Here are general principles for firewall configuration.
- Only allow public access to very few ports, like http (80), https (443), etc.
- For sshd (22), only selected source IPs may connect.
- DB ports, like mysql (3306) and elasticsearch (9200), are never exposed directly. Key members connect to them through an SSH tunnel.
- For traffic within the cluster, the default policy is always accept. Restricting it further would be nice but is not always practical: developers are usually too busy to list all traffic rules correctly and precisely, and even if they do, the rules change constantly.
Our first step is listing all TCP ports which are open to the world. If any of them violate the principles above, we raise an alert. Here we can use Nmap (Network Mapper), an open source tool for network exploration and security auditing.
# Install Nmap package
sudo apt-get install nmap
# Scan all TCP ports for a given host
sudo nmap -sS -PN 192.168.0.164
# === Run: sudo nmap -sS -PN 192.168.0.164
# Starting Nmap 6.40 ( http://nmap.org )
# Nmap scan report for 192.168.0.164
# Host is up (0.00051s latency).
# Not shown: 997 filtered ports
# PORT STATE SERVICE
# 22/tcp open ssh
# 80/tcp open http
# 443/tcp open https
In this post, we won't go into the detailed usage of Nmap, which is definitely a versatile tool. We want to run the check as fast as possible, so we use a TCP SYN scan (-sS) and skip host discovery (-PN), assuming the server is up.
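The "compare open ports against the principles and raise an alert" step is the part that has to be automated. The following script is an added example, not code from the original post: it parses Nmap's normal output (a constructed sample modelled on the report above, with an extra mysql port added to trigger an alert) and classifies each open port against the three rules. The port sets PUBLIC_OK, RESTRICTED and NEVER_PUBLIC, the scanner_is_trusted flag and the function names are assumptions chosen for this example.

```python
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample of Nmap "normal" output, modelled on the report in the post,
# with a 3306/tcp line added so that the policy check has something to flag.
SAMPLE_REPORT = """\
Starting Nmap 6.40 ( http://nmap.org )
Nmap scan report for 192.168.0.164
Host is up (0.00051s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
"""

# Policy tables (assumed for this example; adjust to your own environment).
PUBLIC_OK = {80, 443}          # may be open to the world
RESTRICTED = {22}              # allowed only when the scan came from a selected source IP
NEVER_PUBLIC = {3306, 9200}    # DB ports: reach them over an SSH tunnel instead

PORT_LINE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S*)")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")


@dataclass
class OpenPort:
    port: int
    state: str
    service: str


def parse_nmap_report(text):
    """Return (host, [OpenPort, ...]) for the ports Nmap reports as open."""
    host = None
    ports = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m and m.group(2) == "open":
            ports.append(OpenPort(int(m.group(1)), m.group(2), m.group(3)))
    return host, ports


def check_policy(host, ports, scanner_is_trusted=False):
    """Compare the open ports against the firewall principles; return alert strings.

    scanner_is_trusted says whether the scan was run from one of the selected
    source IPs that are allowed to reach sshd; from anywhere else, a reachable
    22/tcp is itself a finding.
    """
    alerts = []
    for p in ports:
        if p.port in PUBLIC_OK:
            continue
        if p.port in RESTRICTED:
            if not scanner_is_trusted:
                alerts.append(f"{host}: {p.port}/tcp ({p.service}) reachable from an untrusted source")
            continue
        if p.port in NEVER_PUBLIC:
            alerts.append(f"{host}: {p.port}/tcp ({p.service}) is a DB port and must not be exposed")
            continue
        alerts.append(f"{host}: {p.port}/tcp ({p.service}) open but not in the allowlist")
    return alerts


def audit(report_text, scanner_is_trusted=False):
    """Parse one Nmap report and return the list of policy alerts (empty = compliant)."""
    host, ports = parse_nmap_report(report_text)
    return check_policy(host, ports, scanner_is_trusted)


if __name__ == "__main__":
    # With a host argument, run the same scan as in the post (-sS needs root,
    # so invoke this script with sudo); otherwise audit the constructed sample.
    if len(sys.argv) > 1:
        result = subprocess.run(["nmap", "-sS", "-PN", sys.argv[1]],
                                capture_output=True, text=True, check=True)
        report = result.stdout
    else:
        report = SAMPLE_REPORT
    for alert in audit(report):
        print("ALERT:", alert)
```

Run from a machine that is not one of the selected SSH source IPs, the sample yields two alerts (22/tcp reachable, 3306/tcp exposed); with scanner_is_trusted=True only the mysql finding remains. Note that a single scan only tells you what is reachable from where the scanner sits, so the sshd rule is best verified by scanning from both a trusted and an untrusted vantage point.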
By default Nmap scans the top 1000 most popular ports, according to statistics generated from Internet-wide scans and large internal network scans from the summer of 2008. We may have some extra ports to scan. Here is how:
# Check certain TCP ports
sudo nmap -p T:9200-9500,8090-8100 \