Configure firewall on host to open https port after installing CE #275

Open
yurem opened this Issue Mar 6, 2017 · 14 comments

4 participants
@yurem
Contributor

yurem commented Mar 6, 2017

Yuriy: is it secure to open 443 port without admin approval?
Ganesh Dutt Sharma: yes, because anyway, external firewall still needs an open port at 443.
Most of our clients are doing it.
Yuriy: I think we can do this in postinstall script. We need to give Adrian commands for each platform.
Also to inform admin we can print message to console:
"Checking if https port is open and configuring firewall rules.."

Example for Ubuntu:
sudo ufw allow https

@yurem yurem added the enhancement label Mar 6, 2017

@yurem yurem added this to the CE 3.0.2 milestone Mar 6, 2017

@adrian-gluu

adrian-gluu commented Mar 6, 2017

Our pkgs disable IPTABLES in the host, and also there is no iptables inside of the chroot.

@yurem

Contributor

yurem commented Mar 7, 2017

I'm not sure that we can just disable all rules silently. For CE we only need to disable https

@ganesh-at-wiw

Contributor

ganesh-at-wiw commented Mar 7, 2017

disable?

@ganesh-at-wiw

Contributor

ganesh-at-wiw commented Mar 7, 2017

This will send an entirely wrong signal to individual testers who just want to see the interface after installation. It'll send signals of not-working rather than a little security concern. So, at least 443 should be open.

@nynymike nynymike changed the title from Confiure fairewall on host to open https port after installing CE to Confiure firewall on host to open https port after installing CE Mar 10, 2017

@nynymike

Contributor

nynymike commented Mar 10, 2017

It is ridiculous to disable iptables on the host. I would say that host firewall config is up to the system admin. We should not mess with the host firewall--just document the required ports for our application.

@adrian-gluu

adrian-gluu commented Mar 10, 2017

Your call, guys. I think it only happens on RPM for centos7 and rhel7 because of the manner that we handle the systemd unit file.
@yurem @ganesh-at-wiw @mzico @nynymike

@ganesh-at-wiw

Contributor

ganesh-at-wiw commented Mar 11, 2017

We should not disable iptables of host. We simply should add our one rule to allow port 443.

@yurem

Contributor

yurem commented Mar 12, 2017

ganesh-at-wiw commented 5 days ago

disable?
enable :). It's a typo in this message. In the original description I put the right explanation.

@ganesh-at-wiw

Contributor

ganesh-at-wiw commented Mar 12, 2017

Thanks :)

@adrian-gluu

adrian-gluu commented Mar 12, 2017

Add a rule how? If you don't have any way to know how the customer firewall is, I think we can just disable and add notes in our doc, not inside of the pkg; we cannot know every customer firewall way.

@nynymike

Contributor

nynymike commented Mar 13, 2017

I agree. Per my previous comment, I don't think we should change the host firewall. Just make recommendations in the docs.

@adrian-gluu

adrian-gluu commented Mar 13, 2017

Also, ONLY centos7 and rhel7 packages are disabling the firewall, because of the systemd hack that we have there, but I will remove that in our next build.

@yurem

Contributor

yurem commented Apr 24, 2017

@adrian-gluu Can you update our admin docs? We need to explain that the admin should open port 443 after installing CE.

@nynymike nynymike changed the title from Confiure firewall on host to open https port after installing CE to Configure firewall on host to open https port after installing CE May 23, 2017

@yurem yurem modified the milestones: CE 3.2.0, CE 3.0.2 Aug 2, 2017

@yurem

Contributor

yurem commented Apr 30, 2018

Honestly speaking, it's not our responsibility to change firewall rules on the host.

I think we should check if the port is closed and show the admin a warning about this.
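
One way to do the check proposed in the last comment, as an added example that is not part of the thread or the project's code: a read-only post-install helper that inspects the host firewall and warns instead of changing rules. The function names are hypothetical, and it assumes the plain `ufw status` table layout and firewalld's `--state`, `--list-services` and `--list-ports` output.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Read-only: it never edits
# firewall rules, it only reports whether inbound 443/tcp looks allowed.

# Reads `ufw status` text on stdin. Returns 0 if ufw is inactive, or if the
# first IPv4 rule for port 443 is ALLOW from Anywhere; 1 otherwise.
ufw_allows_https() {
    awk '
        /^Status: inactive/ { ok = 1; exit }
        ($1 == "443" || $1 == "443/tcp") && $2 != "(v6)" && !seen {
            seen = 1
            if ($2 == "ALLOW" && $3 == "Anywhere") ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# $1: output of `firewall-cmd --list-services`, $2: of `--list-ports`.
# Port ranges (e.g. 400-500/tcp) are not expanded here.
firewalld_allows_https() {
    case " $1 " in *" https "*) return 0 ;; esac
    case " $2 " in *" 443/tcp "*) return 0 ;; esac
    return 1
}

# Call from the post-install step (as root). Returns 1 and prints a warning
# when a supported host firewall is active and 443/tcp is not allowed.
check_https_port() {
    echo "Checking if https port is open.."
    if command -v ufw >/dev/null 2>&1; then
        ufw status 2>/dev/null | ufw_allows_https && return 0
    elif command -v firewall-cmd >/dev/null 2>&1 &&
         [ "$(firewall-cmd --state 2>/dev/null)" = "running" ]; then
        firewalld_allows_https "$(firewall-cmd --list-services)" \
                               "$(firewall-cmd --list-ports)" && return 0
    else
        return 0  # no supported firewall front end is active: nothing to report
    fi
    echo "WARNING: the host firewall does not appear to allow 443/tcp." >&2
    echo "Open it yourself if the web interface must be reachable." >&2
    return 1
}
```

A rule that allows 443 only from a specific source address is reported as closed, since the interface would still be unreachable from other clients.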
