Red Hat SummitFirewall Rules for Red Hat OpenStack Platform
List of required ports and protocols.
Abstract
1. Firewall Rules for Red Hat OpenStack Platform
This article describes the firewall configuration created by the director for Red Hat OpenStack Platform. These ports are required for services running on the overcloud.
It is recommended that you test service connectivity before moving your deployment into production. As part of this process, consider checking for any dropped traffic on all intermediary firewalls.
In the tables below, certain port numbers are formatted as variables, such as IronicIPXEPort. These port numbers will be specific to your deployment and will have been defined in your environment files.
1.1. Reviewing firewall rules for Composable Roles
Red Hat OpenStack Platform director allows you to customize where certain OpenStack services are deployed. For example, you could deploy a standalone node that runs only the Identity Service (keystone). For more information, see the Composable Roles documentation: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/advanced_overcloud_customization/roles
2. Review the firewall rules for each role
Consider segmenting the network traffic that passes between standalone roles. For example, some deployments might want to use granular firewall rules to restrict traffic between standalone keystone nodes, or from one keystone node to a standalone Compute node. This approach would also be useful for spine-leaf networks, where the router can also be used to apply granular firewall rules.
To begin segmenting traffic for standalone roles, you will need to identify the firewall rules apply to each role. You can determine this by reviewing the services assigned to the role. Each service file in tripleo-heat-templates/puppet/services/* has an entry named tripleo.<service>.firewall_rules which describes the ports required for that service. You can extract this information from the templates using the following command:
find -L /usr/share/openstack-tripleo-heat-templates/ -type f | while read f;do if `grep -q firewall_rules $f`;then echo -e "\n $f " ; grep firewall_rules "$f" -A10;fi; done
find -L /usr/share/openstack-tripleo-heat-templates/ -type f | while read f;do if `grep -q firewall_rules $f`;then echo -e "\n $f " ; grep firewall_rules "$f" -A10;fi; doneThe following tables are formatted output from the above command, from a particular point in time. It would be good practice to confirm the settings in the YAML scripts, as they are subject to change.
2.1. TripleO Core
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| core | UDP | 4789 |
2.2. Ceph MDS
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ceph | TCP | 6800-7300 |
2.3. Ceph Monitor service
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ceph | TCP | 6789 |
2.4. Ceph OSD
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ceph | TCP | 6800-7300 |
2.5. Ceph RadosGW service
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ceph_rgw | TCP |
| Ceph RGW |
2.6. MySQL Galera
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| mysql_galera | TCP | 873 | MySQL |
| mysql_galera | TCP | 3123 | |
| mysql_galera | TCP | 3306 | |
| mysql_galera | TCP | 4444 | |
| mysql_galera | TCP | 4567 | |
| mysql_galera | TCP | 4568 | |
| mysql_galera | TCP | 9200 | Galera-monitor |
2.7. Redis
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| redis | TCP | 3124 | |
| redis | TCP | 6379 | Internal service coordination |
| redis | TCP | 26379 |
2.8. RabbitMQ
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| rabbitmq | TCP | 3122 | Rabbitmq |
| rabbitmq | TCP | 4369 | Rabbitmq |
| rabbitmq | TCP | 5672 | Rabbitmq |
| rabbitmq | TCP | 25672 | Rabbitmq |
2.9. Mistral API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| mistral_api | TCP | 8989 | |
| mistral_api | TCP | 13989 |
2.10. Neutron L3 VRRP
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| VRRP | VRRP | VRRP |
2.11. Manila API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| manila | TCP | 8786 | Manila API |
| manila | TCP | 13786 | Manila API |
2.12. AODH API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| aodh_api | TCP | 8042 | |
| aodh_api | TCP | 13042 |
2.13. Barbican API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| barbican_api | TCP | 9311 | |
| barbican_api | TCP | 13311 |
2.14. Glance API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| glance | TCP | 9292 | Glance API |
| glance | TCP | 13292 | Glance API (SSL) |
2.15. OVN DB Server
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ovn_dbs | TCP |
| |
| ovn_dbs | TCP |
|
2.16. Gnocchi API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| gnocchi | TCP | 8041 | Gnocchi API |
| gnocchi | TCP | 13041 | Gnocchi API (SSL) |
2.17. Ceph RBD Mirror
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ceph | TCP | 6800-7300 |
2.18. RabbitMQ QDR
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| rabbitmq | TCP |
|
2.19. Ceilometer API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ceilometer | TCP | 8777 | Ceilometer API |
| ceilometer | TCP | 13777 | Ceilometer API (SSL) |
2.20. Horizon
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| horizon | TCP | 80 | Dashboard |
| horizon | TCP | 443 | Dashboard (SSL) |
2.21. Ironic API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ironic | TCP | 6385 | Ironic API |
| ironic | TCP | 13385 | Ironic API (SSL) |
2.22. Memcached service
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| memcached | TCP | 11211 |
2.23. Ceph MDS
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ceph | TCP | 6800-7300 |
2.24. Ceph Monitor service
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ceph | TCP | 6789 |
2.25. Mistral API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| mistral_api | TCP | 8989 | |
| mistral_api | TCP | 13989 |
2.26. Ceph OSD
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ceph | TCP | 6800-7300 |
2.27. Ceph RadosGW service
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ceph_rgw | TCP |
| Ceph RGW |
2.28. Cinder API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| cinder | TCP | 8776 | Cinder API |
| cinder | TCP | 13776 | Cinder API (SSL) |
2.29. Ceilometer SNMP
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| SNMP | UDP | 161 | Ceilometer |
2.30. Ironic Conductor
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| TFTP | UDP | 69 | |
| HTTP | TCP |
|
2.31. Ironic Inspector
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ironic_inspector | TCP | 5050 |
2.32. keepalived VRRP
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| VRRP | VRRP | VRRP |
2.33. NTP
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ntp | UDP | 123 | NTP |
2.34. Opencontrail DPDK
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| opencontrail | TCP | 8097 | |
| opencontrail | TCP | 8085 |
2.35. Opencontrail TSN
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| opencontrail | TCP | 8097 |
2.36. Opencontrail vRouter
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| opencontrail | TCP | 8097 | |
| opencontrail | TCP | 8085 |
2.37. Gnocchi Statsd
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| gnocchi_statsd | UDP | 8125 | Network daemon for statistics |
2.38. Keystone
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| keystone | TCP | 5000 | Keystone Public API |
| keystone | TCP | 13000 | Keystone Public API (SSL) |
| keystone | TCP | 35357 | Keystone Admin API |
| keystone | TCP | 13357 | Keystone Admin API (SSL) |
2.39. Neutron API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| neutron | TCP | 9696 | Neutron API |
| neutron | TCP | 13696 | Neutron API (SSL) |
2.40. Cinder Volume iSCSI Initiator
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| iSCSI | TCP | 3260 |
2.41. MongoDB
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| mongodb_config | TCP | 27019 | mongodb_config |
| mongodb_sharding | TCP | 27018 | mongodb_sharding |
| mongodb | TCP | 27017 | MongoDB |
2.42. MySQL Galera
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| mysql_galera | TCP | 873 | MySQL |
| mysql_galera | TCP | 3306 | |
| mysql_galera | TCP | 4444 | |
| mysql_galera | TCP | 4567 | |
| mysql_galera | TCP | 4568 | |
| mysql_galera | TCP | 9200 | Galera-monitor |
2.43. Redis
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| redis | TCP | 6379 | Internal service coordination |
| redis | TCP | 26379 |
2.44. Nova API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| nova | TCP | 8773 | Nova EC2 API |
| nova | TCP | 3773 | Nova EC2 API (SSL) |
| nova | TCP | 8774 | Nova API |
| nova | TCP | 13774 | Nova API (SSL) |
| nova | TCP | 8775 | Nova Metadata |
2.45. EC2 API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ec2_api | TCP | 8788 | |
| ec2_api | TCP | 13788 |
2.46. etcd
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| etcd | TCP | 2379 | |
| etcd | TCP | 2380 |
2.47. HAProxy
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| haproxy_stats | TCP | 1993 |
2.48. Neutron DHCP
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| neutron_DHCP | UDP | 67 | Provisioning the Overcloud |
| neutron_DHCP | UDP | 68 |
2.49. Heat CloudFormation API service
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| heat | TCP | 8000 | Heat AWS CloudFormation-compatible API |
| heat | TCP | 13800 | Heat AWS CloudFormation-compatible API (SSL) |
2.50. Heat AWS CloudWatch-compatible API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| heat | TCP | 8003 | Heat AWS CloudWatch-compatible API |
| heat | TCP | 13003 | Heat AWS CloudWatch-compatible API (SSL) |
2.51. L2GW Agent Input
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| neutron_l2gw_agent | TCP |
|
2.52. Heat API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| heat | TCP | 8004 | Heat API Endpoint |
| heat | TCP | 13004 | Heat API Endpoint (SSL) |
2.53. Neutron Nuage OVS Agent
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| neutron_vxlan | UDP | 4789 | VXLAN |
| neutron_vxlan | TCP |
| VXLAN |
2.54. Swift Proxy
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| swift | TCP | 8080 | Swift Proxy |
| swift | TCP | 13808 | Swift Proxy (SSL) |
2.55. Neutron OVS Agent
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| neutron_vxlan | UDP | 4789 | VXLAN |
| neutron_vxlan | GRE | GRE |
2.56. Swift Storage
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| swift | TCP | 873 | Rsync |
| swift | TCP | 6000 | Object Server |
| swift | TCP | 6001 | Container Server |
| swift | TCP | 6002 | Account Server |
2.57. Nova Libvirt
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| nova_libvirt | TCP | 16514 | |
| nova_libvirt | TCP | 49152-49215 | |
| nova_libvirt | TCP | 5900-6923 |
2.58. Nova Migration Target
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| nova_migration_target | TCP |
|
|
2.59. Nova Placement
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| nova_placement | TCP | 8778 | |
| nova_placement | TCP | 13778 |
2.60. Nova VNC Proxy
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| nova_vnc_proxy | TCP | 6080 | |
| nova_vnc_proxy | TCP | 13080 |
2.61. Octavia API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| octavia_api | TCP | 9876 | |
| octavia_api | TCP | 13876 |
2.62. OpenDaylight API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| opendaylight_api | TCP | 6640 | |
| opendaylight_api | TCP | 6653 | |
| opendaylight_api | TCP | 2550 | |
| opendaylight_api | TCP | 8185 |
2.63. OpenDaylight OVS Agent
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| opendaylight_ovs | UDP | 4789 | VXLAN |
| opendaylight_ovs | GRE | GRE |
2.64. OVN Controller
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| ovn_controller | UDP | 4789 | neutron vxlan networks |
| ovn_controller | UDP | 6081 | neutron geneve networks |
2.65. pacemaker
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| pacemaker | TCP | 2224 | |
| pacemaker | TCP | 3121 | |
| pacemaker | TCP | 21064 | |
| pacemaker | UDP | 5405 |
2.66. pacemaker remote
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| pacemaker | TCP | 3121 |
2.67. Panko API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| panko_api | TCP | 8977 | |
| panko_api | TCP | 13977 |
2.68. RabbitMQ
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| rabbitmq | TCP | 4369 | Rabbitmq |
| rabbitmq | TCP | 5672 | Rabbitmq |
| rabbitmq | TCP | 25672 | Rabbitmq |
2.69. Sahara API
| Service | Protocol | Ports | Notes |
|---|---|---|---|
| sahara | TCP | 8386 | Sahara API |
| sahara | TCP | 13386 | Sahara API (SSL) |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}