Red Hat Training

A Red Hat training course is available for Red Hat Virtualization

2.3. Firewalls

2.3.1. Red Hat Virtualization Manager Firewall Requirements

The Red Hat Virtualization Manager requires that a number of ports be opened to allow network traffic through the system's firewall. The engine-setup script can configure the firewall automatically, but this overwrites any pre-existing firewall configuration.
Where an existing firewall configuration exists, you must manually insert the firewall rules required by the Manager instead. The engine-setup command saves a list of the iptables rules required in the /usr/share/ovirt-engine/conf/iptables.example file.
The firewall configuration documented here assumes a default configuration. Where non-default HTTP and HTTPS ports are chosen during installation, adjust the firewall rules to allow network traffic on the ports that were selected - not the default ports (80 and 443) listed here.

Table 2.7. Red Hat Virtualization Manager Firewall Requirements

Port(s) Protocol Source Destination Purpose
- ICMP
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Red Hat Virtualization Manager
When registering to the Red Hat Virtualization Manager, virtualization hosts send an ICMP ping request to the Manager to confirm that it is online.
22 TCP
System(s) used for maintenance of the Manager including backend configuration, and software upgrades.
Red Hat Virtualization Manager
Secure Shell (SSH) access.
Optional.
2222 TCP
Clients accessing virtual machine serial consoles.
Red Hat Virtualization Manager
Secure Shell (SSH) access to enable connection to virtual machine serial consoles.
80, 443 TCP
Administration Portal clients
User Portal clients
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
REST API clients
Red Hat Virtualization Manager
Provides HTTP and HTTPS access to the Manager.
6100 TCP
Administration Portal clients
User Portal clients
Red Hat Virtualization Manager
Provides websocket proxy access for web-based console clients (noVNC and spice-html5) when the websocket proxy is running on the Manager. If the websocket proxy is running on a different host, however, this port is not used.
7410 UDP
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Red Hat Virtualization Manager
Must be open for the Manager to receive Kdump notifications.

Important

In environments where the Red Hat Virtualization Manager is also required to export NFS storage, such as an ISO Storage Domain, additional ports must be allowed through the firewall. Grant firewall exceptions for the ports applicable to the version of NFS in use:

NFSv4

  • TCP port 2049 for NFS.

NFSv3

  • TCP and UDP port 2049 for NFS.
  • TCP and UDP port 111 (rpcbind/sunrpc).
  • TCP and UDP port specified with MOUNTD_PORT="port"
  • TCP and UDP port specified with STATD_PORT="port"
  • TCP port specified with LOCKD_TCPPORT="port"
  • UDP port specified with LOCKD_UDPPORT="port"
The MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, and LOCKD_UDPPORT ports are configured in the /etc/sysconfig/nfs file.

2.3.2. Hypervisor Firewall Requirements

Red Hat Enterprise Linux hosts and Red Hat Virtualization Hosts (RHVH) require a number of ports to be opened to allow network traffic through the system's firewall. In the case of the Red Hat Virtualization Host these firewall rules are configured automatically. For Red Hat Enterprise Linux hosts however it is necessary to manually configure the firewall.

Table 2.8. Virtualization Host Firewall Requirements

Port(s) Protocol Source Destination Purpose
22 TCP
Red Hat Virtualization Manager
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Secure Shell (SSH) access.
Optional.
2223 TCP
Red Hat Virtualization Manager
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Secure Shell (SSH) access to enable connection to virtual machine serial consoles.
161 UDP
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Red Hat Virtualization Manager
Simple network management protocol (SNMP). Only required if you want Simple Network Management Protocol traps sent from the host to one or more external SNMP managers.
Optional.
5900 - 6923 TCP
Administration Portal clients
User Portal clients
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Remote guest console access via VNC and SPICE. These ports must be open to facilitate client access to virtual machines.
5989 TCP, UDP
Common Information Model Object Manager (CIMOM)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Used by Common Information Model Object Managers (CIMOM) to monitor virtual machines running on the host. Only required if you want to use a CIMOM to monitor the virtual machines in your virtualization environment.
Optional.
9090 TCP
Red Hat Virtualization Manager
Client machines
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Cockpit user interface access.
Optional.
16514 TCP
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Virtual machine migration using libvirt.
49152 - 49216 TCP
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Virtual machine migration and fencing using VDSM. These ports must be open facilitate both automated and manually initiated migration of virtual machines.
54321 TCP
Red Hat Virtualization Manager
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
VDSM communications with the Manager and other virtualization hosts.

2.3.3. Directory Server Firewall Requirements

Red Hat Virtualization requires a directory server to support user authentication. A number of ports must be opened in the directory server's firewall to support GSS-API authentication as used by the Red Hat Virtualization Manager.

Table 2.9. Host Firewall Requirements

Port(s) Protocol Source Destination Purpose
88, 464 TCP, UDP
Red Hat Virtualization Manager
Directory server
Kerberos authentication.
389, 636 TCP
Red Hat Virtualization Manager
Directory server
Lightweight Directory Access Protocol (LDAP) and LDAP over SSL.

2.3.4. Database Server Firewall Requirements

Red Hat Virtualization supports the use of a remote database server. If you plan to use a remote database server with Red Hat Virtualization then you must ensure that the remote database server allows connections from the Manager.

Table 2.10. Host Firewall Requirements

Port(s) Protocol Source Destination Purpose
5432 TCP, UDP
Red Hat Virtualization Manager
PostgreSQL database server
Default port for PostgreSQL database connections.
If you plan to use a local database server on the Manager itself, which is the default option provided during installation, then no additional firewall rules are required.