Access control list for Foreman-Katello - ports

Hello,

I need our Foreman-Katello server to be able to access some different VLANs within our company. The network team is asking me what ports need to be opened up from the Linux hosts to the Foreman-Katello server and vice versa. I looked around and didn’t see a list of what is needed for connectivity between foreman-katello and linux end point hosts. Is there an access list somewhere?

Thanking you in advance.

Hey @lbetson,

You can look at the foreman documentation around ports and the katello port documentation. Let me know if that doesn’t answer your questions!

So I see the ports now, thank you very much. Our firewall engineer is asking in what direction these ports need to be opened: bi-directional, uni-directional, etc. Thanking you in advance.

It depends. Some are incoming, some are outgoing. Most of them depend on your setup. For example, port 5432 (outgoing) is only needed if you have an external database. A local database uses a unix socket. A DNS server (incoming) is only needed if you actually run a DNS server.

All those listed on Foreman’s docs are incoming except the databases (which are (optionally) outgoing). Note that in the Katello scenario port 8443 is used by candlepin instead of the Smart Proxy. That moved to port 9090. Again, those listed are all incoming. I’m not sure which outgoing ports are used since I typically don’t firewall those on my personal setups.

This would be for katello agent hosts, for lack of a better term, to the foreman server itself.

I guess I could tell them to open up the ports bidirectionally, but I’m not so sure they are going to be happy with that.

Would it be safe to assume that, for the hosts that have a katello agent installed on them, the firewall team should open up these ports on the firewall from the katello clients to the foreman host?

  • 80 TCP - HTTP
  • 443 TCP - HTTPS
  • 5647 TCP - qdrouterd
  • 9090 TCP - HTTPS

AFAIK clients don’t talk to port 9090. It’s needed for Foreman + Katello -> standalone proxy (foreman-proxy-content scenario).

Okay, thanks for that. For obvious reasons our firewall team wants to know who is initiating the connection and in what direction. I get it: the Foreman host and the Linux content hosts (clients) are behind a Cisco firewall, and so the firewall team needs to create an access control list.

If anyone can help me be more specific, so I am not having my firewall team get mad at me for jumping through hoops, that would be great.