Bonder firewall
Bonders ship with a host firewall that rejects traffic destined to the bonder itself (INPUT) except in the cases described below.
Bonding INPUT traffic
- DHCP traffic on the connected IP interface, if enabled (IPv4 only)
  - Accept UDP traffic on the connected IP interface, source port 68 and destination port 67 (DHCP client to server)
  - Accept TCP and UDP traffic on the connected IP interface, destination port 53
- DHCPv6 traffic on the connected IP interface, if enabled (IPv6 only)
  - Accept UDP traffic on the connected IP interface, source port 546 and destination port 547 (DHCPv6 client to server)
- Accept traffic on the management interface, sourced from the management server VPN IP and destined for the node management VPN IP
- Web server TCP traffic on destination port 80, if enabled
  - Accept traffic on the connected IP interface, destined for the connected IP
- TCP proxy traffic, if enabled
  - Accept TCP traffic on the bond-specific transparent destination port
- Tunnel traffic
  - Accept traffic on the tunnel interface, sourced from the tunnel peer IP
- UDP leg traffic
  - Accept UDP traffic on source port 547 and destination port 546 (IPv6 only; DHCPv6 server to client)
  - Accept UDP traffic on the leg-specific tunnel destination port, destined for the leg IP address
- TCP configuration traffic on destination port 8003
  - Accept traffic on the management interface, sourced from the management server VPN IP and destined for the node management VPN IP (IPv4 only)
  - Reject everything else on TCP destination port 8003
Other INPUT traffic
- Accept any packets matching rules defined on the management server
- Accept all traffic on eth0 that is sourced from 10.207.35.248/29 for local troubleshooting access
- Accept all traffic on eth0 that is sourced from 192.168.1.0/24 for legacy local troubleshooting access
- Accept all ICMP and ICMPv6 traffic
- Accept all traffic from established/related connections
- Reject everything else
Note
Nftables is used exclusively on nodes running version 6.6 and higher; see Firewall management for more information.
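As an added illustration, and not the product's own ruleset, the accept list above can be written as a single nftables INPUT chain of the kind a 6.6+ node would load. Everything that the page states (the DHCP, DHCPv6, DNS, HTTP and 8003 ports, the two eth0 troubleshooting subnets, ICMP and established/related handling, reject as the final action) is taken from the page; the interface names, the connected, management, tunnel and leg addresses, the leg tunnel port and the transparent proxy port are placeholders and are assumptions of this example. The "rules defined on the management server" item has no fixed form and is left out.

```nft
#!/usr/sbin/nft -f
# Added example modelled on the accept list on this page; not the bonder's
# own ruleset. All values below marked "assumption" are placeholders.

define CONNECTED_IF = "eth1"         # assumption: connected (LAN-side) interface
define CONNECTED_IP = 192.0.2.1      # assumption: the connected IP (RFC 5737 range)
define MGMT_IF      = "mgmt0"        # assumption: management VPN interface
define MGMT_SERVER  = 10.0.0.1       # assumption: management server VPN IP
define NODE_MGMT_IP = 10.0.0.2       # assumption: node management VPN IP
define TUNNEL_IF    = "tun0"         # assumption: tunnel interface
define TUNNEL_PEER  = 10.1.0.1       # assumption: tunnel peer IP
define LEG_IP       = 198.51.100.10  # assumption: a leg IP address
define LEG_PORT     = 4000           # assumption: leg-specific UDP tunnel port
define TPROXY_PORT  = 8080           # assumption: bond-specific transparent TCP proxy port

flush ruleset

table inet bonder {
    chain input {
        # Default-deny policy; the explicit reject at the end gives the
        # "reject everything else" behaviour described on the page.
        type filter hook input priority filter; policy drop;

        # Replies to connections the bonder opened itself, evaluated first
        # so they never fall through to the rejects below.
        ct state established,related accept

        # All ICMP and ICMPv6 (IPv6 neighbour discovery depends on this).
        meta l4proto { icmp, ipv6-icmp } accept

        # Local troubleshooting access on eth0. Note that 192.168.1.0/24 is a
        # common LAN range: any host in it that reaches eth0 gets full access.
        iifname "eth0" ip saddr 10.207.35.248/29 accept
        iifname "eth0" ip saddr 192.168.1.0/24 accept

        # DHCPv4 server on the connected interface (client 68 -> server 67), plus DNS.
        iifname $CONNECTED_IF udp sport 68 udp dport 67 accept
        iifname $CONNECTED_IF tcp dport 53 accept
        iifname $CONNECTED_IF udp dport 53 accept

        # DHCPv6 server on the connected interface (client 546 -> server 547).
        iifname $CONNECTED_IF meta nfproto ipv6 udp sport 546 udp dport 547 accept

        # Web server, only when addressed to the connected IP itself.
        iifname $CONNECTED_IF ip daddr $CONNECTED_IP tcp dport 80 accept

        # Transparent TCP proxy port.
        tcp dport $TPROXY_PORT accept

        # Tunnel traffic, only from the configured peer.
        iifname $TUNNEL_IF ip saddr $TUNNEL_PEER accept

        # UDP leg traffic: DHCPv6 replies to the leg (server 547 -> client 546)
        # and the leg-specific tunnel port addressed to the leg IP.
        meta nfproto ipv6 udp sport 547 udp dport 546 accept
        ip daddr $LEG_IP udp dport $LEG_PORT accept

        # Configuration port 8003: management server -> node over the management
        # VPN only (ip saddr/daddr restrict this to IPv4); everything else on
        # 8003 is rejected explicitly, so the accept must come first.
        iifname $MGMT_IF ip saddr $MGMT_SERVER ip daddr $NODE_MGMT_IP tcp dport 8003 accept
        tcp dport 8003 reject with tcp reset

        # Remaining management VPN traffic between the two VPN endpoints.
        iifname $MGMT_IF ip saddr $MGMT_SERVER ip daddr $NODE_MGMT_IP accept

        # Reject everything else.
        reject
    }
}
```

nftables evaluates a chain top to bottom and stops at the first verdict, so the order matters: the established/related rule must precede the rejects or the bonder's own outbound connections would lose their replies, and the 8003 accept must precede the 8003 reject. `nft -c -f bonder.nft` parses and checks the file without loading it; `nft list ruleset` shows what is actually active on a node.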
Note
More firewall customization options are available and documented here: