iptables setup from perfsonar-toolkit-security not loaded on U24? #483

Open
laeti-tia opened this issue Jun 26, 2024 · 2 comments
@laeti-tia
Member

laeti-tia commented Jun 26, 2024

Installing perfsonar-testpoint together with perfsonar-toolkit-security on Ubuntu 22 and 24 doesn't seem to result in anything existing in either iptables or firewalld.

It might be related to #427

@laeti-tia laeti-tia self-assigned this Jul 15, 2024
@laeti-tia
Member Author

Or this might be an artefact of running in a Docker container…

@laeti-tia laeti-tia changed the title from "iptables setup from perfsonar-toolkit-security not loaded on U22 and U24" to "iptables setup from perfsonar-toolkit-security not loaded on U24?" on Jul 15, 2024
@laeti-tia
Member Author

Firewall setup is working on U22 on a VM, but is not working in a Docker container, which was my primary testing environment. Will test on U24 VM in a few days.

However, it's good to know that on newer OSes the firewalld backend is not iptables anymore but nf_tables. If you want to double-check that the firewalld setup is correctly defined in the kernel filtering tables, you need to use nft-based commands, for example:

# nft list chain inet firewalld filter_IN_public_allow
table inet firewalld {
	chain filter_IN_public_allow {
		tcp dport 22 ct state { new, untracked } accept
		ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
		udp dport 123 ct state { new, untracked } accept
		udp dport 33434-33634 ct state { new, untracked } accept
		tcp dport 4823 ct state { new, untracked } accept
		tcp dport 861 ct state { new, untracked } accept
		tcp dport 862 ct state { new, untracked } accept
		tcp dport 80 ct state { new, untracked } accept
		tcp dport 443 ct state { new, untracked } accept
		udp dport 8760-9960 ct state { new, untracked } accept
		tcp dport 8760-9960 ct state { new, untracked } accept
		udp dport 18760-19960 ct state { new, untracked } accept
		tcp dport 18760-19960 ct state { new, untracked } accept
		tcp dport 5201 ct state { new, untracked } accept
		udp dport 5201 ct state { new, untracked } accept
		tcp dport 5001 ct state { new, untracked } accept
		udp dport 5001 ct state { new, untracked } accept
		tcp dport 5000 ct state { new, untracked } accept
		tcp dport 5101 ct state { new, untracked } accept
		udp dport 5000 ct state { new, untracked } accept
		udp dport 5101 ct state { new, untracked } accept
		tcp dport 5890-5900 ct state { new, untracked } accept
	}
}
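
An added example, not part of the original comment or of perfSONAR's own code: a Python script that parses the text form of the `nft list chain` output shown above and diffs the accepted ports against a port policy. `SAMPLE` is a constructed, shortened copy of the listing above, `POLICY` is a hypothetical policy for illustration, and the function names are assumptions.

```python
import re
import sys

# Constructed sample: a shortened copy of the chain listing quoted above.
SAMPLE = """\
table inet firewalld {
    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
        ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
        udp dport 33434-33634 ct state { new, untracked } accept
        tcp dport 861 ct state { new, untracked } accept
        tcp dport 443 ct state { new, untracked } accept
        udp dport 8760-9960 ct state { new, untracked } accept
        tcp dport 5201 ct state { new, untracked } accept
    }
}
"""
# Hypothetical policy (proto, low, high); not an official perfSONAR port list.
POLICY = [("tcp", 22, 22), ("tcp", 443, 443), ("tcp", 861, 861),
          ("tcp", 862, 862), ("udp", 8760, 9960), ("udp", 33434, 33634)]

# Matches the two dport forms seen in the listing: a single port or a range.
RULE = re.compile(r"\b(tcp|udp) dport (\d+)(?:-(\d+))?\b.*\baccept\s*$")

def parse_accepts(listing):
    """Return (proto, low, high, restricted) for every accept rule with a dport."""
    rules = []
    for line in map(str.strip, listing.splitlines()):
        m = RULE.search(line)
        if m:
            low, high = int(m.group(2)), int(m.group(3) or m.group(2))
            # Extra matches before "<proto> dport" (e.g. "ip6 daddr") narrow the rule.
            rules.append((m.group(1), low, high, bool(line[:m.start()].strip())))
    return rules

def diff_policy(listing, policy):
    """Return (missing, extra): policy entries not opened, open ports not in policy."""
    opened = [r[:3] for r in parse_accepts(listing) if not r[3]]
    def covered(item, pool):
        proto, low, high = item
        return any(proto == p and a <= low and high <= b for p, a, b in pool)
    return ([e for e in policy if not covered(e, opened)],
            [o for o in opened if not covered(o, policy)])

if __name__ == "__main__":
    # Pipe real output in (nft list chain inet firewalld filter_IN_public_allow),
    # or run without input to use the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    missing, extra = diff_policy(text, POLICY)
    print("missing from chain:", missing)
    print("open but not in policy:", extra)
```

A chain listing with no accept rules reports every policy entry as missing, and rules narrowed by an address match (such as the `ip6 daddr fe80::/64` line) are not counted as open to all sources.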

Status: In Progress