
Provide basic FW rules to allow only SSH/HTTPS inbound #16

Open
wimpers opened this issue Jul 5, 2016 · 3 comments

Comments


wimpers commented Jul 5, 2016

From @pploegaert on June 24, 2016 9:1

Only allow:
Inbound from public IPs:

  • SSH / HTTPS + apply rate limiting
  • disallow password authentication

Allow all between grid members

Drop all other port connection attempts

Provide this as a separate action on the ovs.sh script
To be run when your setup is complete

E.g.
ovs lockdown {optional node ip}

Copied from original issue: openvstorage/framework#663
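An added example of what the proposed lockdown action could look like on one node. This is not code from the Open vStorage project or from the issue's author; `ovs lockdown` is only the action name the issue proposes, and the rate limits, the drop-in file name and the service name are assumptions. Because the issue does not list the ports OVS uses between nodes, "allow all between grid members" is expressed by trusting the members' source addresses. Assumes IPv4, iptables with the conntrack and hashlimit matches, and an OpenSSH that includes `/etc/ssh/sshd_config.d/*.conf`.

```shell
#!/usr/bin/env bash
# Added illustration of the lockdown proposed in this issue. Not Open vStorage
# project code; "ovs lockdown" is only the action name the issue proposes.
# Assumes IPv4, iptables with the conntrack and hashlimit matches, and an
# OpenSSH that includes /etc/ssh/sshd_config.d/*.conf.
set -euo pipefail

# Hypothetical rate limits (per source IP, on NEW connections); tune per site.
SSH_LIMIT="4/minute";    SSH_BURST=4
HTTPS_LIMIT="50/second"; HTTPS_BURST=100

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    local ip=$1 o
    [[ $ip =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
    local IFS=.
    for o in $ip; do
        (( 10#$o <= 255 )) || return 1
    done
}

# build_lockdown_rules MEMBER_IP...: print an iptables-restore ruleset that
#   - accepts everything from the listed grid members,
#   - accepts rate-limited SSH and HTTPS from anywhere else,
#   - drops every other inbound connection attempt (INPUT policy DROP).
build_lockdown_rules() {
    [ $# -ge 1 ] || { echo "usage: build_lockdown_rules MEMBER_IP..." >&2; return 1; }
    local m
    for m in "$@"; do
        is_ipv4 "$m" || { echo "not an IPv4 address: $m" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # "Allow all between grid members": trust by source address, since the
    # issue does not list the ports OVS uses between nodes.
    for m in "$@"; do
        printf -- '-A INPUT -s %s -j ACCEPT\n' "$m"
    done
    # Public services: accept only while the per-source rate of new connections
    # stays under the limit; anything above it falls through to the DROP policy.
    printf -- '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto %s --hashlimit-burst %s -j ACCEPT\n' "$SSH_LIMIT" "$SSH_BURST"
    printf -- '-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name https --hashlimit-mode srcip --hashlimit-upto %s --hashlimit-burst %s -j ACCEPT\n' "$HTTPS_LIMIT" "$HTTPS_BURST"
    echo COMMIT
}

# sshd_lockdown_config: drop-in that disallows password logins (keys only).
sshd_lockdown_config() {
    cat <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
EOF
}

# ovs_lockdown MEMBER_IP...: the proposed action. Parses the ruleset with
# iptables-restore --test before loading it, and checks sshd_config before
# reloading sshd (service name varies by distribution; "sshd" is assumed).
ovs_lockdown() {
    local rules
    rules=$(build_lockdown_rules "$@")
    printf '%s\n' "$rules" | iptables-restore --test
    printf '%s\n' "$rules" | iptables-restore
    sshd_lockdown_config > /etc/ssh/sshd_config.d/90-lockdown.conf
    sshd -t
    systemctl reload sshd
}
```

To preview the ruleset without touching the kernel: `build_lockdown_rules 10.0.0.11 10.0.0.12 | iptables-restore --test`. Run `ovs_lockdown` only from an SSH session authenticated with a key, since the drop-in disables password logins for the next connection, and keep the member list complete: a member left out loses all access except rate-limited SSH and HTTPS.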


wimpers commented Jul 5, 2016

From @dejonghb on June 24, 2016 9:35

Nice to have but more part of the linux OS setup itself, I think.

We do need to provide guidelines on what ports are used, but adding/changing firewall setups on the nodes feels like it is not our job and might even break things that are already in place...

Of course, there's no excuse for just putting systems wide open on the internet; that's something else.


wimpers commented Jul 5, 2016

@jtorreke please provide list of ports and suggested firewall rules in the documentation (https://github.com/openvstorage/ovs-documentation -> essentials).


wimpers commented Jul 5, 2016

From @khenderick on July 1, 2016 9:27

Like @dejonghb suggested, I think firewalling should be something the customer/user running OVS should take care of, but we should indeed document it and urge the customer/user to do this.

The API does already have rate limiting built-in. It's already implemented for the authentication (as per RFC) and is also implemented for some other calls. It is very easy to add limits to individual calls.
