01-09-2017 01:25 PM - edited 01-09-2017 02:28 PM
I have one grid member that is opened to the world so I am going to set up an outbound router ACL for the MGMT, LAN1 and LAN2 ports.
I've researched this and come up with the port list below. Am I missing anything?
Allow from "grid master" UDP 2114 - Auth needed to join grid
Allow from "grid master" UDP 1194 - VPN for grid communications
Allow from any TCP 53 - DNS grid master and DNS clients
Allow from any UDP 53 - DNS grid master and DNS clients
Allow from "internal network" TCP 22 - SSH access to grid member
Allow from any UDP 123 - Allow any NTP clients
Logging: Since this is an outbound ACL (from the router interface perspective), I shouldn't have to do anything since we're using UDP 514 for this particular member.
Reporting: Grid members talk to reporting appliance on TCP 9997 so I will need to allow return traffic.
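As an added illustration (not code from the original post or from Infoblox), here is a small stateless ACL matcher in Python that encodes the port list above as ordered rules with an implicit deny, plus the return-traffic rule the post mentions for the reporting session on TCP 9997. All addresses and network ranges are constructed placeholders; substitute your real grid master, reporting appliance and internal ranges.

```python
"""Stateless ACL check for the member port list above.

Added example, not Infoblox code or a vendor config. Addresses are
constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses (RFC 5737 / RFC 1918 ranges).
GRID_MASTER = ipaddress.ip_network("192.0.2.10/32")
REPORTING = ipaddress.ip_network("192.0.2.20/32")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    proto: str                       # "tcp" or "udp"
    dst_port: Optional[int]          # None matches any destination port
    note: str
    src_port: Optional[int] = None   # None matches any source port


# Rules for traffic the router forwards toward the member, evaluated in
# order; anything that matches no rule hits the implicit deny at the end.
MEMBER_ACL = [
    Rule(GRID_MASTER, "udp", 2114, "grid join/auth"),
    Rule(GRID_MASTER, "udp", 1194, "grid VPN"),
    Rule(ANY, "tcp", 53, "DNS"),
    Rule(ANY, "udp", 53, "DNS"),
    Rule(INTERNAL, "tcp", 22, "SSH"),
    Rule(ANY, "udp", 123, "NTP"),
    # Return traffic for the member-initiated reporting session: the
    # appliance answers from TCP 9997 to whichever ephemeral port the
    # member chose, so only the source port can be pinned here.
    Rule(REPORTING, "tcp", None, "reporting return traffic", src_port=9997),
]


def evaluate(acl, src_ip, proto, dst_port, src_port=None):
    """Return the note of the first matching rule, or "deny"."""
    addr = ipaddress.ip_address(src_ip)
    for rule in acl:
        if (addr in rule.src
                and rule.proto == proto
                and (rule.dst_port is None or rule.dst_port == dst_port)
                and (rule.src_port is None or rule.src_port == src_port)):
            return rule.note
    return "deny"


# Constructed sample flows: (label, (src_ip, proto, dst_port, src_port)).
SAMPLE_FLOWS = [
    ("grid master join",        ("192.0.2.10",   "udp", 2114,  40000)),
    ("stranger on grid port",   ("198.51.100.7", "udp", 2114,  40000)),
    ("public DNS query",        ("198.51.100.7", "udp", 53,    33333)),
    ("public SSH attempt",      ("198.51.100.7", "tcp", 22,    5000)),
    ("internal SSH",            ("10.1.2.3",     "tcp", 22,    5000)),
    ("reporting reply",         ("192.0.2.20",   "tcp", 51234, 9997)),
    ("reporting, wrong port",   ("192.0.2.20",   "tcp", 51234, 9998)),
]


def audit(acl, flows):
    """Evaluate every sample flow; returns a list of (label, verdict)."""
    return [(label, evaluate(acl, *flow)) for label, flow in flows]


if __name__ == "__main__":
    for label, verdict in audit(MEMBER_ACL, SAMPLE_FLOWS):
        print(f"{label:24s} -> {verdict}")
```

The matcher only models the direction the post is asking about (router toward the member); member-originated syslog on UDP 514 never enters this ACL, which is why the post needs no rule for it, while the reporting appliance's replies do need one because they travel in the filtered direction.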
04-24-2017 11:43 AM
All internal communication should be via the MGMT port (Grid, Syslog, Reporting).
LAN1,LAN2 only for DNS. I'm not sure if you really need to open NTP to the world.
09-19-2018 07:42 AM
I am trying to secure our Infoblox environment also. I am wondering if these settings worked for you. My questions are on your TCP/UDP 53 and NTP 123.
My understanding is the response for DNS goes out on 53 and can come back on any random port. I may be wrong, so blocking others except 53 worked for you?
Opening NTP 123 to any (world) doesn't cause an issue? I am planning to block NTP to the world. Am I wrong on this?