IBM DataPower Operations Dashboard v1.0.11.0
A newer version of this product documentation is available.
You are viewing an older version. View latest at IBM DPOD Documentation.
Internal Firewall
- Copy Page Tree
- Former user (Deleted)
DPOD appliances use embedded host based firewall (Linux Iptables). All inbound and outbound communication is blocked with the following exceptions required for the DPOD product.
The communication rules are detailed in the Firewall Requirements topic.
The system administrator may choose to allow additional communication. The DPOD appliance includes a shell script for altering the firewall rules.
Display current firewall rules
Use the following built-in command to display DPOD's default firewall state
iptables -L
The output is :
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT udp -- anywhere anywhere udp dpt:ntp ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpts:60000:60009 ACCEPT tcp -- anywhere anywhere tcp dpts:60020:60029 ACCEPT tcp -- anywhere anywhere tcp dpt:https REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:5550 ACCEPT udp -- anywhere anywhere udp dpt:ntp ACCEPT udp -- anywhere anywhere udp dpt:domain CCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:ldap ACCEPT tcp -- anywhere anywhere tcp dpt:ldaps ACCEPT tcp -- anywhere anywhere tcp dpt:msft-gc ACCEPT tcp -- anywhere anywhere tcp dpt:msft-gc-ssl
It is recommended to alter this rules using DPOD firewall update tool in order to limit access only to allowed IPs. (e.g. replace the rule that allows every IP to connect to DPOD using tcp port 60000 (syslog) to specific monitored device IP address / monitored device subnet ).