Difference between revisions of "Integration with UCS/Firewall"

From Univention Wiki

[[Category:App Center Developer Guide]]

In the default setting, the UCS firewall blocks every incoming port that has not been explicitly opened. univention-firewall is the package that turns the firewall's UCR variables into a set of rules for iptables.

= The Firewall for [[Docker Apps]] =

Ports of a Docker Container are made reachable from the Docker Host and from the outside world via these variables in the [[Meta files/ini|ini file]]:

<pre>
PortsExclusive=9900
PortsRedirection=9911:80
</pre>

This makes port 9900 of the Docker Container available on the Docker Host '''and for external clients''' under the same port number. PortsRedirection maps a host port to a container port: port 80 inside the container is accessible as port 9911 outside.

;''Note'': These ports also form an implicit conflict list: another App that wants to use the same host ports conflicts with this App.
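Because the conflict list is implicit, it is worth checking an App's host-side ports against the other Apps it will be installed next to before publishing it. The following is an added example (not App Center code): it extracts the host-side ports from ini fragments and reports every port claimed by two of them. It assumes, which this page does not state, that several values in PortsExclusive or PortsRedirection are separated by commas; the two ini files and the App names appa and appb are constructed for the example.

```shell
#!/bin/sh
# Added example, not App Center code: find host-side port clashes between Apps.
# Assumption (not stated on this page): several values are comma separated,
# e.g. PortsExclusive=80,443 or PortsRedirection=9911:80,9912:443.

# host_ports FILE -> one host-side port per line claimed by this ini file
host_ports() {
    # PortsExclusive: the container port is exposed under the same number
    sed -n 's/^PortsExclusive=//p' "$1" | tr ',' '\n'
    # PortsRedirection=HOST:CONTAINER: only the host side can clash
    sed -n 's/^PortsRedirection=//p' "$1" | tr ',' '\n' | cut -d: -f1
}

# port_conflicts FILE... -> prints "PORT APP1 APP2" for each host port that two
# ini files claim; the App name is taken from the file name (appa.ini -> appa)
port_conflicts() {
    for f in "$@"; do
        app=$(basename "$f" .ini)
        host_ports "$f" | sed "s/^ *//;s/ *\$//;/^\$/d;s/\$/ $app/"
    done | sort -n | {
        prev=''; prevapp=''
        while read -r port app; do
            if [ "$port" = "$prev" ]; then
                printf '%s %s %s\n' "$port" "$prevapp" "$app"
            fi
            prev=$port; prevapp=$app
        done
    }
}

# make_sample_inis DIR -> writes two constructed ini fragments into DIR
make_sample_inis() {
    cat > "$1/appa.ini" <<'EOF'
[Application]
ID=appa
PortsExclusive=9900,80
PortsRedirection=9911:80
EOF
    cat > "$1/appb.ini" <<'EOF'
[Application]
ID=appb
PortsExclusive=80
PortsRedirection=9900:8080
EOF
}

tmp=$(mktemp -d)
make_sample_inis "$tmp"
port_conflicts "$tmp"/appa.ini "$tmp"/appb.ini
# 80 appa appb
# 9900 appa appb
rm -rf "$tmp"
```

Note that 9900 is reported even though appb only uses it as the host side of a redirection: what matters for the conflict is the port on the Docker Host, not the port inside the container.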
== Database ==

As described in [[Integration with UCS/Database]], the port of MySQL or PostgreSQL on the Docker Host is opened for the Docker Container automatically if the database is specified in the ini file:

<pre>
Database=mysql
</pre>

== Web interface ==

A web interface that the container serves on, say, port 8080 needs to be declared in the ini file, and the port needs to be opened with PortsExclusive. With AutoModProxy=False the App Center does not set up an Apache reverse proxy for it, so clients reach the interface directly on port 8080:

<pre>
WebInterfacePortHTTP=8080
PortsExclusive=8080
AutoModProxy=False
</pre>
= Configuring the Firewall =

Every App can provide its own rules that open the ports it requires. A rule is a set of UCR variables below security/packetfilter/package/; the variable ending in /en carries the description shown for the rule. In this example port 6644 is opened for TCP and UDP in the [[Integration with UCS/Join|join script]], after which the firewall is restarted so that the new rules take effect:

<pre>
# $APP holds the App ID and is set earlier in the join script
univention-config-registry set \
	security/packetfilter/package/"$APP"/tcp/6644/all="ACCEPT" \
	security/packetfilter/package/"$APP"/tcp/6644/all/en="$APP" \
	security/packetfilter/package/"$APP"/udp/6644/all="ACCEPT" \
	security/packetfilter/package/"$APP"/udp/6644/all/en="$APP"
[ -x "/etc/init.d/univention-firewall" ] &&
	invoke-rc.d univention-firewall restart
</pre>
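A join script runs as root, so it should refuse a malformed port specification rather than write a half-finished rule set, and the unjoin script should remove the same variables again so that no ACCEPT rule outlives the App. The following is an added example of such a helper, not the App Center's own code: the function names (port_spec_ok, open_ports, close_ports), the tcp/6644 spec syntax and the App ID myapp are assumptions of the example; the UCR variable names are the ones shown above.

```shell
#!/bin/sh
# Added example, not App Center code: validate port specs, then write or remove
# the security/packetfilter/package/... UCR variables for an App.
# Assumed: $APP (the App ID) is set earlier in the join script; specs look
# like tcp/6644 or udp/6644.

# port_spec_ok PROTO PORT -> true if PROTO is tcp or udp and PORT is 1..65535
port_spec_ok() {
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# rule_keys APP PROTO PORT -> the two UCR keys (without values) of one rule
rule_keys() {
    printf '%s\n' "security/packetfilter/package/$1/$2/$3/all" \
                  "security/packetfilter/package/$1/$2/$3/all/en"
}

# ucr_set_args APP PROTO PORT -> key=value pairs for 'univention-config-registry set'
ucr_set_args() {
    printf '%s\n' "security/packetfilter/package/$1/$2/$3/all=ACCEPT" \
                  "security/packetfilter/package/$1/$2/$3/all/en=$1"
}

# restart_firewall -> reload the iptables rules, as in the join script above
restart_firewall() {
    if [ -x /etc/init.d/univention-firewall ]; then
        invoke-rc.d univention-firewall restart
    fi
}

# open_ports APP SPEC... -> validates every spec first, then sets all rules
open_ports() {
    app=$1; shift
    [ $# -gt 0 ] || return 1
    for spec in "$@"; do
        port_spec_ok "${spec%%/*}" "${spec#*/}" ||
            { echo "refusing bad port spec: $spec" >&2; return 1; }
    done
    for spec in "$@"; do
        ucr_set_args "$app" "${spec%%/*}" "${spec#*/}"
    done | xargs univention-config-registry set
    restart_firewall
}

# close_ports APP SPEC... -> for the unjoin script: unset the same variables
close_ports() {
    app=$1; shift
    [ $# -gt 0 ] || return 1
    for spec in "$@"; do
        rule_keys "$app" "${spec%%/*}" "${spec#*/}"
    done | xargs univention-config-registry unset
    restart_firewall
}

# Demo, only where UCR exists (on a UCS host this really opens the ports):
if command -v univention-config-registry >/dev/null 2>&1; then
    open_ports "${APP:-myapp}" tcp/6644 udp/6644
fi
```

The unset variant matters because univention-firewall rebuilds its iptables rules from the UCR variables: a rule that is never unset stays in effect after the App is gone.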

Revision as of 14:48, 25 October 2016