Firewall Configuration

The typical firewall configuration of DataONE VMs uses UFW (Uncomplicated Firewall) to manage iptables firewall configuration.

Minimal configuration of ufw should include the following:

sudo ufw default deny
sudo ufw allow ssh
sudo ufw enable

which will allow SSH access to the machine and block everything else.

Suggested Member Node Firewall Configuration

Member nodes provide services over HTTP, with HTTPS required for Tier2 and higher Member Node implementations, and so require HTTP or HTTPS to be enabled respectively in addition to the base configuration suggested above:

sudo ufw allow http

or:

sudo ufw allow https

Member Node operators may need to add additional rules to support other services that may be operating on their installation.

Coordinating Node Firewall Configuration

Coordinating nodes should be configured to only allow HTTPS connections. Additional ports for LDAP (port 389) and Hazelcast communications will need to be open to specific targets (i.e. other Coordinating Nodes operating in the same environment).

For example, the three CNs cn-dev-unm-1.dataone.org, cn-dev-ucsb-1.dataone.org, and cn-dev-orc-1.dataone.org are all operating in the same development environment, and so must communicate with each other. The complete ufw configuration for a CN would be (IP-NODE-2, IP-NODE-3 = ip-addresses of the other two coordinating nodes):

sudo ufw default deny
sudo ufw allow ssh
sudo ufw allow https
sudo ufw allow from IP-NODE-2 to any port 389
sudo ufw allow from IP-NODE-3 to any port 389
sudo ufw allow from IP-NODE-2 to any port 5701
sudo ufw allow from IP-NODE-2 to any port 5702
sudo ufw allow from IP-NODE-3 to any port 5701
sudo ufw allow from IP-NODE-3 to any port 5702
sudo ufw enable