Related Tips & Info

Imaging within subnet with firewall on ZENworks Linux Primary Server enabled

MigrationDeletedUser
0 Likes

Setting up firewall on a Linux Primary Server to allow all ZENworks Imaging traffic may be tricky as some of these services use dynamic ports. This article explains the firewall configuration required on a primary server for using ZENworks Imaging services. Each service and the ports it needs are explained first. A sample configuration for a SLES 11 SP3 primary server follows. If you are using any other OS for the server you might have to adapt the rules accordingly.


Note that the rules apply to Imaging operations within the same subnet with the server and client reachable from each other in a single hop i.e. directly connected over a single switch or hub. Server and client in different networks might need additional configuration which is not covered in this article.


Ports used by ZENworks Imaging Services




  • Novell ZENworks Imaging Service
    TCP port 998 for communicating with Imaging client devices.
    TCP port 443 to fetch licensing related information.

  • Novell Proxy DHCP Daemon
    UDP port 67 when DHCP server is not running on the same device.
    UDP port 4011 if DHCP server is also running on the same device.
    Port 67 (bootps) for broadcast packets.

  • Novell TFTP Daemon
    UDP port 69 to communicate with clients.

  • Novell ZENworks Preboot Policy Daemon
    UDP port 13331 to communicate with client devices during PXE boot.
    Requires allowing packets from client devices originating from (source port) UDP port 12050.

  • Multicast Imaging Service
    Requires allowing packets from client devices originating from (source ports) UDP ports 997 and 999.


Sample configuration for SLES 11 SP3

Open /etc/sysconfig/SuSEfirewall2 and add (or append) the ports for Imaging services in the corresponding settings:



FW_SERVICES_EXT_TCP="443 998"
FW_SERVICES_EXT_UDP="67 69 4011 13331"
FW_SERVICES_ACCEPT_EXT="0/0,udp,,997 0/0,udp,,999 0/0,udp,,12050"
FW_ALLOW_FW_BROADCAST_EXT="bootps"

In iptables lingo
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 998 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 69 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4011 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 13331 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 12050 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 997 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 999 -j ACCEPT
iptables -A INPUT -p udp -m pkttype --pkt-type broadcast -m udp --dport 67 -j ACCEPT

Tags:

Labels:

How To-Best Practice
Comment List
Anonymous
Related Discussions
Recommended

Resources

Support
Documentation
Training
CyberRes Academy
Partner Portal
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
How To Buy
Careers
Investor Relations
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.