Skip to content

Review firewall requirements #4210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 22 commits into from
Sep 18, 2025
Merged

Review firewall requirements #4210

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
1c5af47
Move port & firewall to Planning and review it
aneta-petrova Sep 3, 2025
d8d4888
Review port procedure
aneta-petrova Sep 4, 2025
f3dc17a
Update installing postgresql to work without firewall snippets
aneta-petrova Sep 4, 2025
880a236
Drop firewall-cmd snippet from provisioning
aneta-petrova Sep 4, 2025
5001a48
Merge modules on opening ports
aneta-petrova Sep 4, 2025
361c6ec
Rename networking sections for clarity and consistency
aneta-petrova Sep 4, 2025
27cf6d4
Tweak non-satellite topology diagram introductions
aneta-petrova Sep 4, 2025
8327116
Drop comments from preparing for capsule installation
aneta-petrova Sep 5, 2025
bc907f5
Use attribute for server
aneta-petrova Sep 5, 2025
411b8c1
Drop integrated/external proxy definitions
aneta-petrova Sep 5, 2025
f38d86a
Open ports only for default services
aneta-petrova Sep 10, 2025
18317ea
Revert "Open ports only for default services"
aneta-petrova Sep 11, 2025
63d837a
Drop note about configuration-specific ports to be opened
aneta-petrova Sep 11, 2025
f95141e
Fix URL to networking considerations
aneta-petrova Sep 17, 2025
ac2faf2
Simplify introduction
aneta-petrova Sep 17, 2025
f7c2828
Fix link
aneta-petrova Sep 17, 2025
1cb0a23
Rephrase hint about using firewall-cmd
aneta-petrova Sep 17, 2025
404bfe5
Fix link again
aneta-petrova Sep 17, 2025
3c96f12
Apply suggestions from style review
aneta-petrova Sep 18, 2025
b5ac66f
Replace SmartProxy with SmartProxyServer
aneta-petrova Sep 18, 2025
92b73b5
Reword description of a smart proxy networking setup
aneta-petrova Sep 18, 2025
7a35aa1
Drop obsolete information on outgoing traffic
aneta-petrova Sep 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions guides/common/assembly_major-project-components.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,4 @@ include::modules/ref_list-of-key-open-source-components-of-foreman.adoc[leveloff

include::modules/con_smartproxy-features.adoc[leveloffset=+1]

include::modules/con_smartproxy-networking.adoc[leveloffset=+1]

include::modules/con_major-project-components-additional-resources.adoc[leveloffset=+1]
7 changes: 7 additions & 0 deletions guides/common/assembly_networking-considerations-in-project.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
include::modules/con_networking-considerations-in-project.adoc[]

include::modules/con_smart-proxy-networking.adoc[leveloffset=+1]

include::modules/ref_project-server-port-and-firewall-requirements.adoc[leveloffset=+1]

include::modules/ref_smart-proxy-port-and-firewall-requirements.adoc[leveloffset=+1]
2 changes: 0 additions & 2 deletions guides/common/assembly_planning-project-server-installation.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,6 @@ ifdef::katello,orcharhino,satellite[]
include::modules/ref_best-practices-for-optimizing-storage.adoc[leveloffset=+1]
endif::[]

include::modules/ref_port-and-firewall-requirements.adoc[leveloffset=+1]

ifeval::["{mode}" == "connected"]
include::modules/ref_ipv6-and-ipv4-requirements.adoc[leveloffset=+1]
endif::[]
Expand Down
8 changes: 1 addition & 7 deletions guides/common/assembly_preparing-environment-for-capsule-installation.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,21 +9,15 @@ Review the following prerequisites before you install {SmartProxyServer}.

include::modules/ref_operating-system-requirements.adoc[leveloffset=+1]

// System Requirements
include::modules/ref_system-requirements.adoc[leveloffset=+1]

ifdef::katello,satellite[]
// Storage requirements
include::modules/ref_capsule-storage-requirements.adoc[leveloffset=+1]

include::modules/ref_best-practices-for-optimizing-storage.adoc[leveloffset=+1]
endif::[]

// Port and Firewall Requirements
include::modules/ref_smart-proxy-port-and-firewall-requirements.adoc[leveloffset=+1]

// Enabling Connections from {ProjectServer} and Clients to a {SmartProxyServer}
include::modules/proc_enabling-connections-to-capsule.adoc[leveloffset=+1]
include::modules/proc_opening-required-ports.adoc[leveloffset=+1]

ifdef::parent-context[:context: {parent-context}]
ifndef::parent-context[:!context:]
2 changes: 1 addition & 1 deletion guides/common/assembly_preparing-environment-for-project-server-installation.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

include::modules/con_preparing-environment-for-project-server-installation.adoc[]

include::modules/proc_enabling-client-connections-to-project-server.adoc[leveloffset=+1]
include::modules/proc_opening-required-ports.adoc[leveloffset=+1]

include::modules/proc_verifying-dns-resolution.adoc[leveloffset=+1]

Expand Down
2 changes: 1 addition & 1 deletion guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ To provision machines through HTTP booting ensure that you meet the following re
For HTTP booting to work, ensure that your environment has the following client-side configurations:

* All the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}.
For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[].
For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[].
* Your client has access to the DHCP and DNS servers.
* Your client has access to the HTTP UEFI Boot {SmartProxy}.

Expand Down
2 changes: 1 addition & 1 deletion guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ To provision machines through HTTP booting without managed DHCP ensure that you
* Ensure that your client has access to the DHCP and DNS servers.
* Ensure that your client has access to the HTTP UEFI Boot {SmartProxy}.
* Ensure that all the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}.
For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[].
For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[].

.Network requirements
* An unmanaged DHCP server available for clients.
Expand Down
4 changes: 4 additions & 0 deletions guides/common/modules/con_networking-considerations-in-project.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
[id="networking-considerations-in-{project-context}"]
= Networking considerations in {Project}

For the components of {Project} architecture to communicate, the required network ports must be open and free to enable incoming and outgoing traffic between the components.
2 changes: 1 addition & 1 deletion guides/common/modules/con_pxe-booting-requirements.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ To provision machines using PXE booting, ensure that you meet the following requ

.Client requirements
* Ensure that all the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}.
For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[].
For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[].

* Ensure that your client has access to the DHCP and TFTP servers.

Expand Down
43 changes: 43 additions & 0 deletions guides/common/modules/con_smart-proxy-networking.adoc
View file
Open in desktop
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this chapter we run into the naming problem: Capsule in downstream is IMHO something quite different than a Smart Proxy.

My interpretation:

  • Smart Proxy: the generic concept that Foreman connects to
  • Foreman Proxy: the Ruby implementation of Smart Proxy
  • Capsule: The downstream naming for a server that has a few services: Foreman Proxy, Pulp, Apache (for the RHSM registration API). Upstream we sometimes refer to this as Content Proxies: a Proxy with a set of content features.

Now looking ahead we're going to make this a bigger problem. The Insights on Premise is also recognized as a Smart Proxy. Then with pulp_smart_proxy the Pulp server can identify as a Smart Proxy.

In other words: I think soon we need to have the discussion within Red Hat: where do we want to go with this. Do we stop branding Smart Proxy as Capsule?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is actionable right now but it's interesting information so I'll keep this thread open for awareness.

Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
[id="{smart-proxy-context}-networking"]
= {SmartProxy} networking

The communication between {ProjectServer} and hosts registered to a {SmartProxyServer} is routed through that {SmartProxyServer}.
{SmartProxyServer} also provides {Project} services to hosts.

[NOTE]
====
Some outgoing traffic returns to {Project} to enable internal communication and security operations.
====

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't quite understand this & it seems rather confusing. "some" sounds bad and unspecific from a security perspective. Does this admonition add any value to users? I am leaning towards no.

Suggested change
[NOTE]
====
Some outgoing traffic returns to {Project} to enable internal communication and security operations.
====

Was this part of the docs before? If so, feel free to ignore my comment/move this to an GH issue.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to resolve this here so that we're sure the reviewed requirements are okay. @evgeni can you shed some light on this? Can we perhaps specify the note? Or is it safe to drop it?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, it was added in #2451 and is frankly a tad confusing.
So strap on your best glasses, we're using a Tardis!

The bug that #2451 was trying to fix (https://bugzilla.redhat.com/show_bug.cgi?id=2233266) was reported against Satellite 6.13, and we look at https://docs.redhat.com/en/documentation/red_hat_satellite/6.13/html/installing_satellite_server_in_a_connected_network_environment/preparing_your_environment_for_installation_satellite#Ports_and_Firewalls_Requirements_satellite we see the following entries with "Satellite" as the destination:

Destination Port Protocol Service Destination Required For Description
443 TCP HTTPS Satellite Capsule Capsule, Configuration management, Template retrieval, OpenSCAP, Remote Execution result upload
5646 TCP AMQP Satellite Server Katello agent Forward message to Qpid dispatch router on Capsule (optional)
5671 Satellite Server Remote install for Katello agent Send install command to client
5671 Satellite Server Remote install for Katello agent Forward message to dispatch router on Satellite

(Yes, protocol and service are missing for the last two lines, yes "Satellite" vs "Satellite Server" is inconsistent, have a 🍷 for me please)

Now, it is true that the way Katello agent communication was set up, the Germans would call "from behind, through the chest, into the eye" (Sorry Anet, if you don't have a visual picture of the pain, I either owe you one, or you can count yourself lucky, or both).

Luckily for us, today, stepped out of the Tardis again: Katello agent is a sin of the past and we don't have to care about it anymore and can solely focus on the one remaining entry in todays docs:

Destination Port Protocol Service Destination Required For Description
443 TCP HTTPS Satellite Capsule Capsule, Configuration management, Template retrieval, OpenSCAP, Remote Execution result upload

And the great thing? It's nonsense! I mean, yeah, the external Capsule needs to be able to talk to the Satellite on port 443 (and others!) but that should be covered by "{Project} incoming traffic" and "{SmartProxy} outgoing traffic" and never be part of "{Project} outgoing traffic"

So, my verdict is:

  • drop that note
  • drop line 65-73 of guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc (| 443 | TCP | HTTPS | {Project} | {SmartProxy} | {SmartProxy} … )

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That was quite the suspenseful read. I wish more comments were like this.

Also, it really helps that you summarized it at the end to tell me what it is that I'm supposed to do 😆 So I removed both the note and the row.

ifndef::satellite[]
In a topology with hosts connecting to a {SmartProxyServer},
endif::[]
ifdef::satellite[]
In xref:{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}[],
endif::[]
{SmartProxy} provides a single endpoint for all host network communications so that in remote network segments, only firewall ports to the {SmartProxy} itself must be open.
Hosts do not need direct access to the {ProjectServer} itself.

// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements"
ifdef::satellite[]
[id="{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}"]
.{Project} topology with hosts connecting to a {SmartProxy}
image::common/topology-isolated-satellite.png[{ProjectName} topology with a host]
endif::[]

ifndef::satellite[]
In a topology with hosts connecting directly to {ProjectServer},
endif::[]
ifdef::satellite[]
In xref:{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server[],
endif::[]
hosts connect to {ProjectServer} rather than a {SmartProxy}.
This applies also to {SmartProxies} themselves because the {SmartProxyServer} is a host of {ProjectServer}.
Hosts need direct network access to {ProjectServer}.

// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements"
ifdef::satellite[]
[id="{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server"]
.{Project} topology with hosts connecting directly to {ProjectServer}
image::common/topology-direct-satellite.png[{ProjectName} topology with a direct host]
endif::[]
36 changes: 0 additions & 36 deletions guides/common/modules/con_smartproxy-networking.adoc
View file
Open in desktop

This file was deleted.

2 changes: 1 addition & 1 deletion guides/common/modules/proc_configuring-capsule-default-certificate.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ endif::[]
* {SmartProxyServer} packages are installed.
For more information, see xref:installing-{smart-proxy-context}-server-packages[].
* The required ports are open.
For more information, see xref:{smart-proxy-context}-port-and-firewall-requirements_{context}[].
For more information, see xref:common/modules/proc_opening-required-ports.adoc#opening-required-ports[].

.Procedure

Expand Down
2 changes: 1 addition & 1 deletion ...mmon/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ For more information, see xref:Registering_Proxy_to_Server_{smart-proxy-context}
* {SmartProxyServer} packages are installed.
For more information, see xref:installing-{smart-proxy-context}-server-packages[].
* The required ports are open.
For more information, see xref:{smart-proxy-context}-port-and-firewall-requirements_{context}[].
For more information, see xref:common/modules/proc_opening-required-ports.adoc#opening-required-ports[].

.Procedure
. On your {ProjectServer}, generate a certificate bundle:
Expand Down
41 changes: 0 additions & 41 deletions guides/common/modules/proc_enabling-client-connections-to-project-server.adoc
View file
Open in desktop

This file was deleted.

40 changes: 0 additions & 40 deletions guides/common/modules/proc_enabling-connections-to-capsule.adoc
View file
Open in desktop

This file was deleted.

13 changes: 9 additions & 4 deletions guides/common/modules/proc_installing-postgresql.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,6 @@ ifndef::foreman-deb[]
{Project} supports PostgreSQL version 13.
endif::[]

include::snip_firewalld.adoc[]

.Prerequisites
* The prepared host has base operating system repositories enabled.
* The prepared host has sufficient disk space available for the `{postgresql-lib-dir}` directory.
Expand Down Expand Up @@ -85,13 +83,20 @@ password_encryption=scram-sha-256
----
# systemctl enable --now postgresql
----
. Open the *postgresql* port:
. Update the firewall configuration.
For example, using the `firewall-cmd` command:
.. Open the *postgresql* port:
+
[options="nowrap" subs="verbatim,quotes"]
----
# firewall-cmd --add-service=postgresql
----
include::snip_make-firewall-settings-persistent.adoc[]
.. Make the changes persistent:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# firewall-cmd --runtime-to-permanent
----
. Switch to the `postgres` user and start the PostgreSQL client:
+
[options="nowrap" subs="verbatim,quotes"]
Expand Down
83 changes: 83 additions & 0 deletions guides/common/modules/proc_opening-required-ports.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
:_mod-docs-content-type: PROCEDURE

[id="opening-required-ports"]
= Opening required ports

For the components of {Project} architecture to communicate, ensure that the required network ports are open and free on the base operating system.
You must also ensure that the required network ports are open on any network-based firewalls.

[NOTE]
====
Some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls.
If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall.
If possible, disable the application checking and allow open port communication based on the protocol.
====

ifndef::satellite,orcharhino[]
If you do not use `firewall-cmd` to configure the Linux firewall, implement using the command of your choice.
endif::[]

.Procedure
. Optional: If you need to prevent the DHCP {SmartProxy} from pinging hosts to check for available IP addresses, disable DHCP IP address pinging:
+
[options="nowrap", subs="+quotes,attributes"]
----
# {foreman-installer} --foreman-proxy-dhcp-ping-free-ip false
----
+
By default, a DHCP {SmartProxy} performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free.
ifdef::katello,satellite,orcharhino[]
ifeval::["{context}" == "{project-context}"]
. Open the ports for clients on {ProjectServer}:
endif::[]
ifeval::["{context}" == "{smart-proxy-context}"]
. Open the ports for clients on {SmartProxyServer}:
endif::[]
+
[options="nowrap"]
----
# firewall-cmd \
--add-port="8000/tcp" \
--add-port="9090/tcp"
----
endif::[]
ifeval::["{context}" == "{project-context}"]
. Allow access to services on {ProjectServer}:
endif::[]
ifeval::["{context}" == "{smart-proxy-context}"]
. Allow access to services on {SmartProxyServer}:
endif::[]
+
[options="nowrap"]
----
# firewall-cmd \
--add-service=dns \
--add-service=dhcp \
--add-service=tftp \
--add-service=http \
--add-service=https \
ifndef::katello,satellite,orcharhino[]
--add-service=foreman-proxy \
endif::[]
--add-service=puppetmaster
----
. Make the changes persistent:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# firewall-cmd --runtime-to-permanent
----

.Verification
* Enter the following command:
+
[options="nowrap"]
----
# firewall-cmd --list-all
----

.Additional resources
* {PlanningDocURL}networking-considerations-in-a-{project-context}-deployment[Networking considerations in a {Project} deployment]
ifndef::foreman-deb[]
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters[Using and configuring firewalld in _{RHEL}{nbsp}9 Configuring firewalls and packet filters_]
endif::[]
7 changes: 6 additions & 1 deletion guides/common/modules/proc_registering-capsule-to-satellite-server.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,11 @@ For more information on manifests and repositories, see {ContentManagementDocURL
** Ensure HTTPS connection using client certificate authentication is possible between {SmartProxyServer} and {ProjectServer}.
HTTP proxies between {SmartProxyServer} and {ProjectServer} are not supported.
** You must configure the host and network-based firewalls accordingly.
For more information, see {InstallingSmartProxyDocURL}{smart-proxy-context}-port-and-firewall-requirements_{smart-proxy-context}[Port and firewall requirements] in _{InstallingSmartProxyDocTitle}_.
ifeval::["{context}" == "load-balancing"]
For more information, see {InstallingSmartProxyDocURL}opening-required-ports[Opening required ports in _{InstallingSmartProxyDocTitle}_].
endif::[]
ifeval::["{context}" == "installing-capsule-server"]
For more information, see xref:common/modules/proc_opening-required-ports.adoc#opening-required-ports[].
endif::[]

include::snip_host-registration-steps.adoc[]
Loading
Loading