2.3. Firewalls

2.3.1. Red Hat Enterprise Virtualization Manager Firewall Requirements

The Red Hat Enterprise Virtualization Manager requires that a number of ports be opened to allow network traffic through the system's firewall. The engine-setup script can configure the firewall automatically, but this overwrites any pre-existing firewall configuration.

Where an existing firewall configuration exists, you must manually insert the firewall rules required by the Manager instead. The engine-setup command saves a list of the iptables rules required in the /usr/share/ovirt-engine/conf/iptables.example file.

The firewall configuration documented here assumes a default configuration. Where non-default HTTP and HTTPS ports are chosen during installation, adjust the firewall rules to allow network traffic on the ports that were selected - not the default ports (80 and 443) listed here.

Table 2.7. Red Hat Enterprise Virtualization Manager Firewall Requirements

Port(s)	Protocol	Source	Destination	Purpose
-	ICMP	Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Enterprise Linux host(s)	Red Hat Enterprise Virtualization Manager	When registering to the Red Hat Enterprise Virtualization Manager, virtualization hosts send an ICMP ping request to the Manager to confirm that it is online.
22	TCP	System(s) used for maintenance of the Manager including backend configuration, and software upgrades.	Red Hat Enterprise Virtualization Manager	Secure Shell (SSH) access. Optional.
2222	TCP	Clients accessing virtual machine serial consoles.	Red Hat Enterprise Virtualization Manager	Secure Shell (SSH) access to enable connection to virtual machine serial consoles.
80, 443	TCP	Administration Portal clients User Portal clients Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Enterprise Linux host(s) REST API clients	Red Hat Enterprise Virtualization Manager	Provides HTTP and HTTPS access to the Manager.
6100	TCP	Administration Portal clients User Portal clients	Red Hat Enterprise Virtualization Manager	Provides websocket proxy access for web-based console clients (`noVNC` and `spice-html5`) when the websocket proxy is running on the Manager. If the websocket proxy is running on a different host, however, this port is not used.
7410	UDP	Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Enterprise Linux host(s)	Red Hat Enterprise Virtualization Manager	Must be open for the Manager to receive Kdump notifications.

Important

In environments where the Red Hat Enterprise Virtualization Manager is also required to export NFS storage, such as an ISO Storage Domain, additional ports must be allowed through the firewall. Grant firewall exceptions for the ports applicable to the version of NFS in use:

NFSv4

TCP port 2049 for NFS.

NFSv3

TCP and UDP port 2049 for NFS.
TCP and UDP port 111 (rpcbind/sunrpc).
TCP and UDP port specified with MOUNTD_PORT="port"
TCP and UDP port specified with STATD_PORT="port"
TCP port specified with LOCKD_TCPPORT="port"
UDP port specified with LOCKD_UDPPORT="port"

The MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, and LOCKD_UDPPORT ports are configured in the /etc/sysconfig/nfs file.

2.3.2. Hypervisor Firewall Requirements

Hypervisor hosts require a number of ports to be opened to allow network traffic through the system's firewall. In the case of the Red Hat Enterprise Virtualization Hypervisor and Red Hat Virtualization Host, these firewall rules are configured automatically. For Red Hat Enterprise Linux hosts however it is necessary to manually configure the firewall.

Table 2.8. Virtualization Host Firewall Requirements

Port(s)	Protocol	Source	Destination	Purpose
22	TCP	Red Hat Enterprise Virtualization Manager	Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Virtualization Host(s) Red Hat Enterprise Linux host(s)	Secure Shell (SSH) access. Optional.
2223	TCP	Red Hat Enterprise Virtualization Manager	Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Virtualization Host(s) Red Hat Enterprise Linux host(s)	Secure Shell (SSH) access to enable connection to virtual machine serial consoles.
161	UDP	Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Virtualization Host(s) Red Hat Enterprise Linux host(s)	Red Hat Enterprise Virtualization Manager	Simple network management protocol (SNMP). Only required if you want Simple Network Management Protocol traps sent from the hypervisor to one or more external SNMP managers. Optional.
5900 - 6923	TCP	Administration Portal clients User Portal clients	Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Virtualization Host(s) Red Hat Enterprise Linux host(s)	Remote guest console access via VNC and SPICE. These ports must be open to facilitate client access to virtual machines.
5989	TCP, UDP	Common Information Model Object Manager (CIMOM)	Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Virtualization Host(s) Red Hat Enterprise Linux host(s)	Used by Common Information Model Object Managers (CIMOM) to monitor virtual machines running on the hypervisor. Only required if you want to use a CIMOM to monitor the virtual machines in your virtualization environment. Optional.
16514	TCP	Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Virtualization Host(s) Red Hat Enterprise Linux host(s)	Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Virtualization Host(s) Red Hat Enterprise Linux host(s)	Virtual machine migration using `libvirt`.
49152 - 49216	TCP	Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Virtualization Host(s) Red Hat Enterprise Linux host(s)	Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Virtualization Host(s) Red Hat Enterprise Linux host(s)	Virtual machine migration and fencing using VDSM. These ports must be open facilitate both automated and manually initiated migration of virtual machines.
54321	TCP	Red Hat Enterprise Virtualization Manager Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Virtualization Host(s) Red Hat Enterprise Linux host(s)	Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Virtualization Host(s) Red Hat Enterprise Linux host(s)	VDSM communications with the Manager and other virtualization hosts.

2.3.3. Directory Server Firewall Requirements

Red Hat Enterprise Virtualization requires a directory server to support user authentication. A number of ports must be opened in the directory server's firewall to support GSS-API authentication as used by the Red Hat Enterprise Virtualization Manager.

Table 2.9. Host Firewall Requirements

Port(s)	Protocol	Source	Destination	Purpose
88, 464	TCP, UDP	Red Hat Enterprise Virtualization Manager	Directory server	Kerberos authentication.
389, 636	TCP	Red Hat Enterprise Virtualization Manager	Directory server	Lightweight Directory Access Protocol (LDAP) and LDAP over SSL.

2.3.4. Database Server Firewall Requirements

Red Hat Enterprise Virtualization supports the use of a remote database server. If you plan to use a remote database server with Red Hat Enterprise Virtualization then you must ensure that the remote database server allows connections from the Manager.

Table 2.10. Host Firewall Requirements

Port(s)	Protocol	Source	Destination	Purpose
5432	TCP, UDP	Red Hat Enterprise Virtualization Manager	PostgreSQL database server	Default port for PostgreSQL database connections.

If you plan to use a local database server on the Manager itself, which is the default option provided during installation, then no additional firewall rules are required.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

2.3.1. Red Hat Enterprise Virtualization Manager Firewall Requirements

2.3.2. Hypervisor Firewall Requirements

2.3.3. Directory Server Firewall Requirements

2.3.4. Database Server Firewall Requirements

Where did the comment section go?