On Fri, Apr 1, 2016 at 2:57 PM, Rob Crittenden <[email protected]> wrote:
> Jeremy Utley wrote:
>
>> Hello all on the list.
>>
>> First off, if this is documented somewhere I'm not aware of, I apologize
>> for the noise. I've spent a couple of hours google searching without
>> success, so pointers to any documentation I've missed would be greatly
>> appreciated!
>>
>> We're in the process of setting up a FreeIPA system within our
>> ultra-secure PCI zone. It's currently working well, and we are very
>> happy with it. However, we know that come our next audit, we're going
>> to get hit on a few things, so I would like to ask about blocking off
>> some additional ports (specifically 80, 389, 53). 53 I think will be
>> safe to block off, as all our clients actually use a dedicated caching
>> DNS system with unbound, which has been configured to forward all
>> queries for the zone "ipa.domain.com" to the FreeIPA servers, so we
>> should be able to block 53 from everywhere but the unbound servers
>> without breakage.
>>
>> However, port 80 and 389 I'm not so sure about. I know most things that
>> hit port 80 get redirected to 443, and 389 provides STARTTLS
>> functionality, but in theory, these ports can provide unencrypted
>> communications, and therefore our auditors will ask that they be closed
>> off. However, in my research so far, I have not been able to find out
>> what the ramifications would be to blocking these ports for the IPA
>> system itself (would it fall back to using SSL on 636? Would API calls
>> fail if port 80 is closed?).
>>
>> I also know that the ipa-client-install script will check to ensure
>> these ports are open - temporarily opening them for the client setup
>> will not be an issue, if we can close it back down after that. We do
>> not add systems within this zone very often, so this is a minor issue.
>>
>> Thanks for any advice you can give!
>>
>> Jeremy
>>
>>
>
> See this thread from earlier this week,
> https://www.redhat.com/archives/freeipa-users/2016-March/msg00295.html
>
> rob
>

Thank you, Rob! I think that will answer my questions, and hopefully the auditors!

Jeremy
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
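The one port the thread itself settles is 53: the poster's clients resolve through dedicated unbound forwarders, so DNS on the IPA servers only needs to be reachable from those resolvers. The script below is an added example of how that restriction looks with firewalld rich rules; it is not code from the thread or from the FreeIPA project. The zone name, the resolver addresses and the assumption that the IPA host currently exposes DNS via firewalld's generic `dns` service are all constructed for the example. Ports 80 and 389 are deliberately left alone here, since the thread defers their ramifications to the linked discussion. With `DRY_RUN=1` (the default) the script only prints the `firewall-cmd` invocations, so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeIPA project:
# restrict the IPA DNS listener (port 53) to the unbound caching resolvers
# using firewalld rich rules. Addresses and zone are constructed placeholders.
# DRY_RUN=1 prints the firewall-cmd invocations; DRY_RUN=0 executes them.

DRY_RUN="${DRY_RUN:-1}"
ZONE="${ZONE:-public}"
# Constructed example addresses of the unbound forwarders (space separated).
UNBOUND_RESOLVERS="${UNBOUND_RESOLVERS:-10.10.0.11/32 10.10.0.12/32}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build one rich rule that accepts port 53 over protocol $2 (udp|tcp)
# from source $1 only.
dns_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="53" protocol="%s" accept' "$1" "$2"
}

# Replace the blanket "dns" service (53 open to every source in the zone)
# with one accept rule per resolver and protocol. Anything else hitting 53
# then falls through to the zone's default handling.
restrict_dns() {
    run firewall-cmd --permanent --zone="$ZONE" --remove-service=dns
    for src in $UNBOUND_RESOLVERS; do
        for proto in udp tcp; do
            run firewall-cmd --permanent --zone="$ZONE" \
                --add-rich-rule="$(dns_rich_rule "$src" "$proto")"
        done
    done
    run firewall-cmd --reload
}

# After applying, list the active rich rules to confirm only the resolver
# sources are permitted on 53.
show_dns_rules() {
    run firewall-cmd --zone="$ZONE" --list-rich-rules
}

restrict_dns
show_dns_rules
```

The check that matters afterwards is the one `show_dns_rules` performs: the rich-rule list for the zone should contain exactly one accept entry per resolver and protocol, and the `dns` service should no longer appear in `firewall-cmd --zone=public --list-services`. A resolver address that is missing here shows up as clients in that zone silently failing to resolve the IPA domain, so the resolver list is worth keeping next to the unbound forward-zone configuration it mirrors.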
