Ports to allow in firewall?

I have a Wazo 20.05 system working with all the bells and whistles I need.

Then I tried to configure the firewall to protect the system and found that the Web GUI would not authorize with proper credentials, even though I had allowed Ports 80 and 443 through to the server.

I use whitelisting to protect my server with iptables so if I have not explicitly allowed an IP address / Port combination in, it does not get in.

I ended up allowing every port listed in section 1.10.7 in the Wazo 20.01 admin guide and I can now connect using the Web GUI again, but I think I can probably cut back the open ports and make my system more secure.

So, does anyone know the minimum ports to allow so the system works and can be accessed via the Web GUI?

The ports I have currently allowed are:

5038 “wazo-AMI”
5672 “wazo-rabbitMQ”
8500 “wazo-consul-http”
8501 “wazo-consul-https”
8667 “wazo-provd”
9298 “wazo-call-logd”
9300 “wazo-webhookd”
9302 “wazo-setupd”
9304 “wazo-chatd”
9486 “wazo-confd”
9489 “wazo-dird”
9491 “wazo-amid”
9493 “wazo-agentd”
9497 “wazo-auth”
9498 “wazo-phoned”
9499 “wazo-phoned”
9500 “wazo-calld”
9502 “wazo-websocketd”
9503 “wazo-plugind”

I am sure some of these do not need to be allowed and, short of trying every permutation available (over 1 * 10 ^ 16 possible combinations), I was hoping someone actually knew.

Anyone?

Hello,

You don’t need to, and you don’t have to, open these ports. Just open HTTPS 443 if you need it for the administration, the API and WebRTC signalling. If you need SIP, open 5060. RTP needs to be open as well.

Sylvain

I use Aastra devices and have them fetch their configuration via the Wazo Aastra plugin, so I assume that means I also need 8667 open.

So, in addition to 8667, I changed the firewall to allow, for Wazo, just 80, 443, 5060 and 10000:20000.

Et voilà, all is good.

I think the issue I had is that I was testing the firewall and had not yet allowed loopback traffic, so the credential check failed and it needed a reboot to get back to normal.

I kept adding ports (before the reboot) but it did not help until I did a reboot for another reason, and then it worked. But I figured I had more ports than needed and you were right. (Do you ever get tired of hearing that? :-))

Thanks for your fast feedback.

Yes, I forgot the provisioning port, you’re right.
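As an added illustration (not code from the thread or from the Wazo project), here is a small Python simulation of the whitelist the thread converges on: a default-DROP policy, a loopback ACCEPT rule, and per-source allows for 80, 443, 5060, 8667 and the RTP range 10000:20000. It assumes, as the thread suggests, that the web GUI login reaches wazo-auth over loopback on 9497 and that the allowed client network is 203.0.113.0/24 (constructed value); it shows why omitting the loopback rule breaks the credential check even though 443 is open.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Ports the thread settles on for Wazo: web/API (80, 443), SIP signalling
# (5060), device provisioning (8667) and the RTP media range (10000-20000).
WAZO_TCP_PORTS = [80, 443, 5060, 8667]
WAZO_UDP_PORTS = [5060]
RTP_RANGE = (10000, 20000)

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"
    iface: str    # inbound interface, e.g. "lo" or "eth0"

@dataclass(frozen=True)
class Rule:
    """One iptables-style rule: first matching rule decides the verdict."""
    target: str                       # "ACCEPT" or "DROP"
    iface: Optional[str] = None       # -i <iface>
    src: Optional[str] = None         # -s <CIDR>
    proto: Optional[str] = None       # -p tcp|udp
    ports: Optional[Tuple[int, int]] = None  # --dport a:b (inclusive)

    def matches(self, p: Packet) -> bool:
        if self.iface and p.iface != self.iface:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.proto and p.proto != self.proto:
            return False
        return not self.ports or self.ports[0] <= p.dport <= self.ports[1]

def build_rules(allowed_src: str, allow_loopback: bool = True):
    """Whitelist INPUT chain; everything not listed falls to the DROP policy."""
    rules = [Rule("ACCEPT", iface="lo")] if allow_loopback else []
    for port in WAZO_TCP_PORTS:
        rules.append(Rule("ACCEPT", src=allowed_src, proto="tcp", ports=(port, port)))
    for port in WAZO_UDP_PORTS:
        rules.append(Rule("ACCEPT", src=allowed_src, proto="udp", ports=(port, port)))
    rules.append(Rule("ACCEPT", src=allowed_src, proto="udp", ports=RTP_RANGE))
    return rules

def verdict(rules, packet: Packet, policy: str = "DROP") -> str:
    """Walk the chain in order; the chain policy applies when nothing matches."""
    for rule in rules:
        if rule.matches(packet):
            return rule.target
    return policy

def gui_login_verdict(allow_loopback: bool) -> str:
    # Assumed internal hop: the web GUI validates credentials against wazo-auth
    # on 127.0.0.1:9497, so that loopback packet must be accepted for login to work.
    rules = build_rules("203.0.113.0/24", allow_loopback)
    return verdict(rules, Packet("127.0.0.1", 9497, "tcp", "lo"))
```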