====================
Aggregator firewall
====================

Aggregators ship with a firewall that rejects inbound traffic destined to them
except in the cases described below.

Bonding INPUT traffic
----------------------

1. Accept traffic on the management interface, sourced from the management
   server VPN IP and destined for the node management VPN IP

2. TCP proxy traffic, if enabled

   - Accept TCP traffic on the bond-specific transparent destination port

3. Tunnel traffic

   - Accept traffic on the tunnel interface and sourced from the tunnel peer IP

4. UDP leg traffic

   - Accept on the leg-specific UDP destination tunnel port and destined for the
     leg IP address

5. TCP configuration traffic on destination port 8003

   - Accept traffic on the management interface, sourced from the management
     server VPN IP and destined for the node management VPN IP (IPv4 only)
   - Reject everything else on TCP destination port 8003

6. Private WAN mesh traffic

   - Accept TCP traffic on destination port 8007
   - Accept TCP traffic on the mesh veth interface and destination port 1179
   - Accept TCP traffic on the agg/pwr GRE interfaces and destination ports 1179
     or 179
   - Accept ESP traffic
   - Accept GRE traffic

7. Accept TCP traffic on destination port 8005

Other INPUT traffic
--------------------

#. Accept any IP range that has been added to the "known_ips" list to be granted
   firewall access
#. Accept all traffic on eth0 that is sourced from 10.207.35.248/29 for local
   troubleshooting access
#. Accept all traffic on eth0 that is sourced from 192.168.1.0/24 for legacy
   local troubleshooting access
#. Accept all ICMP and ICMPv6 traffic
#. Accept all traffic from established/related connections
#. Reject everything else
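
The two rule lists above modelled as a first-match chain, as an added example that is not the product's own firewall code. It assumes the rules are evaluated in the listed order with the first match deciding, and the interface name and VPN addresses are constructed placeholders; it shows why a local troubleshooting host on eth0 still cannot reach TCP port 8003, since the reject in bonding rule 5 is reached before the eth0 accept.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder values, not taken from the page or any deployment:
MGMT_IF = "tun-mgmt"             # the management interface
MGMT_SERVER_VPN_IP = "10.0.0.1"  # management server VPN IP
NODE_MGMT_VPN_IP = "10.0.0.2"    # node management VPN IP
KNOWN_IPS = ["203.0.113.0/24"]   # one sample entry in the "known_ips" list
# Local troubleshooting source ranges, as listed on the page:
TROUBLESHOOT_NETS = ["10.207.35.248/29", "192.168.1.0/24"]


def pkt(src, proto="tcp", dport=None, iif="eth0", dst="192.0.2.10", state="NEW"):
    """Build a constructed packet summary for the evaluator."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "iif": iif, "state": state}


def _src_in(nets, p):
    return any(ip_address(p["src"]) in ip_network(n) for n in nets)


def _from_mgmt_server(p):
    """Management server -> node over the management interface (rules 1 and 5)."""
    return (p["iif"] == MGMT_IF and p["src"] == MGMT_SERVER_VPN_IP
            and p["dst"] == NODE_MGMT_VPN_IP)


def _tcp_to(port):
    return lambda p: p["proto"] == "tcp" and p["dport"] == port


# (rule name, match predicate, verdict), in the order the page lists them.
# Rules needing leg, tunnel or GRE details the page does not give are left out.
RULES = [
    ("mgmt interface", _from_mgmt_server, "ACCEPT"),
    ("config 8003 from mgmt", lambda p: _tcp_to(8003)(p) and _from_mgmt_server(p), "ACCEPT"),
    ("reject other 8003", _tcp_to(8003), "REJECT"),
    ("mesh 8007", _tcp_to(8007), "ACCEPT"),
    ("port 8005", _tcp_to(8005), "ACCEPT"),
    ("known_ips", lambda p: _src_in(KNOWN_IPS, p), "ACCEPT"),
    ("eth0 troubleshooting", lambda p: p["iif"] == "eth0" and _src_in(TROUBLESHOOT_NETS, p), "ACCEPT"),
    ("icmp", lambda p: p["proto"] in ("icmp", "icmpv6"), "ACCEPT"),
    ("established/related", lambda p: p["state"] in ("ESTABLISHED", "RELATED"), "ACCEPT"),
]


def verdict(p):
    """Walk the chain top to bottom; the first matching rule decides."""
    for name, match, action in RULES:
        if match(p):
            return action, name
    return "REJECT", "default reject"   # the chain's catch-all
```

Running `verdict(pkt("10.207.35.250", dport=8003))` returns the reject from rule 5, while the same source on port 22 is accepted by the eth0 troubleshooting rule.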

.. note::

  More firewall customization options are available and documented here:

  - `Firewall management <../extending-bonded-internet/firewall-management.html>`__
  - `Example Salt state – custom firewall for space <../extending-bonded-internet/node-configuration-management-with-saltstack/example-salt-state-custom-firewall-for-space.html#>`__
