Integration with UCS/Firewall

From Univention Wiki



In the default setting, the UCS firewall blocks all incoming ports that have not been opened explicitly. univention-firewall is a set of iptables rules that is generated from Univention Configuration Registry (UCR) variables.

The Firewall for Docker Apps

Ports of a Docker Container are made reachable from the Docker Host and from external clients via these variables in the ini file:

PortsExclusive=9900
PortsRedirection=9911:80

This makes port 9900 and port 80 of the Docker Container available on the Docker Host and to external clients. Port 80 inside the container is reachable as port 9911 from outside.

Note
This will also build up an implicit conflict list against other Apps that want to use these ports!

Database

As described in Integration with UCS/Database, the ports for MySQL and Postgres are opened for the Docker Container automatically if specified in the ini file.

Web interface

A web interface on port, say, 8080, needs to be specified in the ini file:

WebInterfacePortHTTP=8080
PortsExclusive=8080
AutoModProxy=False

Configuring the Firewall

Every App can provide rules that open the ports it requires. In this example port 6644 is opened for TCP and UDP; put this in the join script:

# Open TCP and UDP port 6644 for all source addresses. $APP is the App's ID;
# the ".../en" variable holds the description shown for the rule.
univention-config-registry set \
	security/packetfilter/package/"$APP"/tcp/6644/all="ACCEPT" \
	security/packetfilter/package/"$APP"/tcp/6644/all/en="$APP" \
	security/packetfilter/package/"$APP"/udp/6644/all="ACCEPT" \
	security/packetfilter/package/"$APP"/udp/6644/all/en="$APP"
# Regenerate and reload the iptables rule set so the new variables take effect.
[ -x "/etc/init.d/univention-firewall" ] &&
	invoke-rc.d univention-firewall restart
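The join-script snippet above works for one fixed port. An App that has to open several ports, or that has to close them again in its unjoin script, benefits from generating the UCR variables instead of spelling each one out. The following is an added example, not code from this page, from Univention or from the App Center: it builds the same security/packetfilter/package keys the page shows, validates the App ID and port before they end up in a UCR key name, and only calls univention-config-registry and the firewall restart when UCR is actually present on the machine (otherwise it just prints the rules). The function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Univention page or the App Center:
# helper functions for a join/unjoin script that build the packetfilter UCR
# variables for an App's ports. Function names are this example's own.

# Print the UCR key=value pairs that open PORT for each PROTO (tcp/udp) for APP.
# Key layout follows the page's join-script example:
#   security/packetfilter/package/<app>/<proto>/<port>/all=ACCEPT
#   security/packetfilter/package/<app>/<proto>/<port>/all/en=<description>
ucr_firewall_rules() {
    app="$1"; port="$2"; shift 2
    for proto in "$@"; do
        printf '%s\n' "security/packetfilter/package/$app/$proto/$port/all=ACCEPT"
        printf '%s\n' "security/packetfilter/package/$app/$proto/$port/all/en=$app"
    done
}

# Print only the key names, for the unjoin script that has to unset them again.
ucr_firewall_keys() {
    ucr_firewall_rules "$@" | sed 's/=.*$//'
}

# Only accept App IDs made of [a-z0-9_-]: anything else would end up in a UCR
# key name and, unquoted, on the shell command line below.
valid_app_id() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reject anything that is not a port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Regenerate and reload the iptables rule set, as the page's join script does.
restart_firewall() {
    if [ -x /etc/init.d/univention-firewall ]; then
        invoke-rc.d univention-firewall restart
    fi
}

# Join script: open APP's PORT for the given protocols. Without UCR on the
# machine (e.g. when trying the script elsewhere) only print the rules.
open_app_port() {
    app="$1"; port="$2"; shift 2
    valid_app_id "$app" || { echo "invalid app id: $app" >&2; return 1; }
    valid_port "$port"  || { echo "invalid port: $port" >&2; return 1; }
    rules=$(ucr_firewall_rules "$app" "$port" "$@")
    if command -v univention-config-registry >/dev/null 2>&1; then
        # word splitting is intended: validated keys and values contain no whitespace
        univention-config-registry set $rules && restart_firewall
    else
        printf '%s\n' "$rules"
    fi
}

# Unjoin script: remove the same variables again so the ports are closed.
close_app_port() {
    app="$1"; port="$2"; shift 2
    valid_app_id "$app" || { echo "invalid app id: $app" >&2; return 1; }
    valid_port "$port"  || { echo "invalid port: $port" >&2; return 1; }
    keys=$(ucr_firewall_keys "$app" "$port" "$@")
    if command -v univention-config-registry >/dev/null 2>&1; then
        univention-config-registry unset $keys && restart_firewall
    else
        printf '%s\n' "$keys"
    fi
}
```

In a join script the call is `open_app_port "$APP" 6644 tcp udp`, in the unjoin script `close_app_port "$APP" 6644 tcp udp`. After the restart, check on the host that the variables exist (`ucr search security/packetfilter/package/"$APP"`) and that the rule really is in the INPUT chain (`iptables -L INPUT -n | grep 6644`); a variable that was set but not followed by a firewall restart is the usual reason a port stays closed.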