Firewall & Required Ports
Tenantos is designed to be secure right out of the box, with only essential ports open by default. If you are considering manually setting up a firewall, this guide highlights the crucial ports to keep in mind.
Required Ports
The main server acts as an agent as well, which means the port requirements for both the main server and the agents are the same. However, if you don't use the agent functionality on the main server, the TFTP and DHCP ports can be closed.
Protocol | Port | Purpose |
---|---|---|
TCP | 80, 443 | Webserver |
TCP | 10000-12000 | Agent Communication |
TCP | 22* | SSH |
UDP | 69 | TFTP |
UDP | 67 | DHCP |
TCP + UDP | 139, 445 | Samba |
* Note: Altering the SSH port requires an update on the remote agents page. Keep in mind, the main server functions as an agent too.
The main server needs to communicate with the agents via SSH, HTTP, and HTTPS. On the other hand, remote agents must be able to connect to the main server using HTTPS.
Clients never directly connect to the agents. Instead, they connect to the main server, which then forwards the connection to the agent if necessary (e.g., for consoles). However, servers may communicate with agents during installations, and network devices communicate with agents if the connection is delegated to the agent.
Notes about Samba
The Samba port is closed by default. When a PXE boot is started that requires Samba, the system will automatically whitelist the IP address of the server to allow access to Samba. After the PXE boot is completed, the IP address is removed from the whitelist.
Notes about Docker
It is important not to modify the default iptables rules of Docker. If you set up your own firewall, it's recommended to start an IPMI-KVM session afterward to ensure Docker networking remains operational.
If Docker networking is not working, execute systemctl restart docker
to restore the iptables rules.
Notes about SSH
In certain scenarios, the Tenantos main server establishes SSH connections to remote agents using SSH keys. It is possible to change the SSH port of the remote agent by modifying the sshd configuration. However, any changes made to the SSH port must be mirrored on the remote agents page.
During the installation phase of new agents, password authentication is necessary but can be deactivated subsequently.