Firewall Policy and OpenNMS

From OpenNMS

Description

This document is meant to be a fairly exhaustive list of the TCP and UDP ports and ICMP messages used by a new installation of OpenNMS. Note that in environments that make heavy use of OpenNMS, many more ports may be in use than the ones listed here. In other environments, the ports actually in use may be a very small subset of those listed. This document is not a substitute for traffic analysis or tedious meetings, though it is hoped that having this document in hand will shorten some of those meetings. OpenNMS can be applied in many different ways and is extremely configurable; collaboration between OpenNMS administrators and firewall administrators is crucial to effective management of resources in a network that includes firewalls.

Column Legend

Description 
A short name of the application described
Port / Type 
The numeric port (TCP and UDP) or message type (ICMP) described
Outbound? 
Whether connections initiated by the OpenNMS server and bound for managed nodes need to be allowed
Inbound? 
Whether connections initiated by managed nodes and bound for the OpenNMS server need to be allowed
Stateful? 
Whether the firewall rule allowing this type of traffic should typically be configured to be "stateful" or to "keep state"
Core? 
Whether disallowing the traffic described is likely to have a negative impact on the core functionality of a "typical" OpenNMS installation; think three times before dropping or rejecting these types of traffic
Comments 
Notes on the traffic described

UDP Ports

| Description | Port | Outbound? | Inbound? | Stateful? | Core? | Comments |
|-------------|------|-----------|----------|-----------|-------|----------|
| DNS | 53 | Yes | No | Yes | Yes | Used by the DnsMonitor for service polling of DNS name servers; required only for those servers on which the DNS service is monitored. Also used for normal name resolution by some monitor classes. |
| SNMP | 161 | Yes | No | Yes | Yes | Used for performance data collection. May also be used for some types of service polling. Normally should be allowed to all managed nodes. |
| SNMP Trap | 162 | No | Yes | No* | Yes | Traps are unsolicited messages from an agent to a manager. Normally should be allowed from all managed nodes. *See also SNMP Inform. |
| SNMP Inform | 162 | No | Yes | Yes | Yes | Informs use the same port as traps, but are less ubiquitous. Informs require stateful rules, since the manager must reply with an acknowledgement of receipt. |
| Syslog | 514 | No* | Yes | No | Yes | Inbound needed only if OpenNMS Syslogd is enabled for creating events from syslog messages. *Outbound needed only to selected hosts if OpenNMS notifications are sent via syslog. |

TCP Ports

| Description | Port | Outbound? | Inbound? | Stateful? | Core? | Comments |
|-------------|------|-----------|----------|-----------|-------|----------|
| FTP | 21 | Yes | No | Yes | No | Used by FtpMonitor for service monitoring. Need be allowed only to designated FTP servers managed by OpenNMS. |
| SSH | 22 | Yes | No | Yes | No | Used by SshMonitor for service monitoring. |
| Telnet | 23 | Yes | No | Yes | No | Typically not polled by OpenNMS, as legacy devices that support telnet are often fragile. |
| SMTP | 25 | Yes | No | Yes | Yes | Used by SmtpMonitor and MailTransportMonitor for service monitoring; need only be allowed to SMTP servers. Also used by Notifd for e-mail delivery of notifications, normally via a smart SMTP relay. |
| HTTP | 80 | Yes | Sometimes | Yes | Sometimes | Used by HttpMonitor and PageSequenceMonitor for service monitoring; sometimes used by Notifd for delivery of notifications via a web service or help-desk web form. The OpenNMS web UI is commonly served on this port. |
| POP3 | 110 | Yes | No | Yes | No | Used by Pop3Monitor and MailTransportMonitor for service monitoring; need only be allowed to POP3 servers. |
| IMAP | 143 | Yes | No | Yes | No | Used by ImapMonitor and MailTransportMonitor for service monitoring; need only be allowed to IMAP servers. |
| HTTPS | 443 | Yes | Sometimes | Yes | Sometimes | Used by HttpsMonitor and PageSequenceMonitor for service monitoring; sometimes used by Notifd for delivery of notifications via a web service or help-desk web form. The OpenNMS web UI is sometimes served on this port. |
| RMI | 1099 | Yes | Yes | Yes | Yes | Used by remote location pollers (which may run on servers or desktops throughout a network and on the Internet) to register themselves with the OpenNMS server; used by the Jsr160Collector (JMX) to connect to monitored Java application servers for performance data collection. Inbound access should be restricted to the addresses of known remote pollers rather than opened to the whole Internet. |
| RMI | 1199 | No | Yes | Yes | Yes | Used by the Remote Poller Backend for communications with running remote monitors, which may be located anywhere on the network. Restrict inbound access to known remote pollers. |
| NSClient | 1248 | Yes | No | Yes | Yes | Nagios agent. Sometimes used for performance data collection and service polling on managed Windows systems. |
| OpenManage | 1311 | Yes | No | Yes | No | Used to discover the Dell OpenManage agent on managed nodes. Usually only discovered, not monitored. |
| TDS/MSSQL | 1433 | Yes | No | Yes | No | Used by JdbcMonitor and JdbcStoredProcedureMonitor for service polling. Need only be allowed to MS SQL Server database servers. |
| Oracle | 1521 | Yes | No | Yes | No | Used by JdbcMonitor and JdbcStoredProcedureMonitor for service polling. Need only be allowed to Oracle database servers. |
| Hyperic Agent | 2144 | Yes | No | Yes | No | Used to detect the Hyperic management agent on managed systems. Typically needed only in environments using both OpenNMS and Hyperic HQ. |
| HPQIM | 2381 | Yes | No | Yes | No | Used to discover the HP Insight Manager agent on managed nodes. Usually only discovered, not monitored. |
| MySQL | 3306 | Yes | No | Yes | No | Used by JdbcMonitor and JdbcStoredProcedureMonitor for service polling. Need only be allowed to MySQL database servers. |
| PostgreSQL | 5432 | Yes | Sometimes | Yes | Yes | Used by OpenNMS to communicate with its own database. Used by JdbcMonitor and JdbcStoredProcedureMonitor for service polling. May be used by external applications to query data from the OpenNMS database; inbound access should be limited to those specific hosts. |
| NRPE | 5666 | Yes | No | Yes | Yes | Nagios Remote Plugin Execution agent. Sometimes used by NrpeMonitor for service polling. |
| Eventd | 5817 | Sometimes | Sometimes | Sometimes | Yes | The OpenNMS Eventd TCP listener binds to this port. In a single-node installation of OpenNMS, this traffic is normally confined to the loopback interface. In a multi-node installation, or an environment with multiple single-node OpenNMS installations, on-network traffic on this port is used to transport events among OpenNMS servers. In some environments with custom integrations, certain external systems may need to connect to this port on the OpenNMS server. Restrict inbound access to those specific peer servers and integration hosts. |
| Hyperic HQ | 7080 | Yes | No | Yes | Yes | Used to communicate with the Hyperic HQ server; need only be allowed to HQ servers. Typically needed only in environments using both OpenNMS and Hyperic HQ. |
| HTTP | 8000 | Yes | No | Yes | No | Used by HttpMonitor and PageSequenceMonitor for service monitoring; sometimes used by Notifd for delivery of notifications via a web service or help-desk web form. |
| HTTP | 8080 | Yes | No | Yes | Sometimes | Used by HttpMonitor and PageSequenceMonitor for service monitoring; sometimes used by Notifd for delivery of notifications via a web service or help-desk web form. The OpenNMS web UI is served on this port (or port 8180) by default in releases prior to 1.3.7. |
| HTTP | 8180 | Yes | No | Sometimes | Sometimes | Default port for Tomcat on Debian and Ubuntu servers. Used by HttpMonitor and PageSequenceMonitor for service monitoring; sometimes used by Notifd for delivery of notifications via a web service or help-desk web form. The OpenNMS web UI is served on this port by default on Debian and Ubuntu systems in releases prior to 1.3.7. |
| HTTPS | 8443 | No | Yes | Yes | Sometimes | The OpenNMS web UI is sometimes served on this port via HTTPS. |
| HTTP | 8980 | No | Yes | Yes | Yes | The OpenNMS web UI is served on this port by default since release 1.3.7. |
| NSClient++ | 12489 | Yes | No | Yes | Yes | Nagios agent. Sometimes used for performance data collection and service polling on managed Windows systems. |

ICMP Messages

| Description | Type | Outbound? | Inbound? | Stateful? | Comments |
|-------------|------|-----------|----------|-----------|----------|
| Echo request (ping) | 8 | Yes | Usually | Yes | Stateful rules should allow echo reply messages in the reverse direction. It is a good idea to allow everyone to ping the OpenNMS server. |
| Echo reply (pong) | 0 | No | Yes | No | Normally allowed implicitly by the stateful rule for echo request; an explicit rule is needed only on stateless firewalls. |
| Destination unreachable | 3 | Usually | Yes | N/A | Allowing destination-unreachable messages from managed nodes to OpenNMS is important for the performance of network operations. It is usually considered good form to pass these messages everywhere. |
| Source quench | 4 | Usually | Yes | N/A | Historically treated like destination unreachable. Source quench was deprecated by RFC 6633 and is ignored by modern hosts, so this rule can usually be omitted. |
| Time exceeded | 11 | Usually | Yes | N/A | Allowing time-exceeded messages from managed nodes to OpenNMS is important for the performance of network operations. It is usually considered good form to pass these messages everywhere. |
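The three tables above translate fairly directly into a host firewall on the OpenNMS server itself. The nftables ruleset below is an added example, not part of the OpenNMS project or this page; it assumes nftables on the server, IPv4 only, and a handful of named address sets (managed nodes, DNS servers, SMTP relays, database servers, remote pollers, peer OpenNMS servers, database clients) whose addresses are constructed placeholders. It shows where the "Stateful? No" rows differ from the rest: the trap rule carries no `ct state` match, while every other accept relies on the conntrack entry for its replies.

```nft
#!/usr/sbin/nft -f
# Host firewall for an OpenNMS server, written from the UDP, TCP and ICMP tables above.
# Added example, not OpenNMS project code; every address below is a constructed placeholder.
flush ruleset

table inet opennms {
    # Replace these sets with the real addresses for your network (IPv4 only in this example).
    set managed_nodes  { type ipv4_addr; flags interval; elements = { 10.0.0.0/16 } }
    set dns_servers    { type ipv4_addr; elements = { 10.0.1.53, 10.0.2.53 } }
    set smtp_relays    { type ipv4_addr; elements = { 10.0.1.25 } }
    set db_servers     { type ipv4_addr; elements = { 10.0.1.40 } }
    set remote_pollers { type ipv4_addr; flags interval; elements = { 10.10.0.0/24, 203.0.113.10 } }
    set peer_servers   { type ipv4_addr; elements = { 10.0.1.20 } }
    set db_clients     { type ipv4_addr; elements = { 10.0.1.30 } }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Every "Stateful? Yes" row needs nothing further here: replies ride this entry.
        ct state established,related accept
        ct state invalid drop

        # ICMP table: anyone may ping the server; unreachable and time-exceeded pass everywhere.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept

        # SNMP trap/inform, 162/udp, "Stateful? No": no ct match, so a trap is accepted even
        # though nothing ever flows back. An inform's acknowledgement still leaves through the
        # established entry in the output chain, which is all the "Stateful? Yes" on that row needs.
        ip saddr @managed_nodes udp dport 162 accept

        # Syslogd listener; drop this rule if Syslogd is not enabled.
        ip saddr @managed_nodes udp dport 514 accept

        # RMI registration (1099) and Remote Poller Backend (1199), only from known pollers.
        ip saddr @remote_pollers tcp dport { 1099, 1199 } ct state new accept

        # Eventd TCP listener: other OpenNMS servers and integration hosts, never the whole network.
        ip saddr @peer_servers tcp dport 5817 ct state new accept

        # External applications reading the OpenNMS database.
        ip saddr @db_clients tcp dport 5432 ct state new accept

        # Web UI: 8980 is the default since 1.3.7; 8443 only if HTTPS is configured.
        tcp dport { 8980, 8443 } ct state new accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        # Echo replies, inform acknowledgements and responses to accepted inbound TCP sessions.
        ct state established,related accept

        # Core rows: polling and collection against managed nodes.
        ip daddr @managed_nodes icmp type echo-request accept
        ip daddr @managed_nodes udp dport 161 ct state new accept
        ip daddr @dns_servers udp dport 53 ct state new accept
        ip daddr @smtp_relays tcp dport 25 ct state new accept
        ip daddr @managed_nodes tcp dport { 80, 443, 8000, 8080, 8180 } ct state new accept
        ip daddr @managed_nodes tcp dport { 1099, 1248, 5666, 12489 } ct state new accept

        # Non-core rows: delete any line whose monitor is not in use.
        ip daddr @managed_nodes tcp dport { 21, 22, 110, 143, 1311, 2381 } ct state new accept
        ip daddr @db_servers tcp dport { 1433, 1521, 3306, 5432 } ct state new accept

        # Control messages back toward managed nodes, as the ICMP table recommends.
        ip daddr @managed_nodes icmp type { destination-unreachable, time-exceeded } accept
    }
}
```

Check the file with `nft -c -f opennms.nft` before loading it with `nft -f opennms.nft`. The output chain drops by default, so anything the server does beyond the tables (package updates, NTP, an external mail relay on a port other than 25) must be added explicitly; that is deliberate, since the point of the tables is to enumerate what OpenNMS actually needs. Source quench is left out on purpose, and inbound 5432 and 5817 are scoped to named sets rather than to the managed-node range, matching the "Core?" column's advice to think before opening them widely.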