
Possible update in docs #22

Open
mariojsantos opened this issue Nov 14, 2023 · 2 comments
Comments

@mariojsantos

Hi.
On the page https://github.com/FOGProject/fog-docs/blob/master/docs/kb/reference/network-and-firewall-requirements.md, section 2, the text suggests opening the UDP ports 1024 to 65535. In my tests with nftables and FOG version 1.5.10 on Debian 11, the image deploy only worked after allowing the high TCP ports as well. In my case I allowed the port range 49152-65535. If someone else could also test and validate that, it would be worth adding it to the aforementioned page.
Att.

@darksidemilk
Member

I myself have never had to open any internal firewall ports. But I think I may have followed some old guidance on disabling iptables/firewall as it's an internal only resource and I lock down the external access on firewalls elsewhere.
However, this doc appears to be referencing from client to server, not the ports on the server. Or maybe it's referencing from storage nodes to server, or is it from clients to storage nodes? I just converted this one to markdown so I'm not entirely sure.

My point is, we will gladly add a working configuration to the docs. Can you give more detail on where you're unblocking those ports, perhaps an example of the rule and how to add it? And then we can link to official nftables docs for more detail.
Feel free to add it as a pull request, even just using the github web editor should be good.

We may also want to provide better detail from a security standpoint as opening that wide a range of ports is typically not the best approach.

@mariojsantos
Author

Hi @darksidemilk. Thanks for the answer.
I apologize for the lack of context. I usually (as a good practice) implement a packet filter on all servers, even if the servers are only on the local network. The initial tests with FOG were without any filters on the ports, and all tests went without problems.

My scenario is a flat network where the FOG server and storage are on the same VM. After testing, for the production server I set up the packet filter; in my case it was nftables, but it could be any other one: iptables, ufw, firewalld, etc. The most important thing is to know the correct port range. The range I'm referring to is item 2, TFTP boot, on the page in question, in the "from clients to storage" bullet.

I thought that if the range used by the client to download the image for deploy from the TFTP server were defined in the source code, it would only be necessary to specify this range in the documentation. In this case, is the TFTP client a third-party client, separate from the FOG client?

I will research more and perform packet captures to understand exactly the ports used in the image deploy and capture process and then open a PR.
Att.
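The rule darksidemilk asked for, written as an nftables fragment for the reporter's scenario (server and storage node on one host, flat LAN). This is an added example, not configuration from the FOG project or its docs; the client subnet 192.0.2.0/24 and interface eth0 are placeholders, and the other services the FOG server exposes (listed on the linked docs page) are deliberately left out so only the ranges discussed in this issue appear.

```nft
#!/usr/sbin/nft -f
# Added example for this issue, not FOG project configuration.
# Assumptions (placeholders): LAN with FOG clients is 192.0.2.0/24,
# the server's LAN interface is eth0.
define fog_clients = 192.0.2.0/24
define lan_if = "eth0"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Only client-to-storage traffic is handled in this chain;
        # other FOG services would be accepted here as well.
        iifname $lan_if ip saddr $fog_clients jump fog_deploy
    }

    # Ranges discussed in this issue, restricted to the client subnet
    # and the LAN interface rather than opened to every source.
    # "counter" makes 'nft list ruleset' show whether each range is
    # actually hit during a deploy, which checks the reporter's claim
    # that the high TCP range is needed.
    chain fog_deploy {
        udp dport 1024-65535  counter accept comment "docs: TFTP boot"
        tcp dport 49152-65535 counter accept comment "issue #22: deploy"
    }
}
```

Load it with `nft -f` on Debian 11, run an image deploy from a client and compare the two counters before persisting the file as /etc/nftables.conf and enabling the nftables service.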
