Jeremy Utley wrote:
Hello all on the list.

First off, if this is documented somewhere I'm not aware of, I apologize
for the noise.  I've spent a couple of hours searching Google
without success, so pointers to any documentation I've missed would be
greatly appreciated!

We're in the process of setting up a FreeIPA system within our
ultra-secure PCI zone.  It's currently working well, and we are very
happy with it.  However, we know that come our next audit, we're going
to get hit on a few things, so I would like to ask about blocking off
some additional ports (specifically 80, 389, 53).  53 I think will be
safe to block off, as all our clients actually use a dedicated caching
DNS system with unbound, which has been configured to forward all
queries for the zone "ipa.domain.com" to the
FreeIPA servers, so we should be able to block 53 from everywhere but
the unbound servers without breakage.

However, port 80 and 389 I'm not so sure about.  I know most things that
hit port 80 get redirected to 443, and 389 provides STARTTLS
functionality, but in theory, these ports can provide unencrypted
communications, and therefore our auditors will ask that they be closed
off.  However, in my research so far, I have not been able to find out
what the ramifications would be to blocking these ports for the IPA
system itself (would it fall back to using SSL on 636? Would API calls
fail if port 80 is closed?).

I also know that the ipa-client-install script will check to ensure
these ports are open - temporarily opening them for the client setup
will not be an issue, if we can close it back down after that.  We do
not add systems within this zone very often, so this is a minor issue.

Thanks for any advice you can give!

Jeremy
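The two pieces of configuration the question describes (an unbound forward-zone that sends "ipa.domain.com" to the FreeIPA servers, and host firewall rules on the IPA server that allow 53 only from the unbound resolvers and close 80 and 389) can be generated and sanity-checked with the script below. It is an added example, not code from the thread or from the FreeIPA project; the addresses are constructed, and the "port389_peers" allowlist is an assumption for any host that turns out to still need plain-port LDAP. It does not answer the question of whether IPA itself breaks when 389 or 80 is closed; that is what the reply's link is about.

```python
"""Generate the unbound forward-zone and nftables rules described in the post."""
import ipaddress
from typing import Iterable, List, Sequence

# Constructed sample addresses (assumptions, not from the thread):
# the two unbound caching resolvers, the FreeIPA servers they forward to,
# and one peer that is assumed to still need plain-port LDAP on 389.
UNBOUND_SERVERS = ["10.10.1.6", "10.10.1.5"]
IPA_SERVERS = ["10.10.3.21", "10.10.3.22"]
PORT389_PEERS = ["10.10.3.22"]
IPA_ZONE = "ipa.domain.com"


def _ipv4_list(addrs: Iterable[str]) -> List[str]:
    """Validate, de-duplicate and sort IPv4 addresses; reject anything else."""
    seen = set()
    for a in addrs:
        ip = ipaddress.ip_address(a.strip())  # ValueError on garbage
        if ip.version != 4:
            raise ValueError(f"IPv4 only in this example: {a}")
        seen.add(ip)
    return [str(ip) for ip in sorted(seen)]


def unbound_forward_zone(zone: str, ipa_servers: Sequence[str]) -> str:
    """unbound.conf stanza forwarding one zone to the IPA servers."""
    lines = ["forward-zone:", f'    name: "{zone}"']
    lines += [f"    forward-addr: {ip}" for ip in _ipv4_list(ipa_servers)]
    return "\n".join(lines) + "\n"


def nft_ruleset(unbound_servers: Sequence[str],
                port389_peers: Sequence[str] = ()) -> str:
    """nftables ruleset for the IPA server: 53 only from unbound, 389 only
    from listed peers, 80 from nobody.  The chain policy stays 'accept' so
    nothing the server already allows (443, 636, 88, ...) is touched; only
    the restrictions the post asks about are added."""
    resolvers = _ipv4_list(unbound_servers)
    if not resolvers:
        raise ValueError("at least one unbound server is required")
    peers = _ipv4_list(port389_peers)

    out = ["table inet ipa_extra {"]
    out += ["    set unbound_servers {", "        type ipv4_addr",
            f"        elements = {{ {', '.join(resolvers)} }}", "    }"]
    if peers:  # nft rejects an empty 'elements' list, so omit the set entirely
        out += ["    set port389_peers {", "        type ipv4_addr",
                f"        elements = {{ {', '.join(peers)} }}", "    }"]
    out += ["    chain input {",
            "        type filter hook input priority 0; policy accept;",
            # replies to the server's own outbound connections are never
            # caught by the drops below
            "        ct state established,related accept",
            # 'ip saddr' in an inet table matches IPv4 only; IPv6 queries
            # to 53 therefore fall through to the drop lines
            "        ip saddr @unbound_servers udp dport 53 accept",
            "        ip saddr @unbound_servers tcp dport 53 accept",
            "        udp dport 53 drop",
            "        tcp dport 53 drop"]
    if peers:
        out.append("        ip saddr @port389_peers tcp dport 389 accept")
    out += ["        tcp dport { 80, 389 } drop", "    }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(unbound_forward_zone(IPA_ZONE, IPA_SERVERS))
    print(nft_ruleset(UNBOUND_SERVERS, PORT389_PEERS))
```

Load the ruleset with `nft -f` and the forward-zone stanza goes into unbound.conf on the caching resolvers; since the chain policy is accept, the script only adds drops and does not replace whatever firewall the IPA server already has, so it is safe to apply and back out while watching whether anything on the IPA side still needs 389 or 80.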



See this thread from earlier this week, https://www.redhat.com/archives/freeipa-users/2016-March/msg00295.html

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
