Difference between revisions of "Integration with UCS/Firewall"
From Univention Wiki
Revision as of 14:48, 25 October 2016 by Wiesenthal

[[Category:App Center Developer Guide]]

In the default setting, all incoming ports are blocked by the UCS firewall. univention-firewall is a set of rules for iptables.

= The Firewall for [[Docker Apps]] =

Docker Containers are made accessible to the Docker Host and the outside world via these variables in the [[Meta files/ini|ini file]]:

<pre>
PortsExclusive=9900
PortsRedirection=9911:80
</pre>

This will make port 9900 and port 80 of the Docker Container available on the Docker Host '''and for external clients'''. Port 80 inside the container is accessible as port 9911 outside!

;''Note'': This will also build up an implicit conflict list against other Apps that want to use these ports!

== Database ==

As described in [[Integration with UCS/Database]], the ports for MySQL and Postgres are opened for the Docker Container automatically if the database is specified in the ini file:

<pre>
Database=mysql
</pre>

== Web interface ==

A web interface on port, say, 8080, needs to be specified in the ini file:

<pre>
WebInterfacePortHTTP=8080
PortsExclusive=8080
AutoModProxy=False
</pre>

= Configuring the Firewall =

Every App can provide rules that open the ports it requires. In this example, port 6644 is opened for TCP and UDP. This is done in the [[Integration with UCS/Join|join script]]:

<pre>
# Register ACCEPT rules for TCP and UDP port 6644 under the App's package name;
# the ".../en" keys carry the English description of each rule.
univention-config-registry set \
  security/packetfilter/package/"$APP"/tcp/6644/all="ACCEPT" \
  security/packetfilter/package/"$APP"/tcp/6644/all/en="$APP" \
  security/packetfilter/package/"$APP"/udp/6644/all="ACCEPT" \
  security/packetfilter/package/"$APP"/udp/6644/all/en="$APP"
# Reload the firewall so the new rules take effect, if the init script exists.
[ -x "/etc/init.d/univention-firewall" ] &&
  invoke-rc.d univention-firewall restart
</pre>
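As an added example (not part of this wiki page or of UCS itself): a small Python script that reads the ini variables described above for several Apps, derives the host ports each App claims (the implicit conflict list the note refers to), and builds the UCR key/value pairs a join script would set, following the pattern shown in the block above. It assumes an [Application] ini section, comma-separated port lists, and constructed sample ini contents for three hypothetical Apps.

```python
import configparser
from typing import Dict, List, Set, Tuple

# Constructed sample ini files for three hypothetical Apps (not real UCS Apps).
# The [Application] section name and comma-separated port lists are assumptions.
APP_INIS = {
    "appa": "[Application]\nPortsExclusive=9900\nPortsRedirection=9911:80\nDatabase=mysql\n",
    "appb": "[Application]\nWebInterfacePortHTTP=8080\nPortsExclusive=8080\nAutoModProxy=False\n",
    "appc": "[Application]\nPortsExclusive=8080,6644\n",
}


def host_ports(ini_text: str) -> Tuple[Set[int], Dict[int, int]]:
    """Host-side ports an App claims, and its host->container redirections."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["Application"]
    ports: Set[int] = set()
    redirects: Dict[int, int] = {}
    # PortsExclusive: the same port number on the host and inside the container.
    for item in sec.get("PortsExclusive", "").split(","):
        if item.strip():
            ports.add(int(item))
    # PortsRedirection: host_port:container_port; only host_port is claimed outside.
    for item in sec.get("PortsRedirection", "").split(","):
        if item.strip():
            host, container = item.split(":")
            redirects[int(host)] = int(container)
            ports.add(int(host))
    return ports, redirects


def port_conflicts(apps: Dict[str, str]) -> Dict[int, List[str]]:
    """The implicit conflict list: host ports claimed by more than one App."""
    claims: Dict[int, List[str]] = {}
    for app_id, ini in apps.items():
        for port in host_ports(ini)[0]:
            claims.setdefault(port, []).append(app_id)
    return {p: ids for p, ids in sorted(claims.items()) if len(ids) > 1}


def ucr_firewall_rules(app_id: str, port: int, protocols=("tcp", "udp")) -> List[Tuple[str, str]]:
    """UCR key/value pairs a join script sets to open a port, matching the page's pattern."""
    rules: List[Tuple[str, str]] = []
    for proto in protocols:
        base = f"security/packetfilter/package/{app_id}/{proto}/{port}/all"
        rules.append((base, "ACCEPT"))        # the ACCEPT rule itself
        rules.append((base + "/en", app_id))  # English description of the rule
    return rules
```

Running `port_conflicts(APP_INIS)` reports port 8080 as claimed by both appb and appc, which is exactly the kind of clash the note above warns about.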