Skip to content

Review firewall requirements #4210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 22 commits into from
Sep 18, 2025
Merged

Review firewall requirements #4210

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
1c5af47
Move port & firewall to Planning and review it
aneta-petrova Sep 3, 2025
d8d4888
Review port procedure
aneta-petrova Sep 4, 2025
f3dc17a
Update installing postgresql to work without firewall snippets
aneta-petrova Sep 4, 2025
880a236
Drop firewall-cmd snippet from provisioning
aneta-petrova Sep 4, 2025
5001a48
Merge modules on opening ports
aneta-petrova Sep 4, 2025
361c6ec
Rename networking sections for clarity and consistency
aneta-petrova Sep 4, 2025
27cf6d4
Tweak non-satellite topology diagram introductions
aneta-petrova Sep 4, 2025
8327116
Drop comments from preparing for capsule installation
aneta-petrova Sep 5, 2025
bc907f5
Use attribute for server
aneta-petrova Sep 5, 2025
411b8c1
Drop integrated/external proxy definitions
aneta-petrova Sep 5, 2025
f38d86a
Open ports only for default services
aneta-petrova Sep 10, 2025
18317ea
Revert "Open ports only for default services"
aneta-petrova Sep 11, 2025
63d837a
Drop note about configuration-specific ports to be opened
aneta-petrova Sep 11, 2025
f95141e
Fix URL to networking considerations
aneta-petrova Sep 17, 2025
ac2faf2
Simplify introduction
aneta-petrova Sep 17, 2025
f7c2828
Fix link
aneta-petrova Sep 17, 2025
1cb0a23
Rephrase hint about using firewall-cmd
aneta-petrova Sep 17, 2025
404bfe5
Fix link again
aneta-petrova Sep 17, 2025
3c96f12
Apply suggestions from style review
aneta-petrova Sep 18, 2025
b5ac66f
Replace SmartProxy with SmartProxyServer
aneta-petrova Sep 18, 2025
92b73b5
Reword description of a smart proxy networking setup
aneta-petrova Sep 18, 2025
7a35aa1
Drop obsolete information on outgoing traffic
aneta-petrova Sep 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions guides/common/assembly_major-project-components.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,4 @@ include::modules/ref_list-of-key-open-source-components-of-foreman.adoc[leveloff

include::modules/con_smartproxy-features.adoc[leveloffset=+1]

include::modules/con_smartproxy-networking.adoc[leveloffset=+1]

include::modules/con_major-project-components-additional-resources.adoc[leveloffset=+1]
7 changes: 7 additions & 0 deletions guides/common/assembly_networking-considerations-in-project.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
include::modules/con_networking-considerations-in-project.adoc[]

include::modules/con_smart-proxy-networking.adoc[leveloffset=+1]

include::modules/ref_project-server-port-and-firewall-requirements.adoc[leveloffset=+1]

include::modules/ref_smart-proxy-port-and-firewall-requirements.adoc[leveloffset=+1]
2 changes: 0 additions & 2 deletions guides/common/assembly_planning-project-server-installation.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,6 @@ ifdef::katello,orcharhino,satellite[]
include::modules/ref_best-practices-for-optimizing-storage.adoc[leveloffset=+1]
endif::[]

include::modules/ref_port-and-firewall-requirements.adoc[leveloffset=+1]

ifeval::["{mode}" == "connected"]
include::modules/ref_ipv6-and-ipv4-requirements.adoc[leveloffset=+1]
endif::[]
Expand Down
8 changes: 1 addition & 7 deletions guides/common/assembly_preparing-environment-for-capsule-installation.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,21 +9,15 @@ Review the following prerequisites before you install {SmartProxyServer}.

include::modules/ref_operating-system-requirements.adoc[leveloffset=+1]

// System Requirements
include::modules/ref_system-requirements.adoc[leveloffset=+1]

ifdef::katello,satellite[]
// Storage requirements
include::modules/ref_capsule-storage-requirements.adoc[leveloffset=+1]

include::modules/ref_best-practices-for-optimizing-storage.adoc[leveloffset=+1]
endif::[]

// Port and Firewall Requirements
include::modules/ref_smart-proxy-port-and-firewall-requirements.adoc[leveloffset=+1]

// Enabling Connections from {ProjectServer} and Clients to a {SmartProxyServer}
include::modules/proc_enabling-connections-to-capsule.adoc[leveloffset=+1]
include::modules/proc_opening-required-ports.adoc[leveloffset=+1]

ifdef::parent-context[:context: {parent-context}]
ifndef::parent-context[:!context:]
2 changes: 1 addition & 1 deletion guides/common/assembly_preparing-environment-for-project-server-installation.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

include::modules/con_preparing-environment-for-project-server-installation.adoc[]

include::modules/proc_enabling-client-connections-to-project-server.adoc[leveloffset=+1]
include::modules/proc_opening-required-ports.adoc[leveloffset=+1]

include::modules/proc_verifying-dns-resolution.adoc[leveloffset=+1]

Expand Down
2 changes: 1 addition & 1 deletion guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ To provision machines through HTTP booting ensure that you meet the following re
For HTTP booting to work, ensure that your environment has the following client-side configurations:

* All the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}.
For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[].
For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[].
* Your client has access to the DHCP and DNS servers.
* Your client has access to the HTTP UEFI Boot {SmartProxy}.

Expand Down
2 changes: 1 addition & 1 deletion guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ To provision machines through HTTP booting without managed DHCP ensure that you
* Ensure that your client has access to the DHCP and DNS servers.
* Ensure that your client has access to the HTTP UEFI Boot {SmartProxy}.
* Ensure that all the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}.
For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[].
For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[].

.Network requirements
* An unmanaged DHCP server available for clients.
Expand Down
4 changes: 4 additions & 0 deletions guides/common/modules/con_networking-considerations-in-project.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
[id="networking-considerations-in-{project-context}"]
= Networking considerations in {Project}

For the components of {Project} architecture to communicate, the required network ports must be open to enable incoming and outgoing traffic between the components.
2 changes: 1 addition & 1 deletion guides/common/modules/con_pxe-booting-requirements.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ To provision machines using PXE booting, ensure that you meet the following requ

.Client requirements
* Ensure that all the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}.
For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[].
For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[].

* Ensure that your client has access to the DHCP and TFTP servers.

Expand Down
37 changes: 37 additions & 0 deletions guides/common/modules/con_smart-proxy-networking.adoc
View file
Open in desktop
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this chapter we run into the naming problem: Capsule in downstream is IMHO something quite different than a Smart Proxy.

My interpretation:

  • Smart Proxy: the generic concept that Foreman connects to
  • Foreman Proxy: the Ruby implementation of Smart Proxy
  • Capsule: The downstream naming for a server that has a few services: Foreman Proxy, Pulp, Apache (for the RHSM registration API). Upstream we sometimes refer to this as Content Proxies: a Proxy with a set of content features.

Now looking ahead we're going to make this a bigger problem. The Insights on Premise is also recognized as a Smart Proxy. Then with pulp_smart_proxy the Pulp server can identify as a Smart Proxy.

In other words: I think soon we need to have the discussion within Red Hat: where do we want to go with this. Do we stop branding Smart Proxy as Capsule?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is actionable right now but it's interesting information so I'll keep this thread open for awareness.

Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
[id="{smart-proxy-context}-networking"]
= {SmartProxy} networking

The communication between {ProjectServer} and hosts registered to a {SmartProxyServer} is routed through that {SmartProxyServer}.
{SmartProxyServer} also provides {Project} services to hosts.

ifndef::satellite[]
In a topology with hosts connecting to a {SmartProxyServer},
endif::[]
ifdef::satellite[]
In xref:{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}[],
endif::[]
{SmartProxyServer} provides a single endpoint for all host network communications so that in remote network segments, only firewall ports to the {SmartProxyServer} itself must be open.
Hosts do not need direct access to {ProjectServer}.

// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements"
ifdef::satellite[]
[id="{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}"]
.{Project} topology with hosts connecting to a {SmartProxy}
image::common/topology-isolated-satellite.png[{ProjectName} topology with a host]
endif::[]

ifndef::satellite[]
In a topology with hosts connecting directly to {ProjectServer},
endif::[]
ifdef::satellite[]
In xref:{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server[],
endif::[]
hosts need direct network access to {ProjectServer}.
This applies to all {SmartProxyServers} because they are hosts of {ProjectServer}.

// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements"
ifdef::satellite[]
[id="{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server"]
.{Project} topology with hosts connecting directly to {ProjectServer}
image::common/topology-direct-satellite.png[{ProjectName} topology with a direct host]
endif::[]
36 changes: 0 additions & 36 deletions guides/common/modules/con_smartproxy-networking.adoc
View file
Open in desktop

This file was deleted.

2 changes: 1 addition & 1 deletion guides/common/modules/proc_configuring-capsule-default-certificate.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ endif::[]
* {SmartProxyServer} packages are installed.
For more information, see xref:installing-{smart-proxy-context}-server-packages[].
* The required ports are open.
For more information, see xref:{smart-proxy-context}-port-and-firewall-requirements_{context}[].
For more information, see xref:common/modules/proc_opening-required-ports.adoc#opening-required-ports[].

.Procedure

Expand Down
2 changes: 1 addition & 1 deletion ...mmon/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ For more information, see xref:Registering_Proxy_to_Server_{smart-proxy-context}
* {SmartProxyServer} packages are installed.
For more information, see xref:installing-{smart-proxy-context}-server-packages[].
* The required ports are open.
For more information, see xref:{smart-proxy-context}-port-and-firewall-requirements_{context}[].
For more information, see xref:common/modules/proc_opening-required-ports.adoc#opening-required-ports[].

.Procedure
. On your {ProjectServer}, generate a certificate bundle:
Expand Down
41 changes: 0 additions & 41 deletions guides/common/modules/proc_enabling-client-connections-to-project-server.adoc
View file
Open in desktop

This file was deleted.

40 changes: 0 additions & 40 deletions guides/common/modules/proc_enabling-connections-to-capsule.adoc
View file
Open in desktop

This file was deleted.

13 changes: 9 additions & 4 deletions guides/common/modules/proc_installing-postgresql.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,6 @@ ifndef::foreman-deb[]
{Project} supports PostgreSQL version 13.
endif::[]

include::snip_firewalld.adoc[]

.Prerequisites
* The prepared host has base operating system repositories enabled.
* The prepared host has sufficient disk space available for the `{postgresql-lib-dir}` directory.
Expand Down Expand Up @@ -85,13 +83,20 @@ password_encryption=scram-sha-256
----
# systemctl enable --now postgresql
----
. Open the *postgresql* port:
. Update the firewall configuration.
For example, using the `firewall-cmd` command:
.. Open the *postgresql* port:
+
[options="nowrap" subs="verbatim,quotes"]
----
# firewall-cmd --add-service=postgresql
----
include::snip_make-firewall-settings-persistent.adoc[]
.. Make the changes persistent:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# firewall-cmd --runtime-to-permanent
----
. Switch to the `postgres` user and start the PostgreSQL client:
+
[options="nowrap" subs="verbatim,quotes"]
Expand Down
83 changes: 83 additions & 0 deletions guides/common/modules/proc_opening-required-ports.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
:_mod-docs-content-type: PROCEDURE

[id="opening-required-ports"]
= Opening required ports

By opening the required ports, you ensure that the components of {Project} architecture can communicate.
You must also ensure that the required network ports are open on any network-based firewalls.

[NOTE]
====
Some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls.
If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall.
If possible, disable the application checking and allow open port communication based on the protocol.
====

ifndef::satellite,orcharhino[]
If you do not use `firewall-cmd` to configure the Linux firewall, implement using the tool of your choice.
endif::[]

.Procedure
. If you need to prevent the DHCP {SmartProxy} from pinging hosts to check for available IP addresses, disable DHCP IP address pinging:
+
[options="nowrap", subs="+quotes,attributes"]
----
# {foreman-installer} --foreman-proxy-dhcp-ping-free-ip false
----
+
By default, a DHCP {SmartProxy} performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free.
ifdef::katello,satellite,orcharhino[]
ifeval::["{context}" == "{project-context}"]
. Open the ports for clients on {ProjectServer}:
endif::[]
ifeval::["{context}" == "{smart-proxy-context}"]
. Open the ports for clients on {SmartProxyServer}:
endif::[]
+
[options="nowrap"]
----
# firewall-cmd \
--add-port="8000/tcp" \
--add-port="9090/tcp"
----
endif::[]
ifeval::["{context}" == "{project-context}"]
. Allow access to services on {ProjectServer}:
endif::[]
ifeval::["{context}" == "{smart-proxy-context}"]
. Allow access to services on {SmartProxyServer}:
endif::[]
+
[options="nowrap"]
----
# firewall-cmd \
--add-service=dns \
--add-service=dhcp \
--add-service=tftp \
--add-service=http \
--add-service=https \
ifndef::katello,satellite,orcharhino[]
--add-service=foreman-proxy \
endif::[]
--add-service=puppetmaster
----
. Make the changes persistent:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# firewall-cmd --runtime-to-permanent
----

.Verification
* View all firewall zones and allowed services:
+
[options="nowrap"]
----
# firewall-cmd --list-all
----

.Additional resources
* {PlanningDocURL}networking-considerations-in-{project-context}[Networking considerations in {Project}]
ifndef::foreman-deb[]
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters[Using and configuring firewalld in _{RHEL}{nbsp}9 Configuring firewalls and packet filters_]
endif::[]
7 changes: 6 additions & 1 deletion guides/common/modules/proc_registering-capsule-to-satellite-server.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,11 @@ For more information on manifests and repositories, see {ContentManagementDocURL
** Ensure HTTPS connection using client certificate authentication is possible between {SmartProxyServer} and {ProjectServer}.
HTTP proxies between {SmartProxyServer} and {ProjectServer} are not supported.
** You must configure the host and network-based firewalls accordingly.
For more information, see {InstallingSmartProxyDocURL}{smart-proxy-context}-port-and-firewall-requirements_{smart-proxy-context}[Port and firewall requirements] in _{InstallingSmartProxyDocTitle}_.
ifeval::["{context}" == "load-balancing"]
For more information, see {InstallingSmartProxyDocURL}opening-required-ports[Opening required ports in _{InstallingSmartProxyDocTitle}_].
endif::[]
ifeval::["{context}" == "installing-capsule-server"]
For more information, see xref:common/modules/proc_opening-required-ports.adoc#opening-required-ports[].
endif::[]

include::snip_host-registration-steps.adoc[]
Loading
Loading