2.3. Firewalls
2.3.1. Red Hat Enterprise Virtualization Manager Firewall Requirements
The Red Hat Enterprise Virtualization Manager requires that a number of ports be opened to allow network traffic through the system's firewall. The
engine-setup script can configure the firewall automatically, but this overwrites any pre-existing firewall configuration.
Where an existing firewall configuration exists, you must manually insert the firewall rules required by the Manager instead. The
engine-setup command saves a list of the iptables rules required in the /usr/share/ovirt-engine/conf/iptables.example file.
The firewall configuration documented here assumes a default configuration. Where non-default HTTP and HTTPS ports are chosen during installation, adjust the firewall rules to allow network traffic on the ports that were selected - not the default ports (
80 and 443) listed here.
| Port(s) | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|
| - | ICMP |
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Enterprise Linux host(s)
|
Red Hat Enterprise Virtualization Manager
| When registering to the Red Hat Enterprise Virtualization Manager, virtualization hosts send an ICMP ping request to the Manager to confirm that it is online. |
| 22 | TCP |
System(s) used for maintenance of the Manager including backend configuration, and software upgrades.
|
Red Hat Enterprise Virtualization Manager
|
Secure Shell (SSH) access.
Optional.
|
| 2222 | TCP |
Clients accessing virtual machine serial consoles.
|
Red Hat Enterprise Virtualization Manager
|
Secure Shell (SSH) access to enable connection to virtual machine serial consoles.
|
| 80, 443 | TCP |
Administration Portal clients
User Portal clients
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Enterprise Linux host(s)
REST API clients
|
Red Hat Enterprise Virtualization Manager
|
Provides HTTP and HTTPS access to the Manager.
|
| 6100 | TCP |
Administration Portal clients
User Portal clients
|
Red Hat Enterprise Virtualization Manager
|
Provides websocket proxy access for web-based console clients (
noVNC and spice-html5) when the websocket proxy is running on the Manager. If the websocket proxy is running on a different host, however, this port is not used.
|
| 7410 | UDP |
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Enterprise Linux host(s)
|
Red Hat Enterprise Virtualization Manager
| Must be open for the Manager to receive Kdump notifications. |
Important
In environments where the Red Hat Enterprise Virtualization Manager is also required to export NFS storage, such as an ISO Storage Domain, additional ports must be allowed through the firewall. Grant firewall exceptions for the ports applicable to the version of NFS in use:
NFSv4
- TCP port
2049for NFS.
NFSv3
- TCP and UDP port
2049for NFS. - TCP and UDP port
111(rpcbind/sunrpc). - TCP and UDP port specified with
MOUNTD_PORT="port" - TCP and UDP port specified with
STATD_PORT="port" - TCP port specified with
LOCKD_TCPPORT="port" - UDP port specified with
LOCKD_UDPPORT="port"
The
MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, and LOCKD_UDPPORT ports are configured in the /etc/sysconfig/nfs file.
2.3.2. Hypervisor Firewall Requirements
Hypervisor hosts require a number of ports to be opened to allow network traffic through the system's firewall. In the case of the Red Hat Enterprise Virtualization Hypervisor and Red Hat Virtualization Host, these firewall rules are configured automatically. For Red Hat Enterprise Linux hosts however it is necessary to manually configure the firewall.
| Port(s) | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|
| 22 | TCP |
Red Hat Enterprise Virtualization Manager
|
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
|
Secure Shell (SSH) access.
Optional.
|
| 2223 | TCP |
Red Hat Enterprise Virtualization Manager
|
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
|
Secure Shell (SSH) access to enable connection to virtual machine serial consoles.
|
| 161 | UDP |
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
|
Red Hat Enterprise Virtualization Manager
|
Simple network management protocol (SNMP). Only required if you want Simple Network Management Protocol traps sent from the hypervisor to one or more external SNMP managers.
Optional.
|
| 5900 - 6923 | TCP |
Administration Portal clients
User Portal clients
|
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
|
Remote guest console access via VNC and SPICE. These ports must be open to facilitate client access to virtual machines.
|
| 5989 | TCP, UDP |
Common Information Model Object Manager (CIMOM)
|
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
|
Used by Common Information Model Object Managers (CIMOM) to monitor virtual machines running on the hypervisor. Only required if you want to use a CIMOM to monitor the virtual machines in your virtualization environment.
Optional.
|
| 16514 | TCP |
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
|
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
|
Virtual machine migration using
libvirt.
|
| 49152 - 49216 | TCP |
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
|
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
|
Virtual machine migration and fencing using VDSM. These ports must be open facilitate both automated and manually initiated migration of virtual machines.
|
| 54321 | TCP |
Red Hat Enterprise Virtualization Manager
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
|
Red Hat Enterprise Virtualization Hypervisor(s)
Red Hat Virtualization Host(s)
Red Hat Enterprise Linux host(s)
|
VDSM communications with the Manager and other virtualization hosts.
|
2.3.3. Directory Server Firewall Requirements
Red Hat Enterprise Virtualization requires a directory server to support user authentication. A number of ports must be opened in the directory server's firewall to support GSS-API authentication as used by the Red Hat Enterprise Virtualization Manager.
| Port(s) | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|
| 88, 464 | TCP, UDP |
Red Hat Enterprise Virtualization Manager
|
Directory server
| Kerberos authentication. |
| 389, 636 | TCP |
Red Hat Enterprise Virtualization Manager
|
Directory server
| Lightweight Directory Access Protocol (LDAP) and LDAP over SSL. |
2.3.4. Database Server Firewall Requirements
Red Hat Enterprise Virtualization supports the use of a remote database server. If you plan to use a remote database server with Red Hat Enterprise Virtualization then you must ensure that the remote database server allows connections from the Manager.
| Port(s) | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|
| 5432 | TCP, UDP |
Red Hat Enterprise Virtualization Manager
|
PostgreSQL database server
| Default port for PostgreSQL database connections. |
If you plan to use a local database server on the Manager itself, which is the default option provided during installation, then no additional firewall rules are required.
