Rancher server and agent can't communicate when ufw is enabled on ubuntu

Hello,

I am trying to close all ports on the server except 80, 443, 500/udp and 4500/udp. To do that I am using ufw on both the ubuntu server and the agent/host. However, after enabling ufw the server and the agent can't communicate with each other. The host is shown as disconnected on the rancher server when I access it at Rancher-server-ip:8080.

They work fine if ufw is disabled. Are there any other ports that are required to be opened in order to allow the rancher agent to communicate with the rancher server?

Here are the ufw rules of the rancher server:

To                         Action      From
--                         ------      ----
8080/tcp                   ALLOW       Anywhere
22                         ALLOW       Anywhere
4789/udp                   ALLOW       Anywhere
500/udp                    ALLOW       Anywhere
4500/udp                   ALLOW       Anywhere
8080/tcp (v6)              ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
4789/udp (v6)              ALLOW       Anywhere (v6)
500/udp (v6)               ALLOW       Anywhere (v6)
4500/udp (v6)              ALLOW       Anywhere (v6)

ufw rules of the rancher host/agent:

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22                         ALLOW       Anywhere
4789/udp                   ALLOW       Anywhere
500/udp                    ALLOW       Anywhere
4500/udp                   ALLOW       Anywhere
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
4789/udp (v6)              ALLOW       Anywhere (v6)
500/udp (v6)               ALLOW       Anywhere (v6)
4500/udp (v6)              ALLOW       Anywhere (v6)

The agent on the host opens the connection to the server for that host to be managed. So the hosts need to allow outbound to Rancher-server-ip:8080.

There are various other things that are going to be broken at the level of blocking outbound connections… machine driver communication with the clouds, update the catalog, most of the auth providers, etc.

And 4789 is VXLAN so you don’t need that if you’re doing IPSec (500+4500).


Ok, so I need to open port 8080 for the rancher-server IP for outbound traffic from the host to the rancher server. And it should work? That makes sense, as the host won't be able to communicate with the rancher server API if port 8080 is blocked.

Yes, I know port 4789 is for VXLAN. It was just a desperate attempt to fix this issue.
I will open port 8080 and see what happens.

I appreciate one organisations security posture often differs from another, but in many cases we tend to only lock down on the ingress side and leave the egress relatively open. There are occasions where we want to do both but most of the time it’s unnecessary … YMMV (and your CISO may have a different view, as they so often do :wink: )

Yes, I agree. I do have a very similar setup for most of the rancher hosts, but this particular host needs to have its egress locked down because of the nature of the service it holds. It is an isolated environment, which requires limited access.

Rancher’s infra service network-manager creates a bunch of iptables chains (CATTLE_*) and expects them to be in a certain order. Enabling ufw or other firewall services interferes with this and reorders the rules, causing undesired problems.

I didn’t experience any issues or conflicts between rancher/docker iptables rules and ufw rules.
After opening the ports on ufw, everything is working normally.