[Freeipa-users] Re: firewall - masters VS clients
On 15/06/2023 16:41, Alexander Bokovoy wrote: On Thu, 15 Jun 2023, lejeczek via FreeIPA-users wrote: On 15/06/2023 15:33, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: Hi guys. Are there any ports/services which clients do not need and which can be exclusively allowed only to/between masters/replicas access? This has been asked and answered many times on the list. See https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/5OFGFDA2INO6GVNNHGCUHYQDALZMS4JO/#W3RMF2SSARWAASYW2KI64T2DDFGXBSXI for example. rob Many thanks. Might I dare to suggest - there are not many as complex as IPA programs(?) accompanied by documentation as good IPA is - an addition? of something like ipa-firewall, IPA is bit "stingy" on that front and a short & concise (with perhaps a short highlight on: master <-- master VS <--client -- if there are differences which I failed to find explained in those links) -- small man-page will go a long way, I have no doubts. Everybody knows that admins worth their souls go there first - sroogling can't compare - and nobody can put a better manual than the authors, obviously. There are multiple places in the RHEL IdM documentation that talks about protocols flow and firewalls/ports. For example, below are sections related to integration with Active Directory: Troubleshooting client access to services in the other forest: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management#assembly_troubleshooting-client-access-to-services-in-the-other-forest_installing-trust-between-idm-and-ad Ports required for communication between IdM and AD: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management#ports-required-for-communication-between-idm-and-ad_installing-trust-between-idm-and-ad There are also sections related to ports for normal installation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/preparing-the-system-for-ipa-server-installation_installing-identity-management#port-requirements-for-idm_preparing-the-system-for-ipa-server-installation These all were taken from my original draft that I shared here multiple times: https://vda.li/drafts/firewall-considerations.txt Apologies, I did not get my point across well or could be that not at all - "stingy" on man-pages front - IPA I said had very good documentation - an addition of ipa-firewall man page(s) was my suggestion. Sroogling over the Internet is okey but most - all admins I'd like to believe - of us go to man pages first. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: firewall - masters VS clients
On Thu, 15 Jun 2023, lejeczek via FreeIPA-users wrote: On 15/06/2023 15:33, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: Hi guys. Are there any ports/services which clients do not need and which can be exclusively allowed only to/between masters/replicas access? This has been asked and answered many times on the list. See https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/5OFGFDA2INO6GVNNHGCUHYQDALZMS4JO/#W3RMF2SSARWAASYW2KI64T2DDFGXBSXI for example. rob Many thanks. Might I dare to suggest - there are not many as complex as IPA programs(?) accompanied by documentation as good IPA is - an addition? of something like ipa-firewall, IPA is bit "stingy" on that front and a short & concise (with perhaps a short highlight on: master <-- master VS <--client -- if there are differences which I failed to find explained in those links) -- small man-page will go a long way, I have no doubts. Everybody knows that admins worth their souls go there first - sroogling can't compare - and nobody can put a better manual than the authors, obviously. There are multiple places in the RHEL IdM documentation that talks about protocols flow and firewalls/ports. For example, below are sections related to integration with Active Directory: Troubleshooting client access to services in the other forest: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management#assembly_troubleshooting-client-access-to-services-in-the-other-forest_installing-trust-between-idm-and-ad Ports required for communication between IdM and AD: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management#ports-required-for-communication-between-idm-and-ad_installing-trust-between-idm-and-ad There are also sections related to ports for normal installation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/preparing-the-system-for-ipa-server-installation_installing-identity-management#port-requirements-for-idm_preparing-the-system-for-ipa-server-installation These all were taken from my original draft that I shared here multiple times: https://vda.li/drafts/firewall-considerations.txt regards & thanks, L. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: firewall - masters VS clients
On 15/06/2023 15:33, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: Hi guys. Are there any ports/services which clients do not need and which can be exclusively allowed only to/between masters/replicas access? This has been asked and answered many times on the list. See https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/5OFGFDA2INO6GVNNHGCUHYQDALZMS4JO/#W3RMF2SSARWAASYW2KI64T2DDFGXBSXI for example. rob Many thanks. Might I dare to suggest - there are not many as complex as IPA programs(?) accompanied by documentation as good IPA is - an addition? of something like ipa-firewall, IPA is bit "stingy" on that front and a short & concise (with perhaps a short highlight on: master <-- master VS <--client -- if there are differences which I failed to find explained in those links) -- small man-page will go a long way, I have no doubts. Everybody knows that admins worth their souls go there first - sroogling can't compare - and nobody can put a better manual than the authors, obviously. regards & thanks, L. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: firewall - masters VS clients
lejeczek via FreeIPA-users wrote: > Hi guys. > > Are there any ports/services which clients do not need and which can be > exclusively allowed only to/between masters/replicas access? This has been asked and answered many times on the list. See https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/5OFGFDA2INO6GVNNHGCUHYQDALZMS4JO/#W3RMF2SSARWAASYW2KI64T2DDFGXBSXI for example. rob ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
