Configuring Firewalls Running on the ACSLS Server

Besides external firewalls, firewall protection can be implemented on your ACSLS server itself through ipfilter on Solaris or iptables on Linux. This section describes how to manage these host-based firewalls on your ACSLS server.

  • Managing ipfilter on Solaris:
    Consult the man pages for ipf and ipfilter for detailed information.
    • The ipfilter firewall is enabled (disabled) by 'root' using the command:
      svcadm enable ipfilter  (svcadm disable ipfilter)
    • To learn the current status of ipfilter:
      svcs ipfilter
    • Firewall policies are defined in the file: /etc/ipf/ipf.conf

      To allow free communication between components on the local host (e.g. between ACSLS and WebLogic or between the GUI and the ACSLS database), include a statement such as:

      pass in quick from 127.0.0.1 to 127.0.0.1

      or:

      pass in quick from 127.0.0.1 to all

      You must define policies that allow access to all of the ports that are needed for ACSLS. For example, to include a policy allowing remote Web-based browsers to access the ACSLS GUI, you need to open TCP ports 7001 and 7002 (ipfilter requires a protocol when a port is matched):

      pass in quick proto tcp from any to any port = 7001
      pass in quick proto tcp from any to any port = 7002

      After you discover which ports are used by ACSLS to listen for requests from ACSAPI clients, add 'pass in quick' statements for each of these ports.

      It may be necessary to include a 'pass in quick' statement for the RPC portmapper port, 111.

      The last statement in your proposed rule set, "block in from any to any", states that no traffic should reach the host unless specifically allowed in previous statements. Note that ipfilter normally lets the last matching rule win; the 'quick' keyword on the pass statements is what makes them take effect immediately and stops the final block rule from overriding them.

  • Managing iptables on Linux:
    • The iptables firewall is enabled (disabled) by 'root' using the command:
      service iptables start (service iptables stop)
    • To check the status of iptables:
      service iptables status
    • The policy file for iptables is /etc/sysconfig/iptables:

      You must define policies that allow access to all of the ports that are needed for ACSLS. For example, to include a policy that allows remote http/https access to the ACSLS GUI, you should update that file to include exceptions for TCP ports 7001 and 7002 in the INPUT chain (chain names are case-sensitive) using statements like:

      -A INPUT -p tcp --dport 7001 -j ACCEPT
      -A INPUT -p tcp --dport 7002 -j ACCEPT

      After you discover which ports are used by ACSLS to listen for requests from ACSAPI clients, you will need to add exceptions for each of these to the iptables policy file. It may be necessary to include an exception statement for the RPC portmapper port, 111. Because iptables applies the first rule that matches, place each ACCEPT exception above the chain's catch-all REJECT or DROP line; an exception added below it never takes effect.
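      The ordering requirement above is easy to get wrong when editing /etc/sysconfig/iptables by hand. The following script is an added example, not part of Oracle's ACSLS documentation or tooling: it checks a policy file in that format and reports every required port whose ACCEPT rule is missing or sits below the INPUT chain's catch-all REJECT/DROP. The SAMPLE_POLICY contents and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not Oracle's code): verify that an iptables policy file in
# /etc/sysconfig/iptables format carries an effective ACCEPT rule for every
# port ACSLS needs. iptables applies the first matching rule, so an ACCEPT
# that sits below the chain's catch-all REJECT/DROP never takes effect.

# Constructed sample policy file: 7002 is deliberately placed below the
# catch-all REJECT, and the portmapper port 111 has no rule at all.
SAMPLE_POLICY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 7001 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 7002 -j ACCEPT
COMMIT'

# check_port_rule FILE PORT
# Succeeds only if FILE has "-A INPUT ... --dport PORT ... -j ACCEPT"
# above the first catch-all "-A INPUT ... -j REJECT|DROP" (no --dport).
check_port_rule() {
    awk -v port="$2" '
        /^-A INPUT / && /-j (REJECT|DROP)/ && !/--dport/ { catchall = 1 }
        /^-A INPUT / && /-j ACCEPT/ && !catchall {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && $(i + 1) == port) ok = 1
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# missing_ports FILE PORT...
# Prints, one per line, each port that lacks an effective ACCEPT rule.
missing_ports() {
    file=$1; shift
    for p in "$@"; do
        check_port_rule "$file" "$p" || printf '%s\n' "$p"
    done
}

# Demo on the constructed sample (expected output: 7002 and 111).
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_POLICY" > "$demo_file"
missing_ports "$demo_file" 7001 7002 111
rm -f "$demo_file"
```

      Run it against the real file as `missing_ports /etc/sysconfig/iptables 7001 7002 111 <ACSAPI ports>` once you know which ports ACSLS listens on.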