The comment implies that 32768-65535 are required for web servers to function, but I've had authoritative responses from them in the past which have later turned out to be wrong, so I want to confirm this assertion.ĭo either of nginx or sshd require the ephemeral ports to be open in order for them to perform their functions correctly, or does all activity always happen only on the ports they have been configured to use (eg, 80 and 443, and 22 respectively)? Would closing the ephemeral ports to traffic prevent services like apt from functioning correctly (which I believe usually uses HTTP on port 80 to interact with its sources)?Īdditionally, they have added the following two lines regarding DNS queries to the configuration: Source Destination Protocol Ports Service Action DescriptionĠ.0.0.0/0 192.168.0.0/16 TCP/UDP 53 DNS Allow Allows inbound DNS query from anywhereġ92.168.0.0/16 0.0.0.0/0 TCP/UDP 53 DNS Allow Allows outbound DNS queries to anywhere I was vaguely aware that some services use ephemeral ports for the actual worker connections after the initial request to the service's well-known port has been established, but I'm not sure which services actually need these ports to be open on the public interfaces of servers in order for those servers to function correctly. Unfortunately, the network layer is the one aspect of the OSI model about which I know very little. However, they have asked me to verify the final configuration they are going to apply and this includes the following lines: Source Destination Protocol Ports Service Action DescriptionĠ.0.0.0/0 192.168.0.0/-65535 Ephemeral Ports Allow Allows inbound return traffic from the Internetġ92.168.0.0/16 0.0.0.0/8-65535 Ephemeral Ports Allow Allows outbound responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet) I've already outlined the requirements for this part and it's been agreed between myself and the AWS team. The client's security policy is needfully restrictive as the servers will contain sensitive business data, so the network configuration needs to be locked down for incoming and outgoing connections from all servers as much as possible. I've been developing an application for a client which will run on a bunch of load-balanced AWS servers running Debian 7.5 which will only be accessible on port 80 for the application itself from all addresses, and port 22 for SSH from just our office and the office of the client's outsourced AWS management team. Anyway, now that's over, on to the actual question. I already have the main switch configuration finalised and ready to go back to the client, but they've asked me to verify the /entire/ config they're going to actually apply to the switches, not just the application-specific stuff, hence the question below. ![]() ![]() Preamble: So, before I actually ask the question, I'd like to point out that I'm somewhat apprehensive about posting this because even as I'm typing this out it it feels like I'm asking someone to just tell me the switch config I need, which isn't the case.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |