Firewall Setup

You'll need to ensure the [ComTech] firewalls are configured to allow communication between your hosts and the CSI Build system.

You’ll need to ensure that hosts can reach the installation and configuration management servers. Usually, this only needs to be done once per VLAN/firewall context.

We keep track of which subnets are known to work with Foreman under the Infrastructure -> Subnets | Parameters menu.

Requesting Firewall Rules

ComTech has a web form, the ComTech Firewall Request Tool, for requesting firewall changes. You must be an identified LAN Administrator to make such a request.

Determine your SOURCE

It is good practice to request rules subnet to subnet rather than for individual hosts. Host IPs often change, or additional hosts are required later, and a subnet rule covers both without a new request.

To determine the CIDR format for your subnet, do the following:

  • Login to Infoblox/Hostreg
  • Search for an IP address in your subnet (upper right hand corner)
  • Just below the navigation tabs at the top of the screen, you will see a trail of “breadcrumbs”. Your CIDR is the entry just before the IP address for which you just searched.
[Screenshot: Infoblox, with the CIDR of the network highlighted in the breadcrumb trail]

The destination subnets are fixed.

The Foreman/Puppet servers are located in VLAN 2142, so always use 152.7.106.0/23 as your destination network.

The ports

Once you’ve filled in the source and destination in the firewall tool, you’ll need to “add” the following three entries.

Puppet uses TCP port 8140 to communicate with its agents, and Foreman needs to deliver configuration information on both the http:// (80) and https:// (443) ports.

Protocol   Port Range   Business Justification
TCP        80           Kickstart Configuration
TCP        443          Kickstart Configuration
TCP        8140         Puppet Master

You can use the following as a template to make your requests via the ComTech Firewall Request Tool.

[Screenshot: ComTech Firewall Request Tool, filled in with the entries above]

Ports for PXE

If you are installing hosts with PXE, you need to ensure that the Foreman server, as well as the TFTP hosts holding the boot files, are accessible.

The TFTP servers currently reside in VLAN 30, though they are scheduled to move to a firewalled VLAN. Be sure that you don’t have any blocks stopping TFTP on udp/69.

It is extremely rare for a subnet on campus to not be properly configured for PXE booting.

Ports for Foreman “Smart Proxies”

If you are establishing a Foreman “smart proxy” in one of your networks, you will need to allow tcp/8443 from our servers in 152.7.106.0/23 (source) to your network (destination).

Note that this is in addition to the rules above, and that the source and destination networks are reversed.
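As an added helper and check (example code, not part of this page or of Foreman itself), the script below builds the subnet-to-subnet entries from the table above plus the reversed smart-proxy rule, and tests from a host whether the required TCP ports toward 152.7.106.0/23 actually connect once the rules are in place. The Foreman server address in it is a placeholder assumption, not a real server from this page.

```python
"""Build the subnet-to-subnet rule list this page asks you to request and
check from a host whether the required TCP ports are actually open.
Added example, not part of the original page or of Foreman itself."""
import ipaddress
import socket

# Destination network of the Foreman/Puppet servers (from the page).
FOREMAN_NET = ipaddress.ip_network("152.7.106.0/23")
# Ports the page asks for, hosts -> Foreman, with the business justification.
REQUIRED_PORTS = {80: "Kickstart Configuration",
                  443: "Kickstart Configuration",
                  8140: "Puppet Master"}
SMART_PROXY_PORT = 8443  # reverse direction: Foreman -> your smart proxy


def source_cidr(host_ip, mask_or_prefix):
    """Turn one host address plus its netmask (or prefix length) into the
    subnet CIDR, so the request covers the whole subnet, not one host."""
    return str(ipaddress.ip_interface(f"{host_ip}/{mask_or_prefix}").network)


def rule_requests(source_cidr_str, smart_proxy=False):
    """Return (source, destination, protocol, port, justification) tuples
    to enter into the firewall request tool, one per required entry."""
    rules = [(source_cidr_str, str(FOREMAN_NET), "TCP", port, why)
             for port, why in REQUIRED_PORTS.items()]
    if smart_proxy:
        # The smart-proxy rule runs the other way: Foreman -> your network.
        rules.append((str(FOREMAN_NET), source_cidr_str, "TCP",
                      SMART_PROXY_PORT, "Foreman Smart Proxy"))
    return rules


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout.
    A refusal, a reset or a silent drop (timeout) all count as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports=REQUIRED_PORTS, timeout=3.0):
    """Map each required port to whether this host can reach it on `host`.
    Run from a host in the source subnet after the rules are in place."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


if __name__ == "__main__":
    FOREMAN_HOST = "152.7.106.1"  # placeholder; use a real server in 152.7.106.0/23
    for port, ok in check_ports(FOREMAN_HOST).items():
        print(f"tcp/{port} {REQUIRED_PORTS[port]}: {'open' if ok else 'BLOCKED'}")
```

A port reported as BLOCKED after the request was approved usually means a block on the host itself or a rule filed with the wrong source CIDR, so compare the output of source_cidr against the Infoblox breadcrumb before re-filing.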

Tags: firewall