2.3. Firewalls
2.3.1. Red Hat Virtualization Manager Firewall Requirements
The Red Hat Virtualization Manager requires a number of ports to be opened through the system's firewall. The engine-setup script can configure the firewall automatically, but this overwrites any pre-existing firewall configuration.
Where a firewall configuration already exists, insert the rules the Manager requires manually instead. The engine-setup command saves a list of the iptables rules required in the /usr/share/ovirt-engine/conf/iptables.example file.
The firewall configuration documented here assumes a default configuration. If you chose non-default HTTP or HTTPS ports during engine-setup, adjust the firewall rules to allow traffic on the ports you selected rather than the default ports (80 and 443) listed here.
When writing rules by hand, restrict each rule to the networks named in the Source column rather than accepting the port from any address; the SSH, serial console and websocket proxy services in particular only need to be reachable from the systems listed there.
Table 2.7. Red Hat Virtualization Manager Firewall Requirements
Port(s) | Protocol | Source | Destination | Purpose |
---|---|---|---|---|
- | ICMP | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Red Hat Virtualization Manager | When registering to the Red Hat Virtualization Manager, virtualization hosts send an ICMP ping request to the Manager to confirm that it is online. |
22 | TCP | System(s) used for maintenance of the Manager, including backend configuration and software upgrades | Red Hat Virtualization Manager | Secure Shell (SSH) access. Optional. |
2222 | TCP | Clients accessing virtual machine serial consoles | Red Hat Virtualization Manager | Secure Shell (SSH) access to enable connection to virtual machine serial consoles. |
80, 443 | TCP | Administration Portal clients; User Portal clients; Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s); REST API clients | Red Hat Virtualization Manager | Provides HTTP and HTTPS access to the Manager. |
6100 | TCP | Administration Portal clients; User Portal clients | Red Hat Virtualization Manager | Provides websocket proxy access for web-based console clients (noVNC and spice-html5) when the websocket proxy is running on the Manager. If the websocket proxy is running on a different host, this port is not used. |
7410 | UDP | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Red Hat Virtualization Manager | Must be open for the Manager to receive Kdump notifications. |
Important
Where the Manager itself exports NFS storage, the following additional ports must also be opened through its firewall:
NFSv4
- TCP port 2049 for NFS.
NFSv3
- TCP and UDP port 2049 for NFS.
- TCP and UDP port 111 (rpcbind/sunrpc).
- TCP and UDP port specified with MOUNTD_PORT="port"
- TCP and UDP port specified with STATD_PORT="port"
- TCP port specified with LOCKD_TCPPORT="port"
- UDP port specified with LOCKD_UDPPORT="port"
The MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, and LOCKD_UDPPORT ports are configured in the /etc/sysconfig/nfs file. Unless they are pinned there, the rpc helper daemons are assigned a port dynamically at start-up and no fixed firewall rule can cover them.
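The following is an added example, not code from the Red Hat Virtualization project or from the iptables.example file. It turns Table 2.7 and the NFS note above into a set of source-restricted iptables rules: the Source roles are mapped to constructed network ranges, the NFSv3 helper ports are read from a constructed /etc/sysconfig/nfs, and the example refuses to emit NFSv3 rules when one of those ports is not pinned. The role names, the network ranges, the assumption that the NFS clients are the hypervisors, and the iptables-save rule syntax are all assumptions of the example; the rules are printed for review, not applied.

```python
"""Turn Table 2.7 and the NFS note into iptables rules restricted by source.

Added example, not code from the Red Hat Virtualization project. The network
ranges, the role names and the /etc/sysconfig/nfs contents are constructed
assumptions; the rules are emitted in iptables-save syntax for review, not
applied.
"""
import re

# Constructed assumption: which network each Source role of Table 2.7 lives on.
SAMPLE_SOURCES = {
    "hosts": "10.0.2.0/24",            # RHVH / RHEL hypervisors
    "admins": "10.0.9.0/28",           # workstations used to maintain the Manager
    "console_clients": "10.0.3.0/24",  # users of virtual machine serial consoles
    "portal_clients": "10.0.3.0/24",   # Administration Portal / User Portal browsers
    "api_clients": "10.0.4.0/24",      # REST API clients
}

# Table 2.7 with the Manager as destination: (protocol, port, source roles).
MANAGER_TABLE = [
    ("icmp", None,   ("hosts",)),                                  # registration ping
    ("tcp",  "22",   ("admins",)),                                 # SSH, optional
    ("tcp",  "2222", ("console_clients",)),                        # SSH to serial consoles
    ("tcp",  "80",   ("portal_clients", "hosts", "api_clients")),  # HTTP
    ("tcp",  "443",  ("portal_clients", "hosts", "api_clients")),  # HTTPS
    ("tcp",  "6100", ("portal_clients",)),                         # websocket proxy
    ("udp",  "7410", ("hosts",)),                                  # Kdump notifications
]

# Constructed /etc/sysconfig/nfs with the NFSv3 helper ports pinned; an
# unquoted value and a comment line are included to exercise the parser.
SAMPLE_SYSCONFIG_NFS = """\
# pin the rpc helper daemons so static firewall rules can cover them
MOUNTD_PORT="892"
STATD_PORT=662
LOCKD_TCPPORT="32803"
LOCKD_UDPPORT="32769"
"""

_KV = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=\s*"?([^"\s#]+)"?\s*$')


def parse_sysconfig_nfs(text):
    """Return the KEY=value pairs of a sysconfig-style file as a dict."""
    cfg = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def nfs_ports(version, cfg=None):
    """(protocol, port) pairs the Manager must open when it exports NFS."""
    if version == "v4":
        return [("tcp", "2049")]
    if version != "v3":
        raise ValueError("version must be 'v3' or 'v4'")
    cfg = cfg or {}
    ports = [("tcp", "2049"), ("udp", "2049"), ("tcp", "111"), ("udp", "111")]
    for key, protos in (("MOUNTD_PORT", ("tcp", "udp")),
                        ("STATD_PORT", ("tcp", "udp")),
                        ("LOCKD_TCPPORT", ("tcp",)),
                        ("LOCKD_UDPPORT", ("udp",))):
        if key not in cfg:
            # Unpinned rpc daemons get a port from rpcbind at start-up, so no
            # static rule can be written for them: refuse rather than guess.
            raise ValueError(f"{key} is not set in /etc/sysconfig/nfs")
        ports.extend((proto, cfg[key]) for proto in protos)
    return ports


def _rule(cidr, proto, port):
    if proto == "icmp":
        return f"-A INPUT -s {cidr} -p icmp -j ACCEPT"
    return f"-A INPUT -s {cidr} -p {proto} -m {proto} --dport {port} -j ACCEPT"


def manager_rules(sources, nfs_version=None, nfs_cfg=None):
    """One ACCEPT rule per (source network, protocol, port) the table allows."""
    table = list(MANAGER_TABLE)
    if nfs_version:
        # Assumption: the NFS clients are the hypervisors (the "hosts" role).
        table += [(proto, port, ("hosts",))
                  for proto, port in nfs_ports(nfs_version, nfs_cfg)]
    rules = []
    for proto, port, roles in table:
        for cidr in sorted({sources[role] for role in roles}):
            rule = _rule(cidr, proto, port)
            if rule not in rules:  # two roles on one network share a rule
                rules.append(rule)
    return rules


if __name__ == "__main__":
    cfg = parse_sysconfig_nfs(SAMPLE_SYSCONFIG_NFS)
    print("\n".join(manager_rules(SAMPLE_SOURCES, "v3", cfg)))
```

The output is meant to be compared against what engine-setup wrote to iptables.example before the rules are merged into the existing policy; the per-source restriction is the part the table implies but a generic "open the port" rule set does not give you.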
2.3.2. Hypervisor Firewall Requirements
Table 2.8. Virtualization Host Firewall Requirements
Port(s) | Protocol | Source | Destination | Purpose |
---|---|---|---|---|
22 | TCP | Red Hat Virtualization Manager | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Secure Shell (SSH) access. Optional. |
2223 | TCP | Red Hat Virtualization Manager | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Secure Shell (SSH) access to enable connection to virtual machine serial consoles. |
161 | UDP | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Red Hat Virtualization Manager | Simple Network Management Protocol (SNMP). Only required if you want SNMP traps sent from the host to one or more external SNMP managers. Optional. |
5900 - 6923 | TCP | Administration Portal clients; User Portal clients | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Remote guest console access via VNC and SPICE. These ports must be open to facilitate client access to virtual machines. |
5989 | TCP, UDP | Common Information Model Object Manager (CIMOM) | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Used by Common Information Model Object Managers (CIMOM) to monitor virtual machines running on the host. Only required if you want to use a CIMOM to monitor the virtual machines in your virtualization environment. Optional. |
9090 | TCP | Red Hat Virtualization Manager; Client machines | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Cockpit user interface access. Optional. |
16514 | TCP | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Virtual machine migration using libvirt. |
49152 - 49216 | TCP | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Virtual machine migration and fencing using VDSM. These ports must be open to facilitate both automated and manually initiated migration of virtual machines. |
54321 | TCP | Red Hat Virtualization Manager; Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | Red Hat Virtualization Host(s); Red Hat Enterprise Linux host(s) | VDSM communications with the Manager and other virtualization hosts. |
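As an added example (not code from the Red Hat Virtualization project), the following audits a hypervisor's listening sockets against Table 2.8: it parses `ss -Hlntu` style output, ignores sockets bound to loopback, reports listeners the table does not account for, and reports required services that should always be listening but are not. The console range 5900 - 6923 and the VDSM range 49152 - 49216 are treated as dynamic, since they only listen while a virtual machine or migration is active, so their absence is not reported. The `ss` output is constructed; the "required" and "steady" flags on each row are the example's own reading of the table.

```python
"""Audit a hypervisor's listening sockets against Table 2.8.

Added example, not Red Hat Virtualization project code. The ss output below is
constructed; on a real host feed the function the output of `ss -Hlntu`.
"""

# Table 2.8 with the host as destination:
# (protocol, first port, last port, purpose, required, steady)
# "required" rows are services the Manager depends on; "steady" rows listen
# permanently, the console and VDSM migration ranges only while in use.
HOST_TABLE = [
    ("tcp", 22,    22,    "SSH",                        False, True),
    ("tcp", 2223,  2223,  "SSH to VM serial consoles",  True,  True),
    ("udp", 161,   161,   "SNMP traps",                 False, True),
    ("tcp", 5900,  6923,  "VNC/SPICE consoles",         True,  False),
    ("tcp", 5989,  5989,  "CIMOM",                      False, True),
    ("udp", 5989,  5989,  "CIMOM",                      False, True),
    ("tcp", 9090,  9090,  "Cockpit",                    False, True),
    ("tcp", 16514, 16514, "libvirt migration",          True,  True),
    ("tcp", 49152, 49216, "VDSM migration and fencing", True,  False),
    ("tcp", 54321, 54321, "VDSM",                       True,  True),
]

# Constructed `ss -Hlntu` output: one stray web service on 8080, libvirt's
# 16514 not listening, and a loopback-only UDP socket that is not reachable.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      128          0.0.0.0:2223       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5900       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:9090       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:54321      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
"""

_LOOPBACK = ("127.", "[::1]")


def parse_ss(text):
    """Return (protocol, local address, port) for each socket line of ss output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        # Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        sockets.append((fields[0], addr, int(port)))
    return sockets


def audit_listeners(ss_output, table=HOST_TABLE):
    """Classify listeners as expected, unexpected, or missing relative to the table."""
    expected, unexpected, seen_rows = set(), set(), set()
    for proto, addr, port in parse_ss(ss_output):
        if addr.startswith(_LOOPBACK):
            continue  # not reachable from the network, so outside firewall scope
        row = next((r for r in table if r[0] == proto and r[1] <= port <= r[2]), None)
        if row is None:
            unexpected.add((proto, port, addr))
        else:
            expected.add((proto, port, row[3]))
            seen_rows.add(row)
    missing = [(r[0], r[1], r[3]) for r in table
               if r[4] and r[5] and r not in seen_rows]
    return {"expected": sorted(expected),
            "unexpected": sorted(unexpected),
            "missing": sorted(missing)}


if __name__ == "__main__":
    for kind, entries in audit_listeners(SAMPLE_SS).items():
        print(kind)
        for entry in entries:
            print("   ", entry)
```

Anything in "unexpected" is a listener the firewall rules derived from the table will block if the policy is default-deny, or an exposure the table never intended if it is not; "missing" entries point at a service that is down rather than at a firewall problem.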
2.3.3. Directory Server Firewall Requirements
Table 2.9. Directory Server Firewall Requirements
Port(s) | Protocol | Source | Destination | Purpose |
---|---|---|---|---|
88, 464 | TCP, UDP | Red Hat Virtualization Manager | Directory server | Kerberos authentication. |
389, 636 | TCP | Red Hat Virtualization Manager | Directory server | Lightweight Directory Access Protocol (LDAP) and LDAP over SSL. |
2.3.4. Database Server Firewall Requirements
Table 2.10. Database Server Firewall Requirements
Port(s) | Protocol | Source | Destination | Purpose |
---|---|---|---|---|
5432 | TCP, UDP | Red Hat Virtualization Manager | PostgreSQL database server | Default port for PostgreSQL database connections. |