On 11/22/2011 04:24 PM, Steven Jones wrote:
> Hi,
>
> I suppose we can break this down into sections based on the components.
>
> For instance, the inter-IPA server port communication is covered off
> well... it needs 7389 for day-to-day communication, but needs ports 9443 to
> 9445 for the setup, so I can do a task for that aspect (which I did).
> However, that isn't on page 10; it's deeper into the doc. I don't like
> repeating info in a doc multiple times, so I'd suggest page 10 mentions the
> above and tells you where to look.
>
> I would suggest that something similar is needed for client to server...
> for instance, is 9446 needed, as well as 80 and 443? What actual ports will
> an IPA-enabled client use to talk to IPA? i.e. does it need 389, 636, 88
> and 464, or does it just use 636 and 464 (say)? Non-IPA clients, what do
> they use? So if I'm Red Hat only, IPA-enabled only, I open up fewer
> ports... the second I want Ubuntu and Mac I have to open up more.
>
> Looks like we have, or can imply, enough info for server to external
> services/communications... so we need DNS and NTP to be open... from page 10.
>
> Admin use... so ssh, and 443, 80? When you run kinit admin, that talks
> over what ports? 88 and 464? Is 9445 used for admin?
>
> It may be better to have "visio" diagram(s). A protocol diagram is in the
> as-built I sent you, section 4.1.
>
> NB I also write an IPTABLES ruleset before I build the server/workstation,
> and that gets carried over via Kickstart/Satellite and activated on build. So
> once it's built I then find that, oh, I missed one... I use subversion to hold
> each server's iptables firewall; I have to go back and edit that file so in a
> DR or OR situation it's all up to date...
>

Added pointer to your mail to the bug.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Wednesday, 23 November 2011 9:49 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Improvement to documentation needed for
> firewalling pls.
>
> On 11/22/2011 03:24 PM, Steven Jones wrote:
>> Hi,
>>
>> I don't find out until I run the script... it's a bit late. I then have to
>> raise more change controls and wait. Also, for any application deployment I
>> have to do a [security] design and say what is opened, why, and if any
>> sensitive data is transmitted, so I really need this info before I touch a
>> server at all. For instance, a user id and password is classed as sensitive,
>> so it has to be encrypted... by some acceptable standard method, and it has
>> to be adequately encrypted... So the security portion of the design can
>> take weeks to get signed off... if I've missed anything serious I may have
>> to re-write and submit. We end up doing this frequently... sometimes we
>> even reject a vendor's product because we find it has a fundamental security
>> flaw...
> What would be helpful is to turn this into Q&A. Can you formulate a set
> of questions a little bit more granular than "Which ports I need to open
> when and why"?
>
>
>> like it's transmitting plain text passwords or even storing/caching them
>> locally in plain text... not that uncommon...
>>
> True. But we do not do that except AFAIK one case - password for the CA
> DS instance which is stored locally in the config file available to root
> only.
> But I may be wrong. Is there anything else? Does anyone know?
>
>> ________________________________________
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
>> behalf of Dmitri Pal [d...@redhat.com]
>> Sent: Wednesday, 23 November 2011 9:04 a.m.
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Improvement to documentation needed for
>> firewalling pls.
>>
>> On 11/22/2011 02:58 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> 2.1.3.4 page 10 lists ports but not what happens with them...
>>>
>>> For instance, I am now in a very secure environment and find when I do an
>>> ipa-client-install the client connects to port 80 and retrieves a
>>> ca.crt... now I have to wait 3 days to get port 80 opened up to the
>>> IPA server(s).
>>>
>>> If I had better docs then I could make the request beforehand...
>>>
>>> This of course is the first failure... if, say, I find that the
>>> ipa-client-install script uses 443 next, I will have to wait another 3
>>> days... if I find there are 4 undocumented port calls to get a client
>>> install to work... well, it's a week to 2 weeks' wait...
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> When you install IPA the output of the installation lists all the ports
>> that you need to open and for what service: DNS, Kerberos, LDAP etc.
>> Is this not enough? What level of detail are you looking for?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
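As an added example, not code from this thread or from the FreeIPA project, here is the kind of pre-build iptables allow-list Steven describes keeping in version control, generated from the ports named in the thread. The service labels attached to each port, the client-facing versus server-to-server split, and the CIDR arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): pre-build iptables allow-list
# built from the ports named in this thread; labels and client/peer split are assumptions.

# Client-facing ports as "proto port label" (constructed table)
IPA_CLIENT_PORTS="
tcp 80 http-ca-cert
tcp 443 https-ui-xmlrpc
tcp 389 ldap
tcp 636 ldaps
tcp 88 kerberos
udp 88 kerberos
tcp 464 kpasswd
udp 464 kpasswd
tcp 53 dns
udp 53 dns
udp 123 ntp
"

# Server-to-server ports (replication, CA setup) allowed only from IPA peers
IPA_PEER_PORTS="
tcp 7389 replication
tcp 9443 ca-setup
tcp 9444 ca-setup
tcp 9445 ca-setup
"

# emit_rules SRC_CIDR TABLE: one ACCEPT rule per row, commented with its label
emit_rules() {
  src=$1
  printf '%s\n' "$2" | while read -r proto port label; do
    [ -n "$proto" ] || continue   # skip the blank rows around the table
    printf 'iptables -A INPUT -s %s -p %s --dport %s -m comment --comment "%s" -j ACCEPT\n' \
      "$src" "$proto" "$port" "$label"
  done
}

# ipa_firewall CLIENT_CIDR PEER_CIDR: the full ruleset, ready to commit before the build
ipa_firewall() {
  emit_rules "$1" "$IPA_CLIENT_PORTS"
  emit_rules "$2" "$IPA_PEER_PORTS"
}

# rule_count CLIENT_CIDR PEER_CIDR: number of ACCEPT rules in the generated set
rule_count() { ipa_firewall "$1" "$2" | wc -l | tr -d ' '; }

# port_allowed PROTO PORT CLIENT_CIDR PEER_CIDR: succeeds only if the set opens PROTO/PORT
port_allowed() { ipa_firewall "$3" "$4" | grep -- "-p $1 --dport $2 " >/dev/null; }
```

Run `ipa_firewall 10.0.0.0/8 10.0.1.0/24 > ipa-server.iptables` to produce the file to keep under version control; `port_allowed` answers the "did I miss one?" question before the change request goes in.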