Micro Focus Filr: Firewall settings for reverse proxy and other scenarios need to be enhanced and allow only specify source addresses

In case of reverse proxy scenarios / ssl offload scenarios it is useful to block any access to filr ports from other source addresses than from the reverse proxy.
(do not allow to access clear text port 80/8080 from other sources than from the reverse proxy addresses)
This is not possible in an officially supported way.

Same requirement for firewall security is true for memcache, lucene, mysql ports...

Memcache, lucene and mysql should only be reachable from the ip addresses of the filr frontends!

The firewall configuration on :9443 should allow detailed configuration from which source address access to which port should be allowed. The default should be specified for the internal filr communication processes only.

On some of the latest deployments we have also realized that port 7777 is configured to be open in "/etc/sysconfig/SuSEfirewall2" but it is not listed in the firewall configuration at :9443 and it is also not documented.

Benefit: higher security.

by: Martin W. | over a year ago | Administration

Micro Focus Enhancement Requests Portal is moving. We are migrating the IDEAS from this site to the New Idea Exchange on May 6th. For more information on the new Idea Exchange please visit the Community FAQs.

4

Firewall settings for reverse proxy and other scenarios need to be enhanced and allow only specify source addresses

Comments