Description
This document is meant to be a fairly exhaustive list of the TCP and UDP ports and ICMP messages used by a new installation of OpenNMS. Note that in environments that make heavy use of OpenNMS, many more ports may be in use than the ones listed here. In other environments, the ports actually in use may be a very small subset of those listed. This document is not a substitute for traffic analysis or tedious meetings, though it is hoped that having this document in hand will shorten some of those meetings. OpenNMS can be applied in many different ways and is extremely configurable; collaboration between OpenNMS administrators and firewall administrators is crucial to effective management of resources in a network that includes firewalls.
Column Legend
- Description: A short name of the application described
- Port / Type: The numeric port (TCP and UDP) or message type (ICMP) described
- Outbound?: Whether connections initiated by the OpenNMS server and bound for managed nodes need to be allowed
- Inbound?: Whether connections initiated by managed nodes and bound for the OpenNMS server need to be allowed
- Stateful?: Whether the firewall rule allowing this type of traffic should typically be configured to be "stateful" or to "keep state"
- Core?: Whether disallowing the traffic described is likely to have a negative impact on the core functionality of a "typical" OpenNMS installation; think three times before dropping or rejecting these types of traffic
- Comments: Notes on the traffic described
UDP Ports
| Description | Port | Outbound? | Inbound? | Stateful? | Core? | Comments |
|---|---|---|---|---|---|---|
| DNS | 53 | Yes | No | Yes | Yes | Used by the DnsMonitor for service polling of DNS name servers; required only for those servers on which the DNS service is monitored. Also used for normal name resolution by some monitor classes. |
| SNMP | 161 | Yes | No | Yes | Yes | Used for performance data collection. May also be used for some types of service polling. Normally should be allowed to all managed nodes. |
| SNMP Trap | 162 | No | Yes | No* | Yes | Traps are unsolicited messages from an agent to a manager. Normally should be allowed from all managed nodes. *See also SNMP Inform. |
| SNMP Inform | 162 | No | Yes | Yes | Yes | Informs use the same port as traps, but are less ubiquitous. Informs require stateful rules since the manager must reply with an acknowledgement of receipt. |
| Syslog | 514 | No* | Yes | No | Yes | Inbound needed only if OpenNMS Syslogd is enabled for creating events from syslog messages. *Outbound needed only to select hosts if sending OpenNMS notifications via syslog. |
TCP Ports
| Description | Port | Outbound? | Inbound? | Stateful? | Core? | Comments |
|---|---|---|---|---|---|---|
| FTP | 21 | Yes | No | Yes | No | Used by FtpMonitor for service monitoring. Need be allowed only to designated FTP servers managed by OpenNMS. |
| SSH | 22 | Yes | No | Yes | No | Used by SshMonitor for service monitoring. |
| Telnet | 23 | Yes | No | Yes | No | Typically not polled by OpenNMS, as legacy devices that support telnet are often fragile. |
| SMTP | 25 | Yes | No | Yes | Yes | Used by SmtpMonitor and MailTransportMonitor for service monitoring; need only be allowed to SMTP servers. Also used by Notifd for e-mail delivery of notifications, normally via a smart SMTP relay. |
| HTTP | 80 | Yes | Sometimes | Yes | Sometimes | Used by HttpMonitor and PageSequenceMonitor for service monitoring; sometimes used by Notifd for delivery of notifications via a web service or help-desk web form. The OpenNMS web UI is commonly served on this port. |
| POP3 | 110 | Yes | No | Yes | No | Used by Pop3Monitor and MailTransportMonitor for service monitoring; need only be allowed to POP3 servers. |
| IMAP | 143 | Yes | No | Yes | No | Used by ImapMonitor and MailTransportMonitor for service monitoring; need only be allowed to IMAP servers. |
| HTTPS | 443 | Yes | Sometimes | Yes | Sometimes | Used by HttpsMonitor and PageSequenceMonitor for service monitoring; sometimes used by Notifd for delivery of notifications via a web service or help-desk web form. The OpenNMS web UI is sometimes served on this port. |
| RMI | 1099 | Yes | Yes | Yes | Yes | Used by remote location pollers (which may run on servers or desktops throughout a network and on the Internet) to register themselves with the OpenNMS server; used by the Jsr160Collector (JMX) to connect to monitored Java application servers for performance data collection. |
| RMI | 1199 | No | Yes | Yes | Yes | Used by the Remote Poller Backend for communications with running remote monitors, which may be located anywhere on the network. |
| NSClient | 1248 | Yes | No | Yes | Yes | Nagios agent. Sometimes used for performance data collection and service polling on managed Windows systems. |
| OpenManage | 1311 | Yes | No | Yes | No | Used to discover the Dell OpenManage agent on managed nodes. Usually only discovered, not monitored. |
| TDS/MSSQL | 1433 | Yes | No | Yes | No | Used by JdbcMonitor and JdbcStoredProcedureMonitor for service polling. Need only be allowed to MS SQL Server database servers. |
| Oracle | 1521 | Yes | No | Yes | No | Used by JdbcMonitor and JdbcStoredProcedureMonitor for service polling. Need only be allowed to Oracle database servers. |
| HPQIM | 2381 | Yes | No | Yes | No | Used to discover the HP Insight Manager agent on managed nodes. Usually only discovered, not monitored. |
| Hyperic Agent | 2144 | Yes | No | Yes | No | Used to detect the Hyperic management agent on managed systems. Typically needed only in environments using both OpenNMS and Hyperic HQ. |
| MySQL | 3306 | Yes | No | Yes | No | Used by JdbcMonitor and JdbcStoredProcedureMonitor for service polling. Need only be allowed to MySQL database servers. |
| PostgreSQL | 5432 | Yes | Sometimes | Yes | Yes | Used by OpenNMS to communicate with its own database. Used by JdbcMonitor and JdbcStoredProcedureMonitor for service polling. May be used by external applications to query data from the OpenNMS database. |
| NRPE | 5666 | Yes | No | Yes | Yes | Nagios Remote Plugin Execution agent. Sometimes used by NrpeMonitor for service polling. |
| EventD | 5817 | Sometimes | Sometimes | Sometimes | Yes | OpenNMS' Eventd TCP listener binds to this port. In a single-node installation of OpenNMS, this traffic is normally confined to the loopback interface. In a multi-node installation or an environment with multiple single-node OpenNMS installations, on-network traffic on this port is used to transport events among OpenNMS servers. In some environments with custom integrations, certain external systems may need to connect to this port on the OpenNMS server. |
| Hyperic HQ | 7080 | Yes | No | Yes | Yes | Used to communicate with the Hyperic HQ server; need only be allowed to HQ servers. Typically needed only in environments using both OpenNMS and Hyperic HQ. |
| HTTP | 8000 | Yes | No | Yes | No | Used by HttpMonitor and PageSequenceMonitor for service monitoring; sometimes used by Notifd for delivery of notifications via a web service or help-desk web form. |
| HTTP | 8080 | Yes | No | Yes | Sometimes | Used by HttpMonitor and PageSequenceMonitor for service monitoring; sometimes used by Notifd for delivery of notifications via a web service or help-desk web form. The OpenNMS web UI is served on this port (or port 8180) by default in releases prior to 1.3.7. |
| HTTP | 8180 | Yes | No | Sometimes | Sometimes | Default port for Tomcat on Debian and Ubuntu servers. Used by HttpMonitor and PageSequenceMonitor for service monitoring; sometimes used by Notifd for delivery of notifications via a web service or help-desk web form. The OpenNMS web UI is served on this port by default on Debian and Ubuntu systems in releases prior to 1.3.7. |
| HTTPS | 8443 | No | Yes | Yes | Sometimes | The OpenNMS web UI is sometimes served on this port via HTTPS. |
| HTTP | 8980 | No | Yes | Yes | Yes | The OpenNMS web UI is served on this port by default since release 1.3.7. |
| NSClient++ | 12489 | Yes | No | Yes | Yes | Nagios agent. Sometimes used for performance data collection and service polling on managed Windows systems. |
ICMP Messages
| Description | Type | Outbound? | Inbound? | Stateful? | Comments |
|---|---|---|---|---|---|
| Echo request (ping) | 8 | Yes | Usually | Yes | Stateful rules should allow echo reply messages in the reverse direction. It's a good idea to allow everyone to ping the OpenNMS server. |
| Echo reply (pong) | 0 | No | Yes | No | Normally implicitly allowed by stateful rules for echo request. |
| Destination unreachable | 3 | Usually | Yes | N/A | Allowing destination-unreachable messages from managed nodes to OpenNMS is important for performance of network operations. It's usually considered good form to pass these messages everywhere. |
| Source quench | 4 | Usually | Yes | N/A | Allowing source-quench messages from managed nodes to OpenNMS is important for performance of network operations. It's usually considered good form to pass these messages everywhere. |
| Time exceeded | 11 | Usually | Yes | N/A | Allowing time-exceeded messages from managed nodes to OpenNMS is important for performance of network operations. It's usually considered good form to pass these messages everywhere. |
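As an added example (not OpenNMS project code), the following Python turns rows of the three tables above into an nftables ruleset for the OpenNMS server, encoding what the Outbound?, Inbound? and Stateful? columns mean for a rule: stateful rows open only their initiating direction and let connection tracking admit the reply (the SNMP inform acknowledgement, the echo reply), while stateless rows such as traps are one-way. The 10.0.0.0/8 managed-node prefix, the table and chain names, and the `Row` type are assumptions of this example.

```python
# Added example (not OpenNMS project code): build an nftables ruleset for the OpenNMS
# server from rows of the port tables above. MANAGED is a constructed placeholder.
from dataclasses import dataclass

MANAGED = "10.0.0.0/8"  # constructed: prefix holding the managed nodes

@dataclass(frozen=True)
class Row:
    desc: str       # Description column
    proto: str      # "tcp", "udp" or "icmp"
    num: int        # Port column, or ICMP message type
    outbound: bool  # Outbound?: OpenNMS server -> managed nodes
    inbound: bool   # Inbound?: managed nodes -> OpenNMS server
    stateful: bool  # Stateful?

def row_rules(r):
    """nft rules for one row. A stateful row opens its initiating direction with
    'ct state new' and relies on the chain-level established,related rule for the
    reply; a stateless row (SNMP traps, syslog) is accepted one-way, no ct clause."""
    sel = f"icmp type {r.num}" if r.proto == "icmp" else f"{r.proto} dport {r.num}"
    state = "ct state new " if r.stateful else ""
    tag = f'comment "{r.desc}"'
    rules = []
    if r.outbound:
        rules.append(f"add rule inet opennms output ip daddr {MANAGED} {sel} {state}accept {tag}")
    if r.inbound:
        rules.append(f"add rule inet opennms input ip saddr {MANAGED} {sel} {state}accept {tag}")
    return rules

def ruleset(rows):
    """Default-drop chains, loopback (keeps Eventd 5817 local), replies, then the rows."""
    head = [
        "add table inet opennms",
        "add chain inet opennms input { type filter hook input priority 0; policy drop; }",
        "add chain inet opennms output { type filter hook output priority 0; policy drop; }",
        "add rule inet opennms input iif lo accept",
        "add rule inet opennms output oif lo accept",
        "add rule inet opennms input ct state established,related accept",
        "add rule inet opennms output ct state established,related accept",
    ]
    return "\n".join(head + [line for r in rows for line in row_rules(r)]) + "\n"

# Core rows taken from the UDP, TCP and ICMP tables above; extend for your deployment.
CORE_ROWS = [
    Row("SNMP", "udp", 161, True, False, True),
    Row("SNMP Trap", "udp", 162, False, True, False),
    Row("SNMP Inform", "udp", 162, False, True, True),
    Row("HTTP web UI", "tcp", 8980, False, True, True),
    Row("Echo request (ping)", "icmp", 8, True, True, True),
]
```

Feed `ruleset(CORE_ROWS)` to `nft -f -` on the OpenNMS host; rows marked "Sometimes" in the tables are added only where the deployment actually uses them.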