Linux firewall example use cases

This topic contains several example use cases for opening additional ports in the firewall. Each example shows how to add new rules to the Packet filtering IP table on the Linux Firewall page of the Web Administration Interface to enable access to additional ports on the appliance.

Configure a new HTTP port

This example shows how to add a rule to the Incoming packets (INPUT) table to open a new HTTP port 8085 to accept incoming traffic on the appliance. To open a different port, replace 8085 in the following steps:

  1. Click the Add Rule button at the bottom right of the Incoming packets (INPUT) table to display the Add Rule page.
  2. In the Chain and action details section, enter a comment to identify the use for the rule. For example, HTTP port 8085.

     Figure: Add rule chain and action details

  3. In the Action to take field, select the Accept option.
  4. Scroll down to the Condition details section. This enables you to restrict traffic based on a number of conditions. In this example, you need only to open the 8085 port without restrictions, so most of these options can use the default settings.

     Figure: Add rule conditions

  5. In the Network protocol field, select Equals and TCP.
  6. In the Destination TCP or UDP port field, select Equals and Port(s). Enter 8085 in the text box.
  7. In the Connection states field, select Equals and New connection(NEW).
  8. Scroll down, and click the Save button at the bottom left of the page. This brings you back to the main page, and your new rule should be displayed at the bottom of the Incoming packets (INPUT) table.
  9. Click the up arrow in the Move column next to the new rule so that the new rule is above the Reject Always rule.
  10. Click the Apply Configuration button at the bottom of the page to allow these updates to take effect.

Allow JMX connections to the API Gateway

In this example, the API Gateway has been configured to allow remote Java Management eXtensions (JMX) monitoring on port 8887. Although the port for the JMX connection is specified as 8887, this port is used for the Java Remote Method Invocation (RMI) registry only (and is the port specified when connecting with JConsole). JMX opens another, randomly chosen port to export the JMX RMI connection objects. There is no way to know in advance which port will be used, and therefore which port to open on the firewall.

The easiest way to provide access through the firewall is to add a rule to the Incoming packets (INPUT) table to allow access to any port from a particular IP address (the address of your client), or an IP address range (for example, the subnet of your client). In this example, the client IP address is 192.168.0.100.

Perform the following steps:

  1. Click the Add Rule button at the bottom right of the rule table to display the Add Rule page.
  2. In the Chain and action details section, you can enter a comment to identify the use for the rule. For example, this could be Allow connections from 192.168.0.100 for JMX.
  3. In the Action to take field, click the Accept option.
  4. Scroll down to the Condition details section. This enables you to restrict traffic based on a number of conditions. In this example, you need only to allow 192.168.0.100 to connect without restrictions, so most of these options can use the default settings.
  5. In the Source address or network field, select Equals, and enter the IP address in the text box. In this example, only 192.168.0.100 is allowed access. However, you could allow access to any address in the 192.168.0.0-255 range by entering 192.168.0.0/24.
  6. Scroll down, and click the Save button at the bottom left of the page. This brings you back to the main page, and your new rule should be displayed at the bottom of the Incoming packets (INPUT) table.
  7. Click the up arrow in the Move column next to the new rule so that the new rule is above the Reject Always rule.
  8. Click the Apply Configuration button at the bottom of the page to allow these updates to take effect.

Configure the firewall for distributed caching

Distributed caching on the API Gateway uses RMI to transfer the data between each node in the distributed cache. RMI has a fixed listener port that can be opened easily, but unfortunately for the configuration of the firewall, it also sets up random ports for further communication and data transfer between nodes. This leads to a similar solution as for the JMX example, where packets from a specified IP address or address range are accepted through the firewall. For automatic peer discovery, it is likely best to use an IP address range or subnet. In this example, the 192.168.0.0/24 subnet (netmask 255.255.255.0) is allowed access to any port on the appliance.

Perform the following steps:

  1. Click the Add Rule button at the bottom right of the Incoming packets (INPUT) table to display the Add Rule page.
  2. In the Chain and action details section, you can enter a comment to identify the use for the rule. For example, this could be Allow connections from 192.168.0.0/24 for distributed caching.
  3. In the Action to take field, click the Accept option.
  4. Scroll down to the Condition details section. This enables you to restrict traffic based on a number of conditions. In this example, you need only to allow the 192.168.0.0/24 subnet to connect without restrictions, so most of these options can use the default settings.
  5. In the Source address or network field, select Equals and enter the address range in the text box. In this example, enter 192.168.0.0/24.
  6. Scroll down, and click the Save button at the bottom left of the page. This brings you back to the main page, and your new rule should be displayed at the bottom of the Incoming packets (INPUT) table.
  7. Click the up arrow in the Move column next to the new rule so that the new rule is above the Reject Always rule.
  8. Click the Apply Configuration button at the bottom of the page to allow these updates to take effect.

Connect to CA SiteMinder

Communication with a CA SiteMinder Policy Server also involves connections to random ports on the appliance. This leads to a similar solution as for the JMX example, where packets from a specified IP address or address range are accepted through the firewall. In this example, the IP address of the SiteMinder Policy Server is 192.168.0.100. This IP address is allowed access to any port on the appliance.

Perform the following steps:

  1. Click the Add Rule button at the bottom right of the Incoming packets (INPUT) table to display the Add Rule page.
  2. In the Chain and action details section, you can enter a comment to identify the use for the rule. For example, this could be Allow connections from 192.168.0.100 for SiteMinder PS.
  3. In the Action to take field, click the Accept option.
  4. Scroll down to the Condition details section. This enables you to restrict traffic based on a number of conditions. In this example, you need only to allow 192.168.0.100 to connect without restrictions, so most of these options can use the default settings.
  5. In the Source address or network field, select Equals and enter the IP address in the text box. In this example, enter 192.168.0.100.
  6. Scroll down, and click the Save button at the bottom left of the page. This brings you back to the main page, and your new rule should be displayed at the bottom of the Incoming packets (INPUT) table.
  7. Click the up arrow in the Move column next to the new rule so that the new rule is above the Reject Always rule.
  8. Click the Apply Configuration button at the bottom of the page to allow these updates to take effect.

Connect to a RADIUS server

Communication with a Remote Authentication Dial In User Service (RADIUS) server also involves connections to random ports on the appliance. This leads to a similar solution as for the JMX example, where packets from a specified IP address or address range are accepted through the firewall. In this example, the IP address of the RADIUS server is 192.168.0.100. This IP address is allowed access to any port on the appliance.

Perform the following steps:

  1. Click the Add Rule button at the bottom right of the Incoming packets (INPUT) table to display the Add Rule page.
  2. In the Chain and action details section, you can enter a comment to identify the use for the rule. For example, this could be Allow connections from 192.168.0.100 for Radius.
  3. In the Action to take field, click the Accept option.
  4. Scroll down to the Condition details section. This enables you to restrict traffic based on a number of conditions. In this example, you need only to allow 192.168.0.100 to connect without restrictions, so most of these options can use the default settings.
  5. In the Source address or network field, select Equals and enter the IP address in the text box. In this example, enter 192.168.0.100.
  6. Scroll down, and click the Save button at the bottom left of the page. This brings you back to the main page, and your new rule should be displayed at the bottom of the Incoming packets (INPUT) table.
  7. Click the up arrow in the Move column next to the new rule so that the new rule is above the Reject Always rule.
  8. Click the Apply Configuration button at the bottom of the page to allow these updates to take effect.
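All of the procedures above (the HTTP port rule and the four source-address rules) end with the same step: move the new rule above Reject Always, because the INPUT table is evaluated top to bottom and the first match decides. The following Python model is an added example, not code from the page or the appliance, that replays the page's rules through a first-match evaluator to check that ordering; the rule field names, the chain's default policy and the sample packets are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the appliance's Incoming packets (INPUT) table. Rule
# fields mirror the Add Rule page conditions (assumed names); an unset field
# means "no restriction", like leaving the condition at its default setting.
def make_rule(comment, action, source=None, proto=None, dport=None, state=None):
    return {"comment": comment, "action": action, "source": source,
            "proto": proto, "dport": dport, "state": state}

def pkt(src, dport, proto="tcp", state="NEW"):
    return {"src": src, "dport": dport, "proto": proto, "state": state}

def matches(rule, packet):
    """True when every condition that is set on the rule matches the packet."""
    if rule["source"] and ip_address(packet["src"]) not in ip_network(rule["source"]):
        return False
    return all(rule[k] is None or rule[k] == packet[k] for k in ("proto", "dport", "state"))

def evaluate(table, packet):
    """First-match evaluation, top to bottom, as the INPUT chain is processed."""
    for rule in table:
        if matches(rule, packet):
            return rule["action"], rule["comment"]
    return "DROP", "chain policy"  # nothing matched: assumed default policy

def unreachable_rules(table):
    """Comments of rules placed below an unconditional rule; they can never fire."""
    shadowed, catch_all_seen = [], False
    for rule in table:
        if catch_all_seen:
            shadowed.append(rule["comment"])
        if not any(rule[k] for k in ("source", "proto", "dport", "state")):
            catch_all_seen = True
    return shadowed

# The rules from the page's examples plus the appliance's Reject Always rule.
REJECT_ALWAYS = make_rule("Reject Always", "REJECT")
HTTP_8085 = make_rule("HTTP port 8085", "ACCEPT", proto="tcp", dport=8085, state="NEW")
JMX_CLIENT = make_rule("Allow connections from 192.168.0.100 for JMX", "ACCEPT",
                       source="192.168.0.100")
CACHE_SUBNET = make_rule("Allow connections from 192.168.0.0/24 for distributed caching",
                         "ACCEPT", source="192.168.0.0/24")

# After the Move step: accept rules sit above Reject Always.
GOOD_TABLE = [HTTP_8085, JMX_CLIENT, CACHE_SUBNET, REJECT_ALWAYS]
# Before the Move step: the new rule is appended below Reject Always and is dead.
UNMOVED_TABLE = [REJECT_ALWAYS, HTTP_8085]
```

Running `unreachable_rules` over the saved table is a quick way to catch a rule that was saved but never moved; note that the source-only rules admit every port and protocol from the listed host or subnet, which is why the comment and the source value deserve a second look before Apply Configuration.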