Custom firewall rules - BlueCat Address Manager - 9.4.0

Address Manager Administration Guide

Product: BlueCat Address Manager, version 9.4.0. Locale: English (United States).

When you enable the service point service on a DNS/DHCP Server, several custom firewall rules are added to the PSM chains. Additional rules are added to the PREROUTING, DOCKER and OUTPUT chains. A SERVICE-POINT chain is added to ensure service point functionality and that incoming DNS queries targeting the Service Point IPv4 address are processed by the service point.
Attention:
  • Once you enable the service point, preexisting custom firewall rules are removed from the PSM chains. You can re-add the preexisting custom firewall rules, but you must ensure that they do not conflict with the custom firewall rules created when you enable the service point.
  • If you disable the service point, the preexisting custom firewall rules are restored.
Important: In Address Manager v9.2.0, connection tracking is disabled by default; however, once you enable the service point service, connection tracking is automatically enabled. Connection tracking must be enabled for the service point service to function properly. Do not manually disable connection tracking after configuring the service point.
The following custom firewall rules are added:
  iptables -A PSM_CUSTOM_INPUT -p tcp --sport 443 -j ACCEPT
  iptables -A PSM_CUSTOM_OUTPUT -p tcp --dport 443 -j ACCEPT
  iptables -A PSM_CUSTOM_OUTPUT --out-interface docker0 -j ACCEPT
  iptables -A PSM_CUSTOM_INPUT --in-interface docker0 -j ACCEPT
  iptables -A PSM_CUSTOM_OUTPUT -o lo -j ACCEPT
  iptables -A PSM_CUSTOM_INPUT -p tcp --sport 80 -j ACCEPT
  iptables -A PSM_CUSTOM_OUTPUT -p tcp --dport 80 -j ACCEPT
Important: Port 80 is open to allow you to probe the service point diagnostics. If you do not wish to use the diagnostics, you can close port 80 by running the following commands:
  1. Export the current custom rules to a file:
    custom_fw_rules --export-rules fw.txt
  2. Edit the fw.txt file and remove the two rules that reference port 80 (the PSM_CUSTOM_INPUT --sport 80 rule and the PSM_CUSTOM_OUTPUT --dport 80 rule).
  3. Import the modified rules:
    custom_fw_rules --import-rules fw.txt
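The edit in step 2 can be done reproducibly, and checked before re-importing, with the helper functions below. This is an added example, not BlueCat's own tooling; it assumes the exported file holds one iptables command per line, as in the rule list above, and uses a constructed copy of that list as sample input.

```shell
#!/bin/sh
# Added example (not part of the Address Manager product): filter the two port-80
# rules out of an exported custom rule file and verify the result before running
# custom_fw_rules --import-rules on it. File names and the export format (one
# iptables command per line) are assumptions.

# Write a constructed sample export matching the rule list in this section.
make_sample_export() {
    cat > "$1" <<'EOF'
iptables -A PSM_CUSTOM_INPUT -p tcp --sport 443 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT --out-interface docker0 -j ACCEPT
iptables -A PSM_CUSTOM_INPUT --in-interface docker0 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT -o lo -j ACCEPT
iptables -A PSM_CUSTOM_INPUT -p tcp --sport 80 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT -p tcp --dport 80 -j ACCEPT
EOF
}

# Drop only rules whose --sport or --dport is exactly 80; a rule for 443 or for
# a port such as 8080 does not match because the pattern requires " 80" to be
# followed by a space or end of line.
strip_port80_rules() {
    grep -Ev -- '--(sport|dport) 80( |$)' "$1" > "$2"
}

# Succeed (exit 0) only if no port-80 rule remains in the given file.
check_no_port80() {
    ! grep -Eq -- '--(sport|dport) 80( |$)' "$1"
}

# Count the iptables rules in a file, to confirm exactly two were removed.
count_rules() {
    grep -c '^iptables' "$1"
}
```

Run make_sample_export fw.txt, strip_port80_rules fw.txt fw-no80.txt and check_no_port80 fw-no80.txt; on a real server replace the sample with the output of the export command from step 1.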