Bug 1509458 - [RFE] Add example how to verify which network ports are open
Summary: [RFE] Add example how to verify which network ports are open
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Docs Install Guide
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: csherrar
QA Contact: Stephen Wadeley
URL:
Whiteboard:
Depends On:
Blocks: 1542093
 
Reported: 2017-11-03 20:09 UTC by Jean Robertson
Modified: 2019-04-01 20:27 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-08 00:17:29 UTC



Description Jean Robertson 2017-11-03 20:09:42 UTC
Document URL: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/single/installation_guide/

Sections Number and Name: 

- Section 2.6 "Enabling Connections from a Client to Satellite Server"
- Section 2.7 "Enabling Connections from Capsule Server to Satellite Server"
- Section 2.8 "Enabling Connections from Satellite Server and Clients to Capsule Server"

Describe the issue: 

In each of the above sections there are examples of how to open the firewall ports and/or start the service. There also needs to be an example added that shows the user how to verify which ports are listening. This will confirm that your network ports have been set up properly.

Suggestions for improvement: 

For example the user can run the following netstat command on both rhel6 and rhel7 to list the network ports.

netstat -tanp | grep LISTEN

Output:
[root@localhost ~]# netstat -tanp | grep LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      24261/sshd          
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1837/master         
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd           
tcp6       0      0 :::80                   :::*                    LISTEN      1498/httpd          
tcp6       0      0 :::22                   :::*                    LISTEN      24261/sshd          
tcp6       0      0 ::1:25                  :::*                    LISTEN      1837/master         
tcp6       0      0 :::443                  :::*                    LISTEN      1498/httpd    


Additional information:

Comment 1 Stephen Wadeley 2017-11-06 08:46:47 UTC
Hello Jean

Thank you for raising this bug.

Unfortunately I cannot understand why this information is useful in the Installation Guide. For example, what would the user do with this information once they have it?


The developers write code which listens for communications on certain ports, but they tell us, Docs Team, which ports to open because some processes are communicating internally, so they "listen" but do not need a port to be opened.

We do provide more detailed port and communication info[1] for those that need to justify opening ports in network-based firewalls, but in the guides we try to focus on procedures, getting things done.


[1]
Red Hat Satellite 6.2 List of Network Ports - Red Hat Customer Portal - https://access.redhat.com/solutions/2470641




Thank you

Comment 2 Jean Robertson 2017-11-06 13:11:19 UTC
Stephen,

The information I provided in this bug was an example of how the user can verify the firewall ports they changed, based on the instructions that are provided in the Installation documentation. We should be consistent throughout the installation guide with examples of how to do something and then another example of how to verify the changes are correct.

I think the customer would appreciate having additional information that shows how to verify their configuration changes. If the firewall ports are not set up properly from the beginning, this could cause a difficult troubleshooting effort on the user's part.

It would be helpful to give one initial example of how to verify firewall port changes in this section.

Thanks.

Comment 3 Stephen Wadeley 2017-11-06 14:30:10 UTC
Hello Jean

The command you have given does not verify firewall changes; it shows what processes are listening for communications on what ports. This "listening" is inside of the firewall.

To verify firewall settings:

On RHEL7:

firewall-cmd --list-all  

{I prefer `list-all` because the `--list-ports` option will not show a port open as a result of using the service command}.

On RHEL6:

iptables -L INPUT -n


For RHEL7 we can link to here for more info:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_firewalld#sec-Configuring_the_Firewall_using_firewall-cmd

RHEL6 is not supported for Sat6.3, but it's in "2.8.9.2.6. Listing Options"

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/security_guide/#sect-Security_Guide-IPTables
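
An added example, not part of the bug thread or the Satellite documentation: it treats the two checks discussed in Comments 1 to 3 as separate facts by parsing the netstat output from the description and comparing it with a list of firewall-opened TCP ports. `FW_OPEN_PORTS` (including port 9090) and the function names are constructed for illustration; in practice the list would be read off `firewall-cmd --list-all`.

```shell
#!/bin/sh
# Added example: listening sockets and firewall-opened ports are separate checks.

# `netstat -tanp | grep LISTEN` output copied from the bug description.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      24261/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1837/master
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::80                   :::*                    LISTEN      1498/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      24261/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1837/master
tcp6       0      0 :::443                  :::*                    LISTEN      1498/httpd'

# Constructed value: TCP ports assumed open in the firewall (9090 is made up).
FW_OPEN_PORTS='22 80 443 9090'

# Print "port scope" once per listening port. Scope is "loopback" only when
# every socket on that port is bound to 127.0.0.0/8 or ::1, else "external".
listeners() {
    printf '%s\n' "$1" | awk '
        $6 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)    # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "external"
            if (!(port in seen) || scope == "external") seen[port] = scope
        }
        END { for (p in seen) print p, seen[p] }' | sort -n
}

# Ports with an external listener that the firewall list does not open.
listening_not_open() {
    listeners "$1" | awk -v open="$2" '
        BEGIN { n = split(open, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "external" && !($1 in ok) { print $1 }'
}

# Firewall-opened ports that have no external listener behind them.
open_not_listening() {
    ext=$(listeners "$1" | awk '$2 == "external" { print $1 }')
    for p in $2; do
        printf '%s\n' "$ext" | grep -qx "$p" || echo "$p"
    done
}

echo "listening externally, not opened: $(listening_not_open "$NETSTAT_SAMPLE" "$FW_OPEN_PORTS")"
echo "opened, nothing listening:        $(open_not_listening "$NETSTAT_SAMPLE" "$FW_OPEN_PORTS")"
```

Port 25 is classified as loopback because it is bound only to 127.0.0.1 and ::1, which is the "listening internally" case from Comment 1 that needs no firewall rule.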

Comment 4 Jean Robertson 2017-11-06 17:19:43 UTC
I'm ok with providing an example of 'firewall-cmd --list-all' in the Installation Guide, as well as provide the RHEL7 link for more detailed information.

Thanks.

Comment 5 Andrew Dahms 2017-12-05 13:06:58 UTC
Assigning to Clifton for review.

Comment 10 Andrew Dahms 2018-01-08 00:17:29 UTC
This content is live on the Customer Portal.

Closing.

