Firewall Configuration
Latest revision as of 19:59, 6 August 2020
NOTE: QuantaStor v4 ONLY. This documentation is no longer relevant for QuantaStor v5, which has an integrated firewall management system accessible via the QuantaStor web management interface at the system level (see Storage System Modify) and at the port level (see Network Port Modify).
For most deployments there is no need to add firewall rules to block the standard storage services (NFS, CIFS, iSCSI), and by default QuantaStor appliances do not have firewall rules blocking those services. That said, on systems with elevated security requirements, or on systems with ports facing public networks, it is useful to block the services that are not in use so that they are not reachable at all. The following sections describe how to block the individual storage services within QuantaStor using firewall rules. Each block is enabled by creating a touch file under /etc/init.d/ and restarting iptables; the rules apply to the whole appliance, not to a single network port. These options are available in the QuantaStor 3.15.1 release or newer.
Example: how to re-enable service access
To re-enable access to a specific service, remove the associated touch file and restart iptables. For example, to remove the firewall rules that block access to NFS:
 rm /etc/init.d/iptables.blocknfs
 service iptables restart
After the restart, confirm the rules are gone with 'iptables -S' before relying on the service again.
Blocking Web Management access via standard HTTP
If you're not using the standard HTTP port 80 for web management on your network, you can block HTTP service access in favour of the available HTTPS ports (443 and 8443):
 touch /etc/init.d/iptables.secure
 service iptables restart
The 'qs-util disablehttp' command performs this same change.
Blocking Network Share access via NFS
If you're not using Network Shares with NFS, you can block NFS service access like so:
 touch /etc/init.d/iptables.blocknfs
 service iptables restart
Blocking Network Share access via CIFS/SMB
If you're not using Network Shares with CIFS/SMB Windows clients, you can block SMB access to the Samba service like so:
 touch /etc/init.d/iptables.blocksmb
 service iptables restart
Blocking Storage Volume / iSCSI Access
If you're not using Storage Volumes via iSCSI, you can block access to the iSCSI target service like so:
 touch /etc/init.d/iptables.blockiscsi
 service iptables restart
Blocking GlusterFS Access
If you're not using Gluster services, you can block access to them like so:
 touch /etc/init.d/iptables.blockgluster
 service iptables restart
Note that Gluster Volumes can be accessed via the GlusterFS client on Linux systems, which does not require access to the NFS/CIFS services. In that case you can enable the firewall rules that block NFS/CIFS access, but be aware that those rules apply to all Network Shares, not just Gluster Volumes.
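The touch-file procedure in the sections above only tells iptables what to do; it does not tell you whether the block actually took effect after the restart. The following is an added helper script, not part of QuantaStor or of this page's original content, that generalizes the per-service commands into one dry-run function and then verifies an 'iptables -S' dump for DROP/REJECT rules on each service's well-known TCP ports. The port numbers are the standard defaults (80, 111/2049, 139/445, 3260, 24007/24008) and are an assumption here, as is the shape of the sample rule dump, which is constructed for the example and is not QuantaStor's real rule set.

```shell
#!/bin/sh
# Added example (not QuantaStor's own tooling): map each touch-file switch
# described on the page to its service, and verify an `iptables -S` dump
# really drops that service's ports after `service iptables restart`.

# Touch file that enables the block for a service (paths from the page).
touch_file_for() {
    case "$1" in
        http)    echo /etc/init.d/iptables.secure ;;
        nfs)     echo /etc/init.d/iptables.blocknfs ;;
        smb)     echo /etc/init.d/iptables.blocksmb ;;
        iscsi)   echo /etc/init.d/iptables.blockiscsi ;;
        gluster) echo /etc/init.d/iptables.blockgluster ;;
        *)       echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# Well-known TCP ports per service. Assumption: standard defaults, not read
# from the appliance; adjust if your services listen elsewhere.
ports_for() {
    case "$1" in
        http)    echo "80" ;;
        nfs)     echo "111 2049" ;;
        smb)     echo "139 445" ;;
        iscsi)   echo "3260" ;;
        gluster) echo "24007 24008" ;;
        *)       return 1 ;;
    esac
}

# Dry run: print the commands the page's procedure would execute for the
# named services. Nothing is touched or restarted here.
block_cmds() {
    for svc in "$@"; do
        f=$(touch_file_for "$svc") || return 1
        echo "touch $f"
    done
    echo "service iptables restart"
}

# Return 0 if the `iptables -S` dump in file $1 has a DROP/REJECT rule for
# TCP destination port $2, via --dport N or a multiport --dports list that
# may contain single ports and lo:hi ranges.
rule_blocks_port() {
    rules=$1; port=$2
    grep -E -- '-j (DROP|REJECT)' "$rules" | grep -E -- '-p tcp' | (
        while read -r line; do
            case "$line" in
                *"--dport $port "*|*"--dport $port") exit 0 ;;
            esac
            list=$(printf '%s\n' "$line" | sed -n 's/.*--dports \([0-9,:]*\).*/\1/p')
            [ -n "$list" ] || continue
            old_ifs=$IFS; IFS=,; set -- $list; IFS=$old_ifs
            for p in "$@"; do
                case "$p" in
                    *:*) lo=${p%%:*}; hi=${p##*:}
                         [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && exit 0 ;;
                    *)   [ "$p" = "$port" ] && exit 0 ;;
                esac
            done
        done
        exit 1
    )
}

# Return 0 only if every port of service $2 is blocked in dump $1;
# report the first unblocked port on stderr otherwise.
check_blocked() {
    rules=$1; svc=$2
    for p in $(ports_for "$svc"); do
        rule_blocks_port "$rules" "$p" || { echo "$svc: port $p is NOT blocked" >&2; return 1; }
    done
    return 0
}

# Constructed sample dump for the example (not a real QuantaStor rule set):
# HTTP, SMB and Gluster are blocked, NFS is only half blocked (2049 but not
# 111), and iSCSI is explicitly accepted.
write_sample_rules() {
    cat > "$1" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 2049 -j DROP
-A INPUT -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m multiport --dports 24007:24008,49152:49251 -j DROP
-A INPUT -p tcp -m tcp --dport 3260 -j ACCEPT
EOF
}
```

On a live appliance, run 'iptables -S > /tmp/rules.txt' after the restart and then 'check_blocked /tmp/rules.txt nfs' (or smb, iscsi, gluster, http); a non-zero exit names the port that is still open. The dry-run 'block_cmds nfs smb' shows exactly which touch files a given set of blocks needs before you create them.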