When you enable the service point service on a DNS/DHCP Server, several custom
firewall rules are added to the PSM chains. Additional rules are added to the
PREROUTING, DOCKER and OUTPUT chains. A SERVICE-POINT chain is added to support
service point functionality and to ensure that incoming DNS queries targeting the
service point IPv4 address are processed by the service point.
Attention:
- Once you enable the service point, preexisting custom firewall rules are removed from the PSM chains. You can re-add the preexisting custom firewall rules, but you must ensure that they do not conflict with the custom firewall rules created when you enable the service point.
- If you disable the service point, the preexisting custom firewall rules are restored.
Important: In Address Manager v9.2.0, connection tracking is disabled by
default; however, once you enable the service point service, connection tracking
is enabled automatically. Connection tracking must remain enabled for the
service point service to function properly, so do not manually disable
connection tracking after configuring the service point.
The following custom firewall rules are added:
iptables -A PSM_CUSTOM_INPUT -p tcp --sport 443 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT --out-interface docker0 -j ACCEPT
iptables -A PSM_CUSTOM_INPUT --in-interface docker0 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT -o lo -j ACCEPT
iptables -A PSM_CUSTOM_INPUT -p tcp --sport 80 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT -p tcp --dport 80 -j ACCEPT
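The following script is an added example, not part of the original documentation and not a BlueCat tool. It checks a saved dump of `iptables -S` output for the seven rules listed above, reports any that are missing, and separately reports whether the port 80 diagnostic rules are still present. It assumes the rules appear in the normalised form that `iptables -S` prints (for example, `--out-interface docker0` is printed as `-o docker0`, and `-p tcp --sport 443` as `-p tcp -m tcp --sport 443`); the two sample dumps below are constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Added example: audit a saved "iptables -S" dump for the service point rules.
# Usage on a live server:  iptables -S > /tmp/rules.txt; check_psm_rules /tmp/rules.txt

# The seven rules from the documentation, written the way "iptables -S" prints them
# (assumption: iptables adds "-m tcp" for --sport/--dport and shortens
# --in-interface/--out-interface to -i/-o).
EXPECTED_RULES='-A PSM_CUSTOM_INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A PSM_CUSTOM_OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A PSM_CUSTOM_OUTPUT -o docker0 -j ACCEPT
-A PSM_CUSTOM_INPUT -i docker0 -j ACCEPT
-A PSM_CUSTOM_OUTPUT -o lo -j ACCEPT
-A PSM_CUSTOM_INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A PSM_CUSTOM_OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# check_psm_rules FILE: returns 0 if every expected rule is present in FILE,
# 1 otherwise, listing each missing rule on stderr.
check_psm_rules() {
    missing=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if ! grep -Fxq -- "$rule" "$1"; then
            echo "missing: $rule" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$EXPECTED_RULES
EOF
    [ "$missing" -eq 0 ]
}

# port80_diagnostics_open FILE: returns 0 if both port 80 diagnostic rules are
# still in place, 1 if either has been removed.
port80_diagnostics_open() {
    grep -Fxq -- '-A PSM_CUSTOM_INPUT -p tcp -m tcp --sport 80 -j ACCEPT' "$1" &&
    grep -Fxq -- '-A PSM_CUSTOM_OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT' "$1"
}

# Constructed sample: a dump from a server with the service point enabled.
SAMPLE_FULL=$(mktemp)
cat > "$SAMPLE_FULL" <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N PSM_CUSTOM_INPUT
-N PSM_CUSTOM_OUTPUT
-N SERVICE-POINT
-A PSM_CUSTOM_INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A PSM_CUSTOM_INPUT -i docker0 -j ACCEPT
-A PSM_CUSTOM_INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A PSM_CUSTOM_OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A PSM_CUSTOM_OUTPUT -o docker0 -j ACCEPT
-A PSM_CUSTOM_OUTPUT -o lo -j ACCEPT
-A PSM_CUSTOM_OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
EOF

# Constructed sample: the same server after the port 80 diagnostic rules were removed.
SAMPLE_NO80=$(mktemp)
grep -v -- '--[sd]port 80 ' "$SAMPLE_FULL" > "$SAMPLE_NO80"
trap 'rm -f "$SAMPLE_FULL" "$SAMPLE_NO80"' EXIT

for f in "$SAMPLE_FULL" "$SAMPLE_NO80"; do
    echo "== $f"
    if check_psm_rules "$f"; then
        echo "all service point rules present"
    else
        echo "service point rule set incomplete"
    fi
    if port80_diagnostics_open "$f"; then
        echo "port 80 diagnostic rules present"
    else
        echo "port 80 diagnostic rules removed"
    fi
done
```

Run it on a real server by saving `iptables -S` to a file and calling `check_psm_rules` on it; a non-zero exit with "missing:" lines means a custom rule you re-added after enabling the service point, or a later change, has displaced one of the documented rules.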
Important: Port 80 is open to allow you to probe the service point
diagnostics. If you do not wish to leverage the diagnostics, you can disable
port 80 by running the following commands: