Configure firewall on host to open https port after installing CE

[yurem]

Yuriy: is it secure to open 443 port without admin approval?
Ganesh Dutt Sharma: yes, because anyway, external firewall still needs an open port at 443.
Most of our clients are doing it.
Yuriy: I think we can do this in postinstall script. We need to give Adrian commands for each platform.
Also to inform admin we can print message to console:
"Checking if https port is open and configuring firewall rules.."

Example for Ubuntu:
sudo ufw allow https

[adrian-gluu]

our pkgs disable IPTABLES in the host and also there is no iptables inside of the chroot

[yurem]

I'm not sure that we can just disable all rules silently. For CE we only need to disable https

[ganesh-at-wiw]

disable?

[ganesh-at-wiw]

This will send entirely wrong signal to individual testers who just want to see the interface after installation. It'll send signals of not-working rather than a little security concern. So, at least 443 should be open.

[nynymike]

It is ridiculous to disable iptables on the host. I would say that host firewall config is up to the system admin. We should not mess with the host firewall--just document the required ports for our application.

[adrian-gluu]

your call guys i think only happens on RPM for centos7 and rhel7 because of the manner that we handle the systemd unit file
@yurem @ganesh-at-wiw @mzico @nynymike

[ganesh-at-wiw]

We should not disable iptables of host. We simply should add our one rule to allow port 443.

[yurem]

ganesh-at-wiw commented 5 days ago

disable?
enable :), It's typo in this message. In original description I put right exaplanation

[ganesh-at-wiw]

Thanks :)

[adrian-gluu]

add a rule how? if you dont have any way to know how the customer firewall is i think we can just disable adn add notes in our doc not inside of the pkg, we cannot know every customer firewall way

[nynymike]

I agree. Per my previous comment, I don't think we should change the host firewall. Just make recommendations in the docs.

[adrian-gluu]

also ONLY centos7 and rhel7 packages are disabling the firewall, because systemd hack that we have there but i will remove that in our next build

[yurem]

@adrian-gluu Can you update our admin docs. We need to explain that admin should open 443 port after installing CE

[yurem]

Honestly speaking it's not our responsibility to change firewall rules on host.

I think we should check if port is closed and show admin warning about this.

[yurem]

I'm closing this because this can cause more questions than expected result. It's admin responsibility to enable firewall on host if needed.