I'm having some trouble determining which ports my servers need open to communicate and what ports client servers and users will need. The last documentation that I was able to find was included in Fedora 15 (http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html). I opened those ports with firewalld, but I encountered errors when joining my replica server. (I retried the replica install with firewalld, and it succeeded, so it's clearly a problem with the firewall settings.)
I'm joining the wave of the future, so please excuse the firewalld XML, but it should be pretty obvious. All of the services are built into firewalld, except "dogtag", which I made myself and is defined at the end.

<?xml version="1.0" encoding="utf-8"?>
<!-- zone rich rules; the enclosing <zone> element is shown so the file is complete -->
<zone>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="http"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="https"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="dogtag"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="dns"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="kerberos"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="kpasswd"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ldap"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ldaps"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ntp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>

Services dns, kerberos, and kpasswd are TCP+UDP. Service ntp is UDP only. The others are TCP only.

=========
services/dogtag.xml:

<?xml version="1.0" encoding="utf-8"?>
<!-- custom firewalld service for the Dogtag CA ports; TCP only -->
<service>
  <port protocol="tcp" port="9180"/>
  <port protocol="tcp" port="9443"/>
  <port protocol="tcp" port="9444"/>
  <port protocol="tcp" port="9445"/>
  <port protocol="tcp" port="9446"/>
  <port protocol="tcp" port="9701"/>
  <port protocol="tcp" port="7389"/>
</service>
=========

On a side note, it would be nice if the firewalld packagers included a freeipa-server service (nudge nudge).

Thanks,
Justin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
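A practical way to check a configuration like the one above is to expand the zone's rich rules into the concrete protocol/port pairs they admit and diff that against whatever port list the documentation calls for. The following script is an added example, not part of the post or of FreeIPA or firewalld; it parses the same `<rule>`/`<service>`/`<port>` XML shapes firewalld uses. The service definitions embedded in it are constructed stand-ins for firewalld's built-in files (the well-known ports for http, https, dns, kerberos, kpasswd, ldap, ldaps, ntp and ssh, with the TCP/UDP split the post describes) plus the dogtag service from the post; on a real host you would read the files under /usr/lib/firewalld/services/ and /etc/firewalld/services/ instead.

```python
"""Expand firewalld zone rich rules into (source, protocol, port) triples so a
zone can be audited offline against a required port list.

All XML below is constructed for this example. The zone mirrors the rich rules
from the post; the service definitions are stand-ins for firewalld's built-in
service files, carrying the well-known port numbers.
"""
import xml.etree.ElementTree as ET

# Stand-in service definitions (constructed). Real files live in
# /usr/lib/firewalld/services/<name>.xml and use the same <service>/<port> shape.
SERVICE_XML = {
    "http":     '<service><port protocol="tcp" port="80"/></service>',
    "https":    '<service><port protocol="tcp" port="443"/></service>',
    "dns":      '<service><port protocol="tcp" port="53"/><port protocol="udp" port="53"/></service>',
    "kerberos": '<service><port protocol="tcp" port="88"/><port protocol="udp" port="88"/></service>',
    "kpasswd":  '<service><port protocol="tcp" port="464"/><port protocol="udp" port="464"/></service>',
    "ldap":     '<service><port protocol="tcp" port="389"/></service>',
    "ldaps":    '<service><port protocol="tcp" port="636"/></service>',
    "ntp":      '<service><port protocol="udp" port="123"/></service>',
    "ssh":      '<service><port protocol="tcp" port="22"/></service>',
    # The custom service exactly as the post defines it.
    "dogtag": """<service>
        <port protocol="tcp" port="9180"/><port protocol="tcp" port="9443"/>
        <port protocol="tcp" port="9444"/><port protocol="tcp" port="9445"/>
        <port protocol="tcp" port="9446"/><port protocol="tcp" port="9701"/>
        <port protocol="tcp" port="7389"/></service>""",
}

# Zone rich rules matching the post, one accept rule per service.
ZONE_XML = "<zone>" + "".join(
    f'<rule family="ipv4"><source address="192.168.0.0/16"/>'
    f'<service name="{name}"/><accept/></rule>'
    for name in ("http", "https", "dogtag", "dns", "kerberos",
                 "kpasswd", "ldap", "ldaps", "ntp", "ssh")
) + "</zone>"


def _port_range(spec):
    """firewalld allows port="9443" or port="9443-9446"; expand both to ints."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def service_ports(xml_text):
    """Return {(protocol, port)} declared by one <service> definition."""
    root = ET.fromstring(xml_text)
    return {(p.get("protocol"), port)
            for p in root.findall("port")
            for port in _port_range(p.get("port"))}


def expand_zone(zone_xml, service_defs):
    """Return {(source_cidr, protocol, port)} for every accepting rich rule.

    A rule that names a service with no definition raises KeyError, so a typo in
    a service name surfaces instead of silently admitting nothing.
    """
    allowed = set()
    for rule in ET.fromstring(zone_xml).findall("rule"):
        if rule.find("accept") is None:
            continue                      # drop/reject rules admit nothing
        src = rule.find("source")
        cidr = src.get("address") if src is not None else "0.0.0.0/0"
        for svc in rule.findall("service"):
            name = svc.get("name")
            if name not in service_defs:
                raise KeyError(f"rule references undefined service {name!r}")
            for proto, port in service_ports(service_defs[name]):
                allowed.add((cidr, proto, port))
        for p in rule.findall("port"):    # rich rules may also list raw ports
            for port in _port_range(p.get("port")):
                allowed.add((cidr, p.get("protocol"), port))
    return allowed


def missing_ports(required, allowed):
    """required: iterable of (protocol, port); returns the pairs no rule admits."""
    open_pairs = {(proto, port) for _, proto, port in allowed}
    return sorted(set(required) - open_pairs)


if __name__ == "__main__":
    allowed = expand_zone(ZONE_XML, SERVICE_XML)
    for cidr, proto, port in sorted(allowed, key=lambda t: (t[1], t[2])):
        print(f"{cidr:16} {proto:4} {port}")
    # Feed in whatever list the documentation you trust gives; here the
    # TCP+UDP pairs the post itself enumerates.
    wanted = [("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88),
              ("tcp", 464), ("udp", 464), ("udp", 123)]
    print("missing:", missing_ports(wanted, allowed))
```

Pointing `expand_zone` at the real zone file and a dictionary built from the real service files gives the effective allow list for one zone; comparing that against the port list from the documentation shows exactly which pairs a replica or client would be unable to reach, which is the question a failed replica join leaves open.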