Hi,

On Mon, Feb 26, 2024 at 5:03 PM Zdravko Nikolaev via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hello everyone,
>
> I've looked up old threads and tried to find some applicable solution but
> I'm kind of stuck so any advice would be appreciated.
>
> I'm trying to deploy a new FreeIPA installation, currently running on
> CentOS 9 Stream. I'm using iptables for the firewall and I have allowed only
> certain IPs and ports. My idea was to block ports 80 and 443 for the whole
> world and allow only certain IPs via the httpd config file by adding
> "Require IP 1.1.1.1" (example IP) inside the <Directory "/var/www"> and
> <Directory "/var/www/html"> blocks. That worked and I'm able to access the
> main page from that IP while other IPs are not loading at all; however,
> when I try to log in, the authentication process is not going through.
>
> Example log of fail:
> [remote 1.1.1.1:60676] ipa: INFO: 401 Unauthorized:
> HTTPConnectionPool(host='test.com', port=80): Max retries exceeded with
> url: /ipa/session/cookie (Caused by
> NewConnectionError('<urllib3.connection.HTTPConnection object at
> 0x7ffb12100d60>: Failed to establish a new connection: [Errno 110]
> Connection timed out'))
>
> For iptables I have a script inputting the rules, which looks like this:
> /sbin/iptables -F
> /sbin/iptables -A INPUT -s 127.0.0.0/24 -j ACCEPT
> /sbin/iptables -A INPUT -s 1.1.1.1 -j ACCEPT
> iptables -A INPUT -p tcp --dport 389 -j ACCEPT
> iptables -A INPUT -p udp --dport 389 -j ACCEPT
> iptables -A INPUT -p tcp --dport 636 -j ACCEPT
> iptables -A INPUT -p tcp --dport 88 -j ACCEPT
> iptables -A INPUT -p udp --dport 88 -j ACCEPT
> /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -j DROP
> /sbin/iptables-save
>
> The question is, how do I keep ports 80 and 443 (web access in general)
> restricted to certain IPs only and not the whole world, while still being
> able to use all functionality of the FreeIPA server, like logging in and
> working with the graphical UI?
> *I have installed our own verified SSL certificate
>
> Also, for the ports, do I need to have 389, 636 and 88 open all the time,
> and how secure are the services behind those ports?
>

The installation guide lists all the required ports in the section Port
requirements for IdM
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/installing_identity_management/preparing-the-system-for-ipa-server-installation_installing-identity-management#port-requirements-for-idm_preparing-the-system-for-ipa-server-installation>.
All the ports listed there are mandatory.
Regarding security, the note in the same chapter also explains the
following:
----- 8< -----

IdM uses ports 80 and 389. This is a secure practice because of the
following safeguards:

   - IdM normally redirects requests that arrive on port 80 to port 443.
   Port 80 (HTTP) is only used to provide Online Certificate Status Protocol
   (OCSP) responses and Certificate Revocation Lists (CRL). Both are digitally
   signed and therefore secured against man-in-the-middle attacks.
   - Port 389 (LDAP) uses STARTTLS and Generic Security Services API
   (GSSAPI) for encryption.

----- 8< -----

HTH,
flo



>
> Any input would be appreciated.
> Thank you
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
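As an added illustration (not code from the thread or from the FreeIPA project), the script below generates an iptables INPUT ruleset that keeps 80/443 limited to an allow-list while leaving the other IdM ports reachable, which is the split the question asks for. It assumes the port list from the "Port requirements for IdM" section linked in the reply (389/636 TCP for LDAP, 88/464 TCP and UDP for Kerberos), and it assumes, consistent with the quoted log line showing the server connecting to host='test.com' port 80 and timing out, that the server's own requests to its FQDN arrive from its public address rather than from loopback and therefore also need an ACCEPT rule. `SERVER_IP` is a constructed placeholder; the admin IP reuses the example value from the question.

```shell
#!/bin/sh
# Added example, not from the thread: print an iptables ruleset for an IdM
# server with the web UI restricted to an allow-list. Review the output,
# then apply with:  gen_rules | sh && /sbin/iptables-save
ADMIN_IPS="${ADMIN_IPS:-1.1.1.1}"          # hosts allowed to use the web UI (example IP from the question)
SERVER_IP="${SERVER_IP:-198.51.100.10}"    # constructed placeholder: the address the server's own FQDN resolves to
IPT="${IPT:-/sbin/iptables}"

# Ports every IdM server must expose to clients and replicas (assumed from the
# linked RHEL "Port requirements for IdM" table). Add 53 TCP/UDP if the server
# runs integrated DNS and 123 UDP if it serves NTP.
TCP_OPEN="389 636 88 464"
UDP_OPEN="88 464"
# Web ports restricted to ADMIN_IPS plus the server itself.
WEB_PORTS="80 443"

gen_rules() {
    echo "$IPT -F INPUT"
    # Match loopback by interface: 127.0.0.0/24 only covers part of 127.0.0.0/8.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    for p in $WEB_PORTS; do
        # The IPA framework calls its own FQDN (e.g. /ipa/session/cookie on
        # port 80); that traffic arrives from SERVER_IP, so allow it as well.
        for src in $SERVER_IP $ADMIN_IPS; do
            echo "$IPT -A INPUT -p tcp -s $src --dport $p -j ACCEPT"
        done
    done
    for p in $TCP_OPEN; do echo "$IPT -A INPUT -p tcp --dport $p -j ACCEPT"; done
    for p in $UDP_OPEN; do echo "$IPT -A INPUT -p udp --dport $p -j ACCEPT"; done
    # Everything else, including 80/443 from the rest of the world, is dropped.
    echo "$IPT -A INPUT -j DROP"
}

# Number of generated rules admitting <src> to TCP <port>; used to check the
# ruleset before applying it. usage: count_web_rules <src> <port>
count_web_rules() {
    gen_rules | grep -c -- "-s $1 --dport $2 -j ACCEPT"
}

gen_rules
```

The `Require ip` lines in the httpd configuration can stay as a second layer, but they must also admit `SERVER_IP`, otherwise the same self-request is refused by Apache instead of being dropped by the firewall.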