I am going to deploy a Docker Swarm (3 nodes: 1 manager, 'frontend', and 2 workers, 'backend' and 'db') with Security Groups for the VPC. I am planning to deny all inbound/outbound connections from the start.
The goal of denying all inbound connections
Simply put, inbound firewall rules protect the network against incoming traffic from the internet or other network segments -- namely, disallowed connections, malware and denial-of-service (DoS) attacks.
The goal of denying all outbound connections
Blocking outbound traffic is usually of benefit in limiting what an attacker can do once they've compromised a system on your network.
The current Security Group rules
Inbound:
1. protocol tcp | port 22 | auth object ip address | description ssh
2. protocol tcp | port 80 | auth object 0.0.0.0/0 | description http
3. protocol tcp | port 443 | auth object 0.0.0.0/0 | description https
Outbound:
1. protocol udp | port 53 | auth object 0.0.0.0/0 | description dns lookup
2. protocol tcp | port 465 | auth object 0.0.0.0/0 | description smtp server
3. protocol tcp | port 587 | auth object 0.0.0.0/0 | description smtp relay service
4. protocol tcp | port 993 | auth object 0.0.0.0/0 | description imap server
This question popped up in my mind because one of the nodes is running CentOS and relies on chronyd (as its Network Time Protocol client), which uses protocol udp | port 123 to talk to the NTP server. I decided to add it to the outbound Security Group rules:
Outbound:
- protocol udp | port 123 | auth object 0.0.0.0/0 | description NTP server
netstat output
I use $ sudo netstat -antupc to monitor connections, and I get SYN_SENT state for AliYunDun and aliyun-service and a BLANK state for chronyd:
tcp 0 1 private ip address:34484 100.100.103.52:80 SYN_SENT 1912/AliYunDun
tcp 0 1 private ip address:47530 100.100.80.165:80 SYN_SENT 928/aliyun-service
udp6 0 0 ::1:323 :::* 666/chronyd
Which ports should be left open for inbound and outbound connections for other Linux services to work properly?
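Reading the netstat lines above against the outbound rule set, as an added example that is not part of the original question: a Python script that parses netstat -antup output, picks out TCP sockets stuck in SYN_SENT, and reports which of them no current egress rule permits. Under a default-deny egress policy an outbound SYN that the Security Group drops never gets a SYN-ACK, so SYN_SENT is the usual signature of a missing outbound rule (the same state also appears when the remote host is down or filtered, which is why a covered 587 destination is kept in the sample to show it is not reported). The rule set is the post's outbound table plus the udp/123 rule added for chronyd. The private address 10.0.0.5, the dockerd and postfix lines, and their destination addresses are constructed for the example; the chronyd line is the daemon's chronyc command socket on ::1:323, which has no remote peer and therefore raises no egress question.

```python
"""Map half-open outbound connections in netstat output to missing egress rules.

Added example, not code from the original post. Assumes a default-deny egress
policy: an outbound TCP SYN dropped by the Security Group never receives a
SYN-ACK, so the client socket stays in SYN_SENT.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    """One outbound rule as listed in the post: protocol, port range, destination CIDR."""
    protocol: str
    port_from: int
    port_to: int
    dest_cidr: str

    def permits(self, protocol, port, ip):
        if protocol != self.protocol or not self.port_from <= port <= self.port_to:
            return False
        # An IPv6 address is never "in" an IPv4 network; ipaddress returns False rather than raising.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.dest_cidr, strict=False)


# The outbound rules from the post, plus the udp/123 NTP rule the author added.
CURRENT_EGRESS = [
    EgressRule("udp", 53, 53, "0.0.0.0/0"),
    EgressRule("tcp", 465, 465, "0.0.0.0/0"),
    EgressRule("tcp", 587, 587, "0.0.0.0/0"),
    EgressRule("tcp", 993, 993, "0.0.0.0/0"),
    EgressRule("udp", 123, 123, "0.0.0.0/0"),
]

# Constructed sample of `sudo netstat -antup` output, modelled on the lines in the post.
# 10.0.0.5, the dockerd/postfix lines and the 198.51.100.x / 203.0.113.x peers are invented.
SAMPLE_NETSTAT = """\
tcp        0      1 10.0.0.5:34484          100.100.103.52:80       SYN_SENT    1912/AliYunDun
tcp        0      1 10.0.0.5:47530          100.100.80.165:80       SYN_SENT    928/aliyun-service
tcp        0      1 10.0.0.5:50210          198.51.100.20:443       SYN_SENT    2210/dockerd
tcp        0      1 10.0.0.5:50377          198.51.100.25:587       SYN_SENT    2301/postfix
tcp        0      0 10.0.0.5:22             203.0.113.7:51234       ESTABLISHED 1201/sshd: root
udp6       0      0 ::1:323                 :::*                                666/chronyd
"""

# proto recv-q send-q local remote [state] pid/program; UDP lines have no state column.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<prog>\S.*)$"
)


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 literals such as ::1:323 parse too."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def half_open_outbound(netstat_text):
    """Yield (protocol, remote_ip, remote_port, program) for TCP sockets stuck in SYN_SENT."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "SYN_SENT":
            continue  # listeners, established flows and UDP sockets carry no SYN state
        ip, port = split_endpoint(m.group("remote"))
        yield m.group("proto").rstrip("6"), ip, int(port), m.group("prog")


def missing_egress_rules(netstat_text, rules):
    """Return (protocol, port, ip, program) for half-open flows no current egress rule permits."""
    missing = []
    for proto, ip, port, prog in half_open_outbound(netstat_text):
        if not any(r.permits(proto, port, ip) for r in rules):
            missing.append((proto, port, ip, prog))
    return missing


def suggested_rules(missing):
    """Collapse findings into distinct egress rules scoped to the observed destination /32."""
    rules = {EgressRule(proto, port, port, f"{ip}/32") for proto, port, ip, _ in missing}
    return sorted(rules, key=lambda r: (r.protocol, r.port_from, r.dest_cidr))


if __name__ == "__main__":
    findings = missing_egress_rules(SAMPLE_NETSTAT, CURRENT_EGRESS)
    for proto, port, ip, prog in findings:
        print(f"{prog}: {proto}/{port} to {ip} is not permitted by any egress rule")
    for rule in suggested_rules(findings):
        print(f"suggest: protocol {rule.protocol} | port {rule.port_from} | dest {rule.dest_cidr}")
```

Run it against a saved capture (netstat -antup > snapshot.txt, then pass the file contents instead of SAMPLE_NETSTAT) on each node after the deny-all policy is in place. Each finding names the destination and port an outbound rule must permit; the /32 suggestion is a least-privilege starting point that you widen deliberately rather than reaching for 0.0.0.0/0, and the 100.100.x.x destinations in the post belong to the cloud provider's internal service network, so scoping those rules to the observed addresses keeps egress tight. Note that the sample also exposes a gap the post's table has regardless of the agents: with no tcp/80 or tcp/443 egress, package updates and image pulls fail the same way. Nothing in a netstat snapshot shows swarm traffic that has not started yet; Docker's documented node-to-node ports (2377/tcp for management, 7946/tcp and udp for node communication, 4789/udp for the overlay network) need rules between the three nodes in both directions whatever the snapshot reveals.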