Aggregator firewall

Aggregators come with a firewall that rejects traffic destined to the aggregator itself, except in the circumstances described below. The rules are listed in the order they apply; the final rule rejects everything not matched earlier.

Bonding INPUT traffic

  1. Accept traffic on the management interface, sourced from the management server VPN IP and destined for the node management VPN IP
  2. TCP proxy traffic, if enabled
  • Accept TCP traffic on the bond-specific transparent destination port
  3. Tunnel traffic
  • Accept traffic on the tunnel interface that is sourced from the tunnel peer IP
  4. UDP leg traffic
  • Accept UDP traffic on the leg-specific UDP destination tunnel port and destined for the leg IP address
  5. TCP configuration traffic on destination port 8003
  • Accept traffic on the management interface, sourced from the management server VPN IP and destined for the node management VPN IP (IPv4 only)
  • Reject everything else on TCP destination port 8003
  6. Private WAN mesh traffic
  • Accept TCP traffic on destination port 8007
  • Accept TCP traffic on the mesh veth interface with destination port 1179
  • Accept TCP traffic on the agg/pwr GRE interfaces with destination port 1179 or 179
  • Accept ESP traffic
  • Accept GRE traffic
  7. Accept TCP traffic on destination port 8005

Other INPUT traffic

  1. Accept all traffic sourced from any IP range that has been added to the “known_ips” list (the operator-maintained list of addresses granted firewall access)
  2. Accept all traffic on eth0 that is sourced from 10.207.35.248/29 for local troubleshooting access
  3. Accept all traffic on eth0 that is sourced from 192.168.1.0/24 for legacy local troubleshooting access
  4. Accept all ICMP and ICMPv6 traffic
  5. Accept all traffic from established/related connections
  6. Reject everything else
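To see how the two lists above interact, here is an added first-match model of the INPUT chain. It is example code written for this page, not the aggregator's own firewall implementation, and it assumes the rules are evaluated top to bottom in the order listed with "reject everything else" as the final rule. The interface names, addresses, ports and the “known_ips” entry are constructed placeholders; the page only names the roles (management VPN IPs, tunnel peer, leg, mesh interfaces).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed deployment values (assumptions for the example; the page does
# not give concrete interfaces, addresses or bond/leg-specific ports).
MGMT_IFACE = "mgmt0"
MGMT_SERVER_VPN = ip_address("10.100.0.1")
NODE_MGMT_VPN = ip_address("10.100.0.50")
TCP_PROXY_ENABLED = True
TCP_PROXY_PORT = 8080                       # bond-specific transparent port
TUNNEL_IFACE = "tun0"
TUNNEL_PEER = ip_address("10.200.0.1")
LEG_IP = ip_address("203.0.113.10")
LEG_UDP_PORT = 4000                         # leg-specific UDP tunnel port
MESH_VETH_IFACE = "mesh-veth0"
GRE_IFACES = {"agg-gre0", "pwr-gre0"}
KNOWN_IPS = [ip_network("198.51.100.0/24")]     # operator-added "known_ips" entry
TROUBLESHOOT_NETS = [ip_network("10.207.35.248/29"), ip_network("192.168.1.0/24")]


@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", "icmpv6", "esp", "gre"
    dport: Optional[int] = None
    established: bool = False   # conntrack state ESTABLISHED/RELATED


def _src(p: Packet):
    return ip_address(p.src)


def _dst(p: Packet):
    return ip_address(p.dst)


def mgmt_from_server(p: Packet) -> bool:
    """Management interface, from the management server VPN IP, to the node management VPN IP."""
    return p.iface == MGMT_IFACE and _src(p) == MGMT_SERVER_VPN and _dst(p) == NODE_MGMT_VPN


def tcp_to(p: Packet, *ports: int) -> bool:
    return p.proto == "tcp" and p.dport in ports


# The INPUT chain in the order the page lists it. First match wins; anything
# that reaches the end of the list is rejected.
RULES = [
    ("bond: management",        mgmt_from_server,                                                     "ACCEPT"),
    ("bond: tcp proxy",         lambda p: TCP_PROXY_ENABLED and tcp_to(p, TCP_PROXY_PORT),            "ACCEPT"),
    ("bond: tunnel",            lambda p: p.iface == TUNNEL_IFACE and _src(p) == TUNNEL_PEER,         "ACCEPT"),
    ("bond: udp leg",           lambda p: p.proto == "udp" and p.dport == LEG_UDP_PORT and _dst(p) == LEG_IP, "ACCEPT"),
    ("bond: 8003 from mgmt v4", lambda p: tcp_to(p, 8003) and mgmt_from_server(p) and _src(p).version == 4, "ACCEPT"),
    ("bond: 8003 other",        lambda p: tcp_to(p, 8003),                                            "REJECT"),
    ("mesh: 8007",              lambda p: tcp_to(p, 8007),                                            "ACCEPT"),
    ("mesh: veth 1179",         lambda p: p.iface == MESH_VETH_IFACE and tcp_to(p, 1179),              "ACCEPT"),
    ("mesh: gre bgp",           lambda p: p.iface in GRE_IFACES and tcp_to(p, 1179, 179),              "ACCEPT"),
    ("mesh: esp",               lambda p: p.proto == "esp",                                           "ACCEPT"),
    ("mesh: gre",               lambda p: p.proto == "gre",                                           "ACCEPT"),
    ("bond: 8005",              lambda p: tcp_to(p, 8005),                                            "ACCEPT"),
    ("other: known_ips",        lambda p: any(_src(p) in n for n in KNOWN_IPS),                       "ACCEPT"),
    ("other: troubleshooting",  lambda p: p.iface == "eth0" and any(_src(p) in n for n in TROUBLESHOOT_NETS), "ACCEPT"),
    ("other: icmp",             lambda p: p.proto in ("icmp", "icmpv6"),                              "ACCEPT"),
    ("other: established",      lambda p: p.established,                                              "ACCEPT"),
]


def evaluate(p: Packet):
    """Return (verdict, rule name) for the first rule in the chain that matches p."""
    for name, match, verdict in RULES:
        if match(p):
            return verdict, name
    return "REJECT", "default"


if __name__ == "__main__":
    probes = [
        Packet("eth0", "10.207.35.250", "203.0.113.10", "tcp", 8003),  # troubleshooting subnet, port 8003
        Packet("eth0", "198.51.100.7", "203.0.113.10", "tcp", 22),     # known_ips source, SSH
        Packet("eth0", "192.0.2.9", "203.0.113.10", "tcp", 8005),      # arbitrary Internet host
        Packet("eth0", "192.0.2.9", "203.0.113.10", "tcp", 443),
        Packet("mgmt0", "10.100.0.1", "10.100.0.50", "tcp", 8003),     # management server over the VPN
    ]
    for pk in probes:
        print(f"{pk.src:>15} -> {pk.proto}/{pk.dport} on {pk.iface}: {evaluate(pk)}")
```

Running the probes shows the ordering consequences worth keeping in mind: adding a source to “known_ips” or connecting from the 10.207.35.248/29 troubleshooting subnet does not open TCP 8003, because the reject in the bonding section matches first; TCP 8005, 8007, ESP and GRE are accepted without any source restriction as the page lists them; and because the “known_ips” entry in this model is an IPv4 network, an IPv6 source from the same operator falls through to the default reject unless an IPv6 range is added as well.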

Note

More firewall customization options are available and documented here: