What open ports are required on firewall to allow for salt-stack remote execution?
The documentation on saltstack appears to be unclear regarding what ports are required from the salt-master -> salt-minion (apparently none are required). It suggests that ports only need to be opened from the salt-minion -> salt-master. (See: http://docs.saltstack.com/en/latest/topics/tutorials/firewall.html)

If, however, commands are executed remotely on the salt-master targeted to a minion, surely the master needs to be able to push this into the minion and therefore requires a network opening to allow for this.

Therefore my question is whether the saltstack ports (4505 & 4506) need to be opened in both directions, or whether the remote commands are triggered over another protocol?

[A bit of background: My team wants a salt-stack setup to manage a server landscape in quite a restrictive network where each individual network route needs to be requested in the security concept. This is not controlled by our company and I need to explicitly request all required routes, in each direction.]

Disqualify answered 5/6, 2015 at 16:30

Salt uses a zeromq pub/sub interface to communicate with the minions. Indeed, you only need to open ports 4505 and 4506 on the master's firewall.

The minions listen on one port on the master, which is the "pub" port, and then return results to the master on the other port.

The master never actually "pushes" commands to the minions. The minions listen for commands published on the pub port, which is why you don't need to open any incoming ports on your minions.

Ido answered 6/6, 2015 at 18:36
Just a comment. From a firewall's point of view, there is no zeromq pub/sub interface. There are only ports with incoming or outgoing packets. If only the master opens its ports, it technically means that only the master can possibly listen for incoming connections (and reply back to minions over the established connection). So, there is also no such thing as listening minions (as they cannot possibly work that way because their ports are closed on the firewall). (Melbamelborn)

This seems to assume that the default outgoing policy is to allow all traffic, but that is not true for all environments. Some environments set the default outgoing policy on their clients to drop, so you would have to allow outgoing traffic on the minions to ports 4505 and 4506 on the master. (Ashtonashtonunderlyne)
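As an added example (not part of the thread or of Salt's own documentation), a small script that emits nftables rules for each role following the direction described in the answer and the egress-drop caveat raised in the comments: the master accepts inbound connections on 4505/4506 only, and a minion whose default outgoing policy is drop allows outbound connections to those two ports on the master. The master address 192.0.2.10 is a constructed placeholder, and the fragments are meant to be merged into whatever chain policy the site already uses.

```shell
#!/bin/sh
# Added example, not from the thread: emit nftables rules for one Salt role.
# Ports 4505 (pub) and 4506 (ret) are the Salt defaults named in the thread;
# the master address is a constructed placeholder. Only the minion opens
# connections, so the master needs inbound rules, the minion outbound ones.

salt_rules() {
    role="$1"       # "master" or "minion"
    master_ip="$2"  # master address, placeholder 192.0.2.10 below
    case "$role" in
        master)
            cat <<EOF
table inet salt {
    chain input {
        type filter hook input priority 0;
        # minions connect to these two ports; nothing is opened toward them
        tcp dport { 4505, 4506 } accept
    }
    chain output {
        type filter hook output priority 0;
        # replies to minions ride the connections the minions opened
        ct state established,related accept
    }
}
EOF
            ;;
        minion)
            cat <<EOF
table inet salt {
    chain output {
        type filter hook output priority 0;
        # the minion dials out to the master's pub and ret ports
        ip daddr $master_ip tcp dport { 4505, 4506 } accept
    }
    chain input {
        type filter hook input priority 0;
        # only replies on those established connections come back in
        ct state established,related accept
    }
}
EOF
            ;;
        *)
            echo "usage: salt_rules master|minion <master_ip>" >&2
            return 1
            ;;
    esac
}

salt_rules master 192.0.2.10
salt_rules minion 192.0.2.10
```

Save each role's output to a file and load it with `nft -f` on the matching host once the site's own default policies have been added to the chains.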
