Cool Solutions

Imaging within subnet with firewall on ZENworks Linux Primary Server enabled

By: Arun Prakash Jana

May 19, 2015 9:07 am


Setting up the firewall on a Linux Primary Server so that all ZENworks Imaging traffic gets through can be tricky, because some of these services use dynamic ports. This article explains the firewall configuration required on a Primary Server for the ZENworks Imaging services. Each service and the ports it needs are explained first, followed by a sample configuration for a SLES 11 SP3 Primary Server. If your server runs another OS you will have to adapt the rules accordingly.

Note that the rules apply to imaging operations within the same subnet, with the server and client reachable from each other in a single hop, i.e. directly connected over a single switch or hub. A server and client on different networks (for example with a DHCP relay in between) may need additional configuration, which is not covered in this article.

Ports used by ZENworks Imaging Services

  • Novell ZENworks Imaging Service
    TCP port 998 for communicating with Imaging client devices.
    TCP port 443 to fetch licensing related information.
  • Novell Proxy DHCP Daemon
    UDP port 67 when no DHCP server is running on the same device.
    UDP port 4011 when a DHCP server is also running on the same device (the proxy DHCP daemon moves to 4011 so that the two do not collide on port 67).
    Port 67 (bootps) for broadcast packets.
  • Novell TFTP Daemon
    UDP port 69 to communicate with clients.
  • Novell ZENworks Preboot Policy Daemon
    UDP port 13331 to communicate with client devices during PXE boot.
    Requires allowing packets from client devices originating from (source port) UDP port 12050.
  • Multicast Imaging Service
    Requires allowing packets from client devices originating from (source ports) UDP ports 997 and 999.

Sample configuration for SLES 11 SP3

Open /etc/sysconfig/SuSEfirewall2 and add (or append) the ports for Imaging services in the corresponding settings:

FW_SERVICES_EXT_TCP="443 998"
FW_SERVICES_EXT_UDP="67 69 4011 13331"
FW_SERVICES_ACCEPT_EXT="0/0,udp,,997 0/0,udp,,999 0/0,udp,,12050"
FW_ALLOW_FW_BROADCAST_EXT="bootps"

In iptables lingo

# Novell ZENworks Imaging Service
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 998 -j ACCEPT
# Novell Proxy DHCP Daemon and Novell TFTP Daemon
iptables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 69 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4011 -j ACCEPT
# Novell ZENworks Preboot Policy Daemon (port 13331, client source port 12050)
iptables -A INPUT -p udp -m udp --dport 13331 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 12050 -j ACCEPT
# Multicast Imaging Service (client source ports 997 and 999)
iptables -A INPUT -p udp -m udp --sport 997 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 999 -j ACCEPT
# DHCP/PXE broadcasts; a PXE client has no IP address yet, so do not add a source match here
iptables -A INPUT -p udp -m pkttype --pkt-type broadcast -m udp --dport 67 -j ACCEPT

Be aware that the three --sport rules, like the matching FW_SERVICES_ACCEPT_EXT entries with 0/0 as the network, accept UDP to any destination port on the server from any host that sends from source port 997, 999 or 12050, and a sender chooses its source port freely. Add -s <imaging subnet> to those rules (or put the subnet in the network field of the FW_SERVICES_ACCEPT_EXT entries instead of 0/0) to limit that exposure to the subnet the imaging clients are on.
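The check a practitioner would want before restarting the firewall, as an added example that is not part of the original article: a POSIX shell script that reads a SuSEfirewall2 configuration file and reports any of the imaging ports listed above that are missing from FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP, FW_SERVICES_ACCEPT_EXT or FW_ALLOW_FW_BROADCAST_EXT, and that prints the equivalent iptables rules restricted to an imaging subnet so the source-port matches are not reachable from arbitrary hosts. The port lists, the function names check_suse_fw_config and emit_iptables_rules, the sample subnet 192.0.2.0/24 and the constructed configuration written to a temporary file are assumptions of this example, not anything from ZENworks or SuSEfirewall2. The script sources the configuration file, as SuSEfirewall2 itself does, so only point it at files you administer.

```shell
#!/bin/sh
# Added example, not from the original article: audit a SuSEfirewall2 config
# for the ZENworks Imaging ports described above and emit equivalent
# iptables rules limited to the imaging subnet.

# Ports taken from the article's list (assumed complete for this example).
IMAGING_TCP="443 998"              # imaging service, licensing
IMAGING_UDP="67 69 4011 13331"     # proxy DHCP, TFTP, preboot policy
IMAGING_SPORTS="997 999 12050"     # client source ports that must be accepted

# has_word WORD "LIST": succeed if WORD is a whitespace-separated member of LIST.
has_word() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# check_suse_fw_config FILE: source FILE in a subshell (SuSEfirewall2 sources
# it the same way, so only use files you administer), print every imaging
# entry that is missing, and return 1 if anything is missing, else 0.
check_suse_fw_config() {
    (
        FW_SERVICES_EXT_TCP=""; FW_SERVICES_EXT_UDP=""
        FW_SERVICES_ACCEPT_EXT=""; FW_ALLOW_FW_BROADCAST_EXT=""
        . "$1"
        missing=0
        for p in $IMAGING_TCP; do
            has_word "$p" "$FW_SERVICES_EXT_TCP" ||
                { echo "missing: tcp dport $p in FW_SERVICES_EXT_TCP"; missing=1; }
        done
        for p in $IMAGING_UDP; do
            has_word "$p" "$FW_SERVICES_EXT_UDP" ||
                { echo "missing: udp dport $p in FW_SERVICES_EXT_UDP"; missing=1; }
        done
        # FW_SERVICES_ACCEPT_EXT entries have the form net,proto,dport,sport[,flags];
        # only the sport field is matched here, so any net and any dport count.
        for p in $IMAGING_SPORTS; do
            found=1
            for entry in $FW_SERVICES_ACCEPT_EXT; do
                case "$entry" in
                    *,udp,*,"$p"|*,udp,*,"$p",*) found=0 ;;
                esac
            done
            [ "$found" -eq 0 ] ||
                { echo "missing: udp sport $p in FW_SERVICES_ACCEPT_EXT"; missing=1; }
        done
        has_word bootps "$FW_ALLOW_FW_BROADCAST_EXT" ||
            { echo "missing: bootps in FW_ALLOW_FW_BROADCAST_EXT"; missing=1; }
        exit "$missing"
    )
}

# emit_iptables_rules SUBNET: print iptables commands equivalent to the
# SuSEfirewall2 settings, with every unicast rule restricted to SUBNET so the
# source-port matches do not expose every UDP service on the server to
# arbitrary hosts. The broadcast rule is left unrestricted on purpose: a PXE
# client sends its first DHCP packets from 0.0.0.0 before it has an address.
emit_iptables_rules() {
    net="$1"
    for p in $IMAGING_TCP; do
        echo "iptables -A INPUT -s $net -p tcp -m tcp --dport $p -j ACCEPT"
    done
    for p in $IMAGING_UDP; do
        echo "iptables -A INPUT -s $net -p udp -m udp --dport $p -j ACCEPT"
    done
    for p in $IMAGING_SPORTS; do
        echo "iptables -A INPUT -s $net -p udp -m udp --sport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp -m pkttype --pkt-type broadcast -m udp --dport 67 -j ACCEPT"
}

# Demo on a constructed config that mirrors the article's sample settings
# (assumption: a real /etc/sysconfig/SuSEfirewall2 lists more services).
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
FW_SERVICES_EXT_TCP="443 998"
FW_SERVICES_EXT_UDP="67 69 4011 13331"
FW_SERVICES_ACCEPT_EXT="0/0,udp,,997 0/0,udp,,999 0/0,udp,,12050"
FW_ALLOW_FW_BROADCAST_EXT="bootps"
EOF
if check_suse_fw_config "$tmp"; then
    echo "config covers all imaging ports; equivalent subnet-restricted rules:"
    emit_iptables_rules 192.0.2.0/24
fi
rm -f "$tmp"
```

Run it as `sh check-imaging-fw.sh` on the Primary Server, or call `check_suse_fw_config /etc/sysconfig/SuSEfirewall2` from another script; a non-zero exit with the missing entries listed tells you what to add before `rcSuSEfirewall2 restart`. The emitted rules are printed rather than applied so they can be reviewed and the subnet adjusted first.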

Categories: Technical, ZENworks Configuration Management


Disclaimer: This content is not supported by Micro Focus. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.
