Default Firewall RulesΒΆ

StarlingX applies default firewall rules on the OAM network. The default rules are recommended for most applications.

Traffic is permitted for the following protocols and ports to allow access for platform services. By default, all other traffic is blocked.

You can view the configured firewall rules with the following command:

~(keystone_admin)]$ kubectl describe globalnetworkpolicy
Name:         controller-oam-if-gnp
Namespace:
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"crd.projectcalico.org/v1","kind":"GlobalNetworkPolicy","metadata":{"annotations":{},"name":"controller-oam-if-gnp"},"spec":...
API Version:  crd.projectcalico.org/v1
Kind:         GlobalNetworkPolicy
Metadata:
  Creation Timestamp:  2019-08-08T20:18:34Z
  Generation:          1
  Resource Version:    1395
  Self Link:           /apis/crd.projectcalico.org/v1/globalnetworkpolicies/controller-oam-if-gnp
  UID:                 b28b74fe-ba19-11e9-9176-ac1f6b0eef28
Spec:
  Apply On Forward:  false
  Egress:
    Action:      Allow
    Ip Version:  4
    Protocol:    TCP
    Action:      Allow
    Ip Version:  4
    Protocol:    UDP
    Action:      Allow
    Protocol:    ICMP
  Ingress:
    Action:  Allow
    Destination:
      Ports:
        22
        18002
        4545
        15491
        6385
        7777
        6443
        9001
        9002
        7480
        9311
        5000
        8080
    Ip Version:  4
    Protocol:    TCP
    Action:      Allow
    Destination:
      Ports:
        2222
        2223
        123
        161
        162
        319
        320
    Ip Version:  4
    Protocol:    UDP
    Action:      Allow
    Protocol:    ICMP
  Order:         100
  Selector:      has(iftype) && iftype == 'oam'
  Types:
    Ingress
    Egress
Events:  <none>

Where:

Protocol

Port

Service Name

tcp

22

ssh

tcp

8080

horizon (http only)

tcp

8443

horizon (https only)

tcp

5000

keystone-api

tcp

6385

stx-metal

stx-config

tcp

8119

stx-distcloud

tcp

18002

stx-fault

tcp

7777

stx-ha

tcp

4545

stx-nfv

tcp

6443

Kubernetes api server

tcp

9001

Docker registry

tcp

9002

Registry token server

tcp

15491

stx-update

icmp

icmp

udp

123

ntp

udp

161

snmp

udp

2222

service manager

udp

2223

service manager

Note

Custom rules may be added for other requirements. For more information, see StarlingX Security: Firewall Options.

Note

UDP ports 2222 and 2223 are used by the service manager for state synchronization and heart beating between the controllers. All messages are authenticated with a SHA512 HMAC. Only packets originating from the peer controller are permitted; all other packets are dropped.