Idea ID: 2785944

Firewall settings for reverse proxy and other scenarios need to be enhanced to allow only specified source addresses

Status : Waiting for Votes
over 5 years ago
In reverse proxy / SSL offload scenarios it is useful to block any access to Filr ports from source addresses other than the reverse proxy.
(Do not allow access to the clear-text ports 80/8080 from sources other than the reverse proxy addresses.)
This is not possible in an officially supported way.

The same firewall security requirement applies to the memcache, lucene and mysql ports.

Memcache, lucene and mysql should only be reachable from the IP addresses of the Filr frontends!

The firewall configuration on :9443 should allow detailed configuration of which source addresses are allowed to access which ports. The default should be specified for the internal Filr communication processes only.

On some of the latest deployments we have also realized that port 7777 is configured to be open in "/etc/sysconfig/SuSEfirewall2" but it is not listed in the firewall configuration at :9443 and it is also not documented.

Benefit: higher security.

Labels:

Administration
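
The gap described in the idea above (ports open to any source, and a port present in "/etc/sysconfig/SuSEfirewall2" but absent from the admin listing) can be checked read-only with a small audit. This is an added example, not part of the original post or of the product. It assumes the SuSEfirewall2 convention that `FW_SERVICES_EXT_TCP` opens ports to every source while `FW_SERVICES_ACCEPT_EXT` entries have the form `net,proto,dport`; the sample file, the proxy address 192.0.2.10 and the `DOCUMENTED` set are constructed.

```python
import re

# Constructed sample of /etc/sysconfig/SuSEfirewall2 (not taken from a real appliance).
SAMPLE = '''
# constructed example
FW_SERVICES_EXT_TCP="7777 9443"
FW_SERVICES_ACCEPT_EXT="192.0.2.10/32,tcp,80 0/0,tcp,8080"
'''
DOCUMENTED = {"80", "8080", "9443"}   # assumption: ports the admin console lists
PROXY_ONLY = {"80", "8080"}           # clear-text ports meant for the reverse proxy only
ANY_SOURCE = {"0/0", "0.0.0.0/0"}

def parse_sysconfig(text):
    """Return {VAR: value} for VAR="value" lines; comment lines never match."""
    pairs = (re.match(r'\s*([A-Z0-9_]+)="([^"]*)"\s*$', ln) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def expand(tok):
    """Expand a 'lo:hi' range; single ports and service names pass through."""
    lo, _, hi = tok.partition(":")
    if lo.isdigit() and hi.isdigit():
        return {str(p) for p in range(int(lo), int(hi) + 1)}
    return {tok}

def audit(text, documented, proxy_only):
    cfg = parse_sysconfig(text)
    open_any, restricted = set(), {}
    for tok in cfg.get("FW_SERVICES_EXT_TCP", "").split():
        open_any |= expand(tok)                  # reachable from every source
    for rule in cfg.get("FW_SERVICES_ACCEPT_EXT", "").split():
        parts = rule.split(",")
        if len(parts) < 3 or parts[1] != "tcp" or not parts[2]:
            continue                             # not a TCP rule with a destination port
        for port in expand(parts[2]):
            if parts[0] in ANY_SOURCE:
                open_any.add(port)
            else:
                restricted.setdefault(port, []).append(parts[0])
    return {
        "undocumented": sorted(open_any - documented),         # open but not listed
        "exposed_proxy_only": sorted(open_any & proxy_only),   # should be proxy-only
        "restricted": restricted,                              # port -> allowed sources
    }

if __name__ == "__main__":
    for finding, value in audit(SAMPLE, DOCUMENTED, PROXY_ONLY).items():
        print(finding, value)
```
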