliary server

Any

1523

TCP

1

NSP server

Any

1523

TCP

1

NFM-P server

Any

9002

TCP

1

NFM-P database

9002

9002

TCP

1

From the redundant NFM-P database

NFM-P auxiliary server

Any

9002

TCP

1

NFM-P server

Any

9003

TCP

1

NFM-P database

9003

9003

TCP

1

From redundant NFM-P database

NFM-P auxiliary server

Any

9003

TCP

1

NFM-P auxiliary server firewall and NAT rules

When there is a firewall at the NFM-P auxiliary server, the following initiating connection details must be considered. Network Interface number is in reference to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.

Table 6-20: Firewall rules for traffic connecting to the NFM-P auxiliary server

Source

Source port

Destination port

Protocol

Network Interface

Notes

NFM-P auxiliary server public address

Any

21

TCP

3

Connect to NFM-P auxiliary server private address (for NAT) If FTP is required

XML-API Client

Any

21

TCP

3

If FTP is required

XML-API Client

Any

22

TCP

3

If SFTP is required

NFM-P auxiliary server

Any

22

TCP

1

From redundant NFM-P auxiliary server

NFM-P auxiliary server public address

>1023

>1023

TCP

3

Connect to NFM-P auxiliary server private address (for NAT) If FTP is required

NFM-P auxiliary server

Any

1095

TCP

1

From redundant NFM-P auxiliary server

NSP Cluster

Any

9100

TCP

1

Node-exporter

NFM-P server

Any

12300 - 12307

TCP

1

--

NFM-P auxiliary server

Any

12300 - 12307

TCP

1

From redundant NFM-P auxiliary server

NFM-P server

Any

12800

TCP

1

--

NFM-P auxiliary server

Any

12800

TCP

1

From redundant NFM-P auxiliary server

Note: Due to the size of SNMP packets, IP fragmentation may occur in the network. Ensure the firewall will allow fragmented packets to reach the server(s).

NSP auxiliary database firewall rules

When there is a firewall at the NSP auxiliary database, the following initiating connection details must be considered. Network Interface number is in reference to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.

Since the inter-node communication should traverse a private LAN, it is not recommended to implement a firewall on this interface.

Table 6-21: Firewall rules for traffic connecting to the NSP auxiliary database

Source

Source port

Destination port

Protocol

Network Interface

Notes

NSP auxiliary database

Any

22

TCP

1

SFTP between clusters

NFM-P server

Any

5433

TCP

1

JDBC

NFM-P statistics auxiliary

Any

5433

TCP

1

JDBC

NSP cluster

Any

5433

TCP

1

JDBC

NFM-P server

Any

7299

TCP

1

RMI

secure = true

NFM-P server

Any

7299 - 7309

TCP

1

RMI

secure - false

NSP auxiliary database

Any

50000

TCP

1

Rsync between clusters

NFM-P client and client delegate firewall rules

When there is a firewall at the client or client delegate, the following initiating connection details must be considered. Network Interface number is in reference to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.

Table 6-22: Firewall rules for traffic connecting to the NFM-P client and client delegate

Source

Source port

Destination port

Protocol

Network Interface

Notes

NFM-P server

--

--

ICMP

3

Ping

Client delegate only

Managed Network

Any

20

TCP

2 / 4

Active FTP

9500 MPR / Wavence (NEtO)

Managed Network

Any

21

TCP

2 / 4

9500 MPR / Wavence (NEtO)

Managed Network

Any

22

TCP

2 / 4

9500 MPR / Wavence (NEtO)

Managed Network

Any

162

UDP

2 / 4

9500 MPR / Wavence (NEtO)

Managed Network

>1023

>1023

TCP

2 / 4

Passive FTP

9500 MPR / Wavence (NEtO)

Managed Network

5010

5010

UDP

2 / 4

9500 MPR / Wavence (NEtO)

Managed network firewall rules

When there is a firewall at the managed network, the following initiating connection details must be considered. Network Interface number is in reference to Figure 7-3, Distributed NFM-P server/database deployment with multiple network interfaces.

Table 6-23: Firewall rules for traffic connecting to the managed network

Source

Source port

Destination port

Protocol

Network Interface

Notes

NFM-P server

Any

21

TCP

2 / 4

FTP

NFM-P auxiliary server

Any

21

TCP

2 / 4

FTP

NFM-P statistics auxiliary

NFM-P client (NEtO)

Any

21

TCP

2 / 4

FTP

9500 MPR / Wavence Management

NFM-P server

Any

22

TCP

2 / 4

SSH

NFM-P auxiliary server

Any

22

TCP

2 / 4

SSH

NFM-P statistics auxiliary

NFM-P client (NEtO)

Any

22

TCP

2 / 4

SFTP

9500 MPR / Wavence Management (MSS-8/4/1)

NFM-P server

Any

23

TCP

2 / 4

Telnet

NFM-P auxiliary server

Any

23

TCP

2 / 4

Telnet

NFM-P statistics auxiliary

NFM-P client (NEtO)

Any

23

TCP

2 / 4

Telnet

9500 MPR / Wavence Management

NFM-P client

Any

80

TCP

2 / 4

HTTP (GNE / Omni)

NFM-P client (NEtO)

Any

80

TCP

2 / 4

HTTP

9500 MPR / Wavence (MSS-8/4/1 and 9400 AWY)

NFM-P server

Any

161

UDP

2 / 4

SNMP

NFM-P auxiliary server

Any

161

UDP

2 / 4

SNMP

NFM-P statistics auxiliary

NFM-P client (NEtO)

Any

161

UDP

2 / 4

SNMP

9500 MPR / Wavence Management

NFM-P client

Any

443

TCP

2 / 4

HTTPS (GNE / Omni)

NFM-P server

>1023

>1023

TCP

2 / 4

Passive FTP transfer

NFM-P auxiliary server

>1023

>1023

TCP

2 / 4

Passive FTP transfer

NFM-P statistics auxiliary

NFM-P client (NEtO)

>1023

>1023

TCP

2 / 4

Passive FTP transfer

9500 MPR / Wavence Management

NFM-P server

Any

1491

TCP

2 / 4

SNMP Streaming

NFM-P server

Any

5001

TCP

2 / 4

CPAA / vCPAA

NFM-P client (NEtO)

5010

5010

UDP

2 / 4

SNMP

9500 MPR / Wavenece (MSS-8/4/1)

NFM-P client (NEtO)

Any

11500

UDP

2 / 4

Equipment View (GUI)

9500 MPR / Wavenece (MSS-1C / MPR-e)