Firewall settings for reverse proxy and other scenarios need to be enhanced to allow only specified source addresses

Idea ID 2785944


In reverse proxy / SSL offload scenarios it is useful to block any access to the Filr ports from source addresses other than the reverse proxy.
(Do not allow access to the clear-text ports 80/8080 from sources other than the reverse proxy addresses.)
This is not possible in an officially supported way.

The same firewall security requirement applies to the memcache, lucene and mysql ports...

Memcache, lucene and mysql should only be reachable from the IP addresses of the Filr frontends!

The firewall configuration on :9443 should allow detailed configuration of which source addresses may access which port. The default should be restricted to the internal Filr communication processes only.

On some of the latest deployments we have also noticed that port 7777 is configured to be open in "/etc/sysconfig/SuSEfirewall2", but it is not listed in the firewall configuration at :9443 and it is also not documented.

Benefit: higher security.
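As an added example (not part of the idea post above and not Micro Focus Filr code), the following script expresses the per-source policy the post asks for as data and renders it both as a SuSEfirewall2 `FW_SERVICES_ACCEPT_EXT` line and as plain iptables commands, checks whether a given source may reach a given port, and flags ports opened in the sysconfig file that the policy does not account for (the post's port 7777 case). The reverse proxy address, the frontend and admin networks, and the Lucene port 1199 are assumptions; 80, 8080, 9443 and 7777 come from the post, 11211 and 3306 are the memcached and MySQL defaults. Hand-editing `/etc/sysconfig/SuSEfirewall2` on the appliance is exactly the kind of change the post says is not officially supported, so treat this as a way to state and verify the intended policy rather than as a supported configuration path.

```shell
#!/bin/sh
# Added example, not from the idea post and not Micro Focus Filr code.
# Addresses, networks and the Lucene port (1199) are assumptions for
# illustration; 80/8080/9443/7777 come from the post, 11211/3306 are the
# memcached/MySQL defaults.
#
# Allowlist: which source network may reach which Filr port. Everything
# else on these ports is meant to be rejected.
ALLOWLIST='
203.0.113.10/32 tcp 80    reverse proxy (SSL offload) -> clear-text HTTP
203.0.113.10/32 tcp 8080  reverse proxy -> clear-text Tomcat port
10.10.0.0/28    tcp 11211 Filr frontends -> memcached
10.10.0.0/28    tcp 3306  Filr frontends -> MySQL
10.10.0.0/28    tcp 1199  Filr frontends -> Lucene (assumed port)
10.10.1.0/24    tcp 9443  admin network -> appliance console
'

# Only lines that look like "net proto port ..." count as rules.
rules() {
    printf '%s\n' "$ALLOWLIST" | awk 'NF >= 3 && $1 !~ /^#/ { print $1, $2, $3 }'
}

# Render the allowlist as a SuSEfirewall2 FW_SERVICES_ACCEPT_EXT line
# (entries are "net,protocol,dport"; traffic not accepted is dropped).
render_susefirewall2() {
    rules | awk 'BEGIN { printf "FW_SERVICES_ACCEPT_EXT=\"" }
                 { printf "%s%s,%s,%s", sep, $1, $2, $3; sep = " " }
                 END { print "\"" }'
}

# Render the same policy as iptables commands: one ACCEPT per allowlist
# entry, then a REJECT for each protected port so no other source gets in.
render_iptables() {
    rules | awk '{ printf "iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n", $1, $2, $3 }'
    rules | awk '{ print $3 }' | sort -un | while read -r port; do
        echo "iptables -A INPUT -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    done
}

# allowed SRC PORT: exit 0 if some allowlist entry covers SRC for PORT.
# CIDR matching is done by comparing the network prefixes as integers.
allowed() {
    rules | awk -v src="$1" -v port="$2" '
        function ip2int(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        function prefix(ip, bits) { return bits == 0 ? 0 : int(ip / 2^(32 - bits)) }
        $3 == port {
            n = split($1, c, "/"); bits = (n == 2) ? c[2] : 32
            if (prefix(ip2int(c[1]), bits) == prefix(ip2int(src), bits)) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed excerpt of what a deployment's /etc/sysconfig/SuSEfirewall2 opens
# system-wide (the post reports 7777 open there but absent from the :9443 UI).
CURRENT_FW_SERVICES_EXT_TCP="80 8080 7777 9443"

# Print ports opened in the sysconfig file that the allowlist does not cover.
undocumented_ports() {
    for port in $CURRENT_FW_SERVICES_EXT_TCP; do
        rules | awk -v port="$port" '$3 == port { f = 1 } END { if (f) exit 0; exit 1 }' || echo "$port"
    done
}

if [ "${1:-}" = "show" ]; then
    render_susefirewall2
    render_iptables
    echo "ports open in sysconfig but not in the policy:"
    undocumented_ports
fi
```

Run it as `sh firewall-policy.sh show` to print the two renderings and the audit result; `allowed 203.0.113.10 80` succeeds while `allowed 203.0.113.10 3306` fails, which is the property the post wants (the proxy reaches the clear-text web ports, only the frontends reach MySQL). The iptables rendering appends the REJECT rules after the ACCEPT rules, so order matters if you merge it into an existing chain.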