Which ports does Secure Gateway Client use? - ibm-cloud

I plan to deploy the Secure Gateway Client in a DMZ in an on-premises environment, so I need to open outbound ports for the SG Client to connect to SG on Bluemix. The following question is similar to mine, but the answer doesn't list the needed ports.
For the Bluemix Secure Gateway service, how does the data center's network need to be configured?
The following Bluemix Doc shows Outbound 443 is needed.
https://www.ng.bluemix.net/docs/troubleshoot/SecureGateway/ts_index-gentopic1.html#ts_sg_006
What are the best practices for running the Secure Gateway client?
Before you install the Docker client into your environment, ensure that both the internet and your on-premises assets are accessible and all host names are resolvable by DNS. The client uses outbound port 443 to connect to the IBM Bluemix environment; normally this port is open since it is secure. Ensure you check or modify additional firewall and IP Table rules that might apply.
But the tcpdump I captured when I executed "docker run -it ibmcom/secure-gateway-client XXXX" showed that the SG Client used outbound 443 and 9000. Is it correct that the only ports the SG Client uses are outbound 443 and 9000?

Correct. If you are closing down both outbound and inbound ports with your firewall, then for outbound allow ports 443/9000. So your initial assertion is correct.
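Before you lock the DMZ firewall down to those two ports, it is worth verifying from the client host itself that name resolution works and that the outbound handshakes actually complete, because a DROP rule shows up as a silent timeout rather than a clear error. The following is an added example (not IBM's code and not part of the original thread); the Secure Gateway endpoint host names are not given on this page, so the caller passes whatever host the client log or documentation names, and the demo runs entirely on loopback.

```python
"""Pre-flight check for an outbound-only firewall: resolve each host, then
attempt a TCP handshake on every port the client needs, and classify the
outcome the way a firewall engineer would read it."""
import socket
from typing import Dict, Iterable, Tuple


def resolve(host: str) -> Tuple[str, ...]:
    """Addresses the name resolves to, or () if DNS fails (the docs require resolvable names)."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return ()
    return tuple(sorted({info[4][0] for info in infos}))


def check_outbound(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Per-port verdict:
      "open"       handshake completed, the firewall permits the flow
      "refused"    host reached but nothing listens there (a RST came back)
      "filtered"   no answer before the timeout, typical of a DROP rule (or unreachable)
      "unresolved" the name did not resolve, so no connection was even attempted
    """
    ports = list(ports)
    if not resolve(host):
        return {p: "unresolved" for p in ports}
    verdicts: Dict[int, str] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                verdicts[port] = "open"
        except ConnectionRefusedError:
            verdicts[port] = "refused"
        except OSError:  # includes socket.timeout / TimeoutError and network-unreachable errors
            verdicts[port] = "filtered"
    return verdicts


def demo() -> Dict[str, str]:
    """Constructed offline run on loopback: one listening port, and one port that
    was bound and immediately released so nothing answers on it."""
    listening = socket.socket()
    listening.bind(("127.0.0.1", 0))
    listening.listen(1)
    open_port = listening.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()
    try:
        verdicts = check_outbound("127.0.0.1", [open_port, dead_port], timeout=2.0)
    finally:
        listening.close()
    return {"listening": verdicts[open_port], "dead": verdicts[dead_port]}
```

On the real DMZ host you would call check_outbound with the Secure Gateway host from the client's connection log and the ports [443, 9000]; a "filtered" verdict on 9000 while 443 is "open" is the signature of the firewall rule this thread is about.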

Related

Is it ok that Flanneld is listening on public interface udp port 8472?

Security-wise, is it OK, that flanneld is listening on the public interface udp port 8472?
Normally kubernetes nodes live in the cloud, hidden behind dozens of firewalls, they mostly operate in their local virtual network and only expose ports to the public, if administrator approves them manually.
But here I have a bare-metal server which is directly connected to the internet and I'm not sure if I should add firewall rules to block connections from the outside (default fw policy is ACCEPT).
For instance, I've configured etcd3 to listen for client connections on 127.0.0.1, furthermore clients must authenticate themselves with tls certificates. However flannel doesn't seem to have any authentication/authorization mechanism.
I understand that flanneld operates in the Transport Layer. Therefore it has information from the previous layers.
So would it try drop any connection from the IPs, which are not in etcd?
For now my final intent is to create a single-node kubernetes “cluster”.

Is it possible to run web server on private IP?

I'm trying to implement a web server on my PC, which is connected to a router.
Since my PC is connected to the router, it is assigned a private IP address starting with
192.168...
However, it could not accept any clients that are not connected to the same router, even when I tried with the public IP address.
Is it possible to implement a web server that can accept clients from anywhere with my PC connected to the local router?
Or should I connect my web server directly to a public IP without the router?
It'll be a pleasure to learn from your answers.
The problem may be that your router is not configured to route traffic from your external IP to your web server, or your web server ports may be blocked, or another possibility is that your firewall is blocking connections to your service from outside the local network.
So, a solution to the misconfiguration would be to forward the port to the internal IP of the web server from your router menu.
And, in case the firewall is blocking, you may give special access to your web server through the firewall by setting inbound and outbound rules.
And if all that is correct, then most probably your ISP (Internet Service Provider) is not allowing ports to be opened for you, maybe due to a dynamic IP or service restrictions.
For a similar problem, you may refer to my answer to another post Here
What router do you have? Go into the router using a web browser; mine is 192.168.0.1 with username and password admin, or username admin and a blank password.
Then set a DMZ route, or port forwarding of 80 to your own internal IP address.

Outgoing connection proxy for http ingoing traffic

I've got two applications, a client and a REST server, on two different servers.
The server is in the DMZ, and the client is on a hosted server.
My enterprise IT department wants to have only outgoing connections to the hosted server, so that the firewall only sees outgoing connections.
They suggest the following architecture:
      hosted                        dmz
      Client <-----------------> Server
   Proxy server               Proxy client
1) Proxy server opens a tcp socket
2) Proxy client connects to this tcp socket permanently
3) http requests can be forwarded from client app to rest server app through the tcp connection
Do you know any software that implements such an active proxy mechanism? (e.g. Apache, nginx...)
Is it more secure than just opening port 80 for the web hosted machine?
Do you know any software that implements such an active proxy mechanism?
There are a variety of solutions, from netcat (nc) to SOCKS5. I suggest you start with netcat, since it is much easier to understand and configure.
Is it more secure than just opening port 80 for the web hosted machine?
Yes, it is more secure than just forwarding port 80 to the DMZ, since you are punching a hole in the firewall just for the specific flow.
On the other hand, adding an access list on top of the port 80 forwarding should make it even, but there might be other issues, like corporate politics, hardware limitations etc...

How can I get my services to register with a specific port in Eureka?

My Setup
I have some services that register with Eureka. This registration info is used by Zuul to route requests to my services. Most of these services run on a port like 9999 or 8080. Each service is on its own EC2 instance, and I have Nginx routing requests from port 80 to the server's port, so that I can keep my Security Group rules simple.
My Problem
When my service registers with Eureka, it gets registered with ${server.port}, which ends up being 8080 or 9999, etc. When Zuul attempts to route to {ec2host}:8080, it gets blocked by my Security Group rules. Based on the documentation, it looks like I should be able to specify a host and port with eureka.instance.hostname and eureka.instance.nonSecurePort. Whether I use those properties or not, my service registers with its specific port.
Is there a way to get the Eureka client to register my service with port 80, instead of the server's port?

Outbound HTTP request from bluemix runtime

Can a NodeJS application running on Bluemix make outside HTTP requests? What address does the receiving end see? There is a proxy on the other end that stops traffic from unknown servers, so we need to declare the origin IP. What is it for Bluemix?
Any application running on IBM Bluemix can make outgoing HTTP requests (or any other outgoing TCP/UDP request).
Outgoing requests will come from the IP address of the DEA running the container with this application instance. If you have multiple instances, requests can come from any of these instances.
For details on the environment variables exposing these parameters, see this page:
http://docs.run.pivotal.io/devguide/deploy-apps/environment-variable.html
Yes, a NodeJS application running on Bluemix can make outgoing requests.
The receiving end will see the IP address of the Bluemix gateway rather than the IP address of the DEA running the container. You can work out what the IP address is by doing an nslookup of the app URL, but the IP address(es) used is/are not currently documented, so they could change.