FreeIPA firewall considerations

FreeIPA components
------------------

[A] Identity Management framework: Apache-based web service and routes to other services
[B] LDAP directory server: 389-ds instance
[C] Kerberos Key Distribution Center: krb5kdc
[D] Kerberos administrator daemon: kadmind
[E] Custodia key management: custodia
[F] SSSD: sssd
[G] MS-KKDCP proxy: proxy access to Kerberos over HTTPS
[H] Certificate Authority: dogtag instance on top of Tomcat
[I] DNS server: named
[J] Active Directory integration: Samba services (smbd, winbindd)
[K] Certificate Authority Vault: KRA component of the dogtag instance

Services [A]-[G] are deployed on all IPA masters.
Services [H]-[K] are optional; they can be deployed on some IPA masters.

Most FreeIPA servers listen on TCP6 or UDP6 on all network interfaces. This
allows a dual stack (TCP/TCP6 or UDP/UDP6) to be served by the same code base
and is the recommended practice for contemporary networking applications.

Externally accessible services
------------------------------

The Identity Management framework [A] exposes a set of JSON-RPC interfaces over
HTTPS port 443 (TCP/TCP6). It also exposes access to the services of [E], [G],
and [H] as a proxy over HTTPS port 443 (TCP/TCP6). For CRL and CA certificate
retrieval purposes there is access to HTTP port 80 (TCP/TCP6). Optionally,
during FreeIPA master deployment, a redirect rule can be activated that turns
all other access to the HTTP service on port 80 into redirects to the HTTPS
service on port 443.
Access to LDAP services [B] is allowed over the following ports:

* port 389 (TCP/TCP6), normal LDAP traffic, with the StartTLS extension or
  SASL GSSAPI to secure the connection
* port 636 (TCP/TCP6), normal LDAP traffic over SSL
* port 389 (UDP), so-called Connectionless LDAP access to facilitate
  integration with Active Directory services (part of [J])

Access to Kerberos services [C] and [D] is allowed over the following ports:

* port 88 (TCP/TCP6 and UDP/UDP6), normal Kerberos traffic
* port 464 (TCP/TCP6 and UDP/UDP6), Kerberos password change protocol
* port 749 (TCP/TCP6), Kerberos remote administration protocol

Access to Custodia key management services [E] is provided over HTTPS port 443
(TCP/TCP6) as part of [A].

The SSSD service [F] is a client-only service; it does not listen on any
TCP/TCP6 or UDP/UDP6 ports. SSSD connects to a variety of services during its
operation. Its behavior is described in a separate section.

Access to Kerberos proxy services [G] using the MS-KKDCP protocol is allowed
over HTTPS port 443 (TCP/TCP6) as part of [A].

Access to Certificate Authority services [H] and [K] is allowed over HTTPS port
443 (TCP/TCP6) as part of [A], and over the following ports for functionality
not exposed within [A]:

* HTTP access over port 8080 (TCP/TCP6), for the OCSP responder and
  certificate status
* HTTPS access over port 8443 (TCP/TCP6), for CA administration purposes
* Internally, on IPA masters, ports 8005 and 8009 (TCP/TCP6) are used to run
  components of the Certificate Authority services on the 127.0.0.1 and ::1
  local interface addresses.
Access to the DNS service [I] is allowed over the following ports:

* port 53 (TCP/TCP6 and UDP/UDP6), standard DNS resolver
* port 953 (TCP/TCP6), BIND service remote control on the 127.0.0.1 and ::1
  local interface addresses

Access to Active Directory integration services [J] is allowed over the
following ports:

* port 135 (TCP/TCP6), DCE RPC end-point mapper (smbd daemon)
* port 138 (TCP/TCP6), NetBIOS Datagram service (optional, requires the nmbd
  daemon to run)
* port 139 (TCP/TCP6), NetBIOS Session service (smbd daemon)
* port 445 (TCP/TCP6), SMB protocol over TCP/TCP6 (smbd daemon)
* dynamically opened ports 49152-65535 (TCP/TCP6) for DCE RPC end-point
  services

Communication patterns and data flows
-------------------------------------

FreeIPA installation tools
--------------------------

The client installation tool, `ipa-client-install', performs the following
requests:

* DNS resolution, using the standard DNS protocol against the DNS resolvers
  configured on the client system
* Kerberos protocol operations to [C]
* JSON-RPC calls to discovered or configured FreeIPA masters using the HTTPS
  protocol to [A]
* LDAP protocol operations over TCP/TCP6 to port 389 using SASL GSSAPI
  authentication and/or plain LDAP
* (optional) Network Time Protocol (NTP) discovery and resolution to
  synchronize time between the client system and FreeIPA masters

The FreeIPA replica installation tool, `ipa-replica-install', performs the
following requests:

* DNS resolution, using the standard DNS protocol against the DNS resolvers
  configured on the client system
* Kerberos protocol operations to [C]
* JSON-RPC calls to discovered or configured FreeIPA masters using the HTTPS
  protocol to [A]
* LDAP protocol operations over TCP/TCP6 to port 389 using SASL GSSAPI
  authentication and/or plain LDAP
* (optionally) LDAPS protocol operations over TCP/TCP6 to port 636 when the
  replica is being deployed using domain level 0

Integration with Active Directory requires the following operations:

* From an IPA trust controller towards Active Directory Domain Controllers:
  * DNS resolution, using the standard DNS protocol against the DNS resolvers
    configured on the IPA trust controller
  * Requests to UDP/UDP6 port 389 using the Connectionless LDAP (CLDAP)
    protocol to perform AD DC discovery
  * Requests to TCP/TCP6 ports 389 and 3268 using the LDAP protocol to query
    Active Directory user and group information
  * Requests to TCP/TCP6 ports 135, 139, 445 using DCE RPC and SMB protocols
    to set up and support the cross-forest trust to Active Directory
  * Requests to dynamically opened ports as directed by an Active Directory
    domain controller in response to requests to the DCE RPC end-point mapper
    (port 135 TCP/TCP6). Opened ports on the AD DC side are likely in the
    range 49152-65535 (TCP/TCP6)
  * Kerberos protocol operations similar to [C] but against AD DCs (*)
* From Active Directory Domain Controllers towards IPA masters:
  * DNS resolution, using the standard DNS protocol against the DNS resolvers
    configured on the Active Directory Domain Controller
  * Requests to UDP/UDP6 port 389 using the Connectionless LDAP (CLDAP)
    protocol to perform IPA trust agent discovery
  * Requests to TCP/TCP6 ports 135, 139, 445 using DCE RPC and SMB protocols
    to verify the cross-forest trust to Active Directory
  * Requests to dynamically opened ports as directed by an IPA trust
    controller in response to requests to the DCE RPC end-point mapper (port
    135 TCP/TCP6). Opened ports on the IPA trust controller side are likely in
    the range 49152-65535 (TCP/TCP6)
  * Kerberos protocol operations similar to [C]

(*) Currently the MIT Kerberos implementation is unable to stick to a single AD
DC when performing Kerberos protocol operations. The chosen AD DC will depend
on the details of the Kerberos configuration.
In the most common case, DNS service-based discovery is performed. For
operations initiated by SSSD, SSSD is able to choose and stick to site-specific
AD DCs. SSSD also records the chosen AD DCs in a configuration that is picked
up by the MIT Kerberos KDC locator plugin, thus making these DCs available to
other Kerberos applications as preferred ones.

Client side of Identity Management Framework
--------------------------------------------

The client side of the Identity Management Framework is implemented as two
different applications:

* the `ipa' command line utility
* a browser-based web UI

The command line utility, the `ipa' tool, performs the following operations:

* DNS resolution, using the standard DNS protocol against the DNS resolvers
  configured on the client system
* Kerberos protocol operations to [C]
* JSON-RPC calls to discovered or configured FreeIPA masters using the HTTPS
  protocol to [A]

The browser-based web UI performs its operations against a chosen FreeIPA
master using the HTTPS protocol to [A].

SSSD communication
------------------

The SSSD service [F] can be configured to communicate with multiple servers.
The following communication patterns are common:

* SSSD on IPA clients talking to IPA servers:
  * DNS resolution, using the standard DNS protocol against the DNS resolvers
    configured on the client system
  * Kerberos protocol operations to [C] and Active Directory domain
    controllers
  * LDAP protocol operations over TCP/TCP6 to port 389 using SASL GSSAPI
    authentication and/or plain LDAP to IPA servers
  * (optionally) In case of smart-card authentication, to the OCSP responder,
    if configured.
    This is often done via the HTTP protocol to port 80, but depends on the
    actual value of the OCSP responder URL in the client certificate
* SSSD on IPA trust agents talking to Active Directory Domain Controllers:
  * DNS resolution, using the standard DNS protocol against the DNS resolvers
    configured on the client system
  * Kerberos protocol operations to [C] and Active Directory domain
    controllers
  * Requests to TCP/TCP6 ports 389 and 3268 using the LDAP protocol to query
    Active Directory user and group information
  * (optionally) In case of smart-card authentication, to the OCSP responder,
    if configured. This is often done via the HTTP protocol to port 80, but
    depends on the actual value of the OCSP responder URL in the client
    certificate
* Kerberos authentication always happens against the source of truth. For AD
  users this means Kerberos authentication is done against AD DCs, unless use
  of the MS-KKDCP proxy is enforced via configuration on the IPA clients,
  forcing them to use the IPA trust agents' MS-KKDCP proxy instead. In that
  case, the IPA trust agents need to be configured to pass Kerberos traffic
  through to the AD DCs.

Certmonger communication
------------------------

Certmonger is a daemon running on IPA masters and IPA clients that allows
timely renewal of the SSL certificates associated with the services on those
machines. Certmonger can communicate with multiple parties:

* DNS resolution, using the standard DNS protocol against the DNS resolvers
  configured on the client system
* Kerberos protocol operations to [C]
* JSON-RPC calls to discovered or configured FreeIPA masters using the HTTPS
  protocol to [A] to request new certificates
* HTTP access over port 8080 (TCP/TCP6), for the OCSP responder and
  certificate status on IPA masters
* (optionally) HTTPS access over port 8443 (TCP/TCP6), for CA administration
  purposes on IPA masters, as part of the IPA master and replica installation
  process.
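The externally accessible ports enumerated for [A]-[K] above, turned into a reviewable firewalld allow list, as an added example that is not part of the FreeIPA documentation or tooling. It assumes firewalld on the master and uses its own role names (ca, dns, trust) to select the optional components; the loopback-only ports (8005, 8009, 953) are kept out of the list on purpose.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA documentation: build the list of
# externally reachable ports for an IPA master from the roles it serves
# and print the matching firewalld commands for review. Role names
# (base is implicit; ca, dns, trust) are this script's own assumption.

# One "port/proto" per line. Loopback-only ports (8005, 8009 for [H],
# 953 for [I]) are deliberately absent: they must stay closed.
ipa_master_ports() {
    # [A] HTTP/HTTPS, [B] LDAP/LDAPS/CLDAP, [C]/[D] Kerberos, kpasswd, kadmin
    ports="80/tcp 443/tcp 389/tcp 636/tcp 389/udp 88/tcp 88/udp 464/tcp 464/udp 749/tcp"
    for r in "$@"; do
        case "$r" in
            ca)    ports="$ports 8080/tcp 8443/tcp" ;;  # [H]/[K] OCSP, CA admin
            dns)   ports="$ports 53/tcp 53/udp" ;;      # [I]
            trust) ports="$ports 135/tcp 139/tcp 445/tcp 49152-65535/tcp" ;;  # [J]; 138 only with nmbd
            *)     echo "unknown role: $r" >&2; return 1 ;;
        esac
    done
    printf '%s\n' $ports   # unquoted on purpose: split on spaces
}

# Guard against a copy/paste mistake that exposes the loopback-only ports.
check_no_loopback_ports() {
    if ipa_master_ports "$@" | grep -Eq '^(8005|8009|953)/'; then
        return 1
    fi
    return 0
}

# Print (do not run) the firewalld invocations so they can be reviewed first.
ipa_master_firewall() {
    list=$(ipa_master_ports "$@") || return 1
    for p in $list; do
        printf 'firewall-cmd --permanent --add-port=%s\n' "$p"
    done
    echo 'firewall-cmd --reload'
}

# Constructed usage: sh this_script.sh ca dns
if [ $# -gt 0 ]; then
    ipa_master_firewall "$@"
fi
```

Pipe the printed commands into a shell only after checking them against the actual `ss -tulpn` output of the master, since a role that is not deployed should not have its ports opened.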