Firewall rules for the Segura® Platform

  • 3 minute(s) read
Prev Next

To ensure the correct operation of Segura®, specific firewall rules need to be configured. In this article, you will find the necessary firewall rules along with corresponding source and destination ports.

Important

In clustered environments, it’s also necessary to configure firewall rules for the Primary application on secondary members.

Please validate that your instance can access the official senhasegura mirror servers using the following URLs:

  • https://deb.senhasegura.com/
  • https://security.senhasegura.com/

Info

We use the following abbreviations in the tables in this article:

  • PRD: Primary application.
  • MBR: secondary members of a cluster.
  • USERW: user workstation.
  • DVC: devices registered in Segura®.
  • DOMUM: Domum Gateway.

Firewall rules

Important

Currently, Segura® doesn’t support the use of any other type of proxy other than the APT proxy for system update packages, and the Fajita proxy. Any other uses of Segura® through some other proxy are not supported.

Communication between Segura® and management systems

Permission Protocol Source Source Port Destination Destination Port
ALLOW UDP PRD ANY NTP SERVER 123/NTP
ALLOW UDP PRD ANY DNS SERVER 53/DNS
ALLOW TCP PRD ANY MAIL SERVER 420/SMTP
ALLOW TCP PRD ANY LDAP SERVER 389/LDAP
ALLOW TCP PRD ANY LDAP SERVER 636/LDAPS
ALLOW UDP PRD ANY RADIUS SERVER 1812/RADIUS
ALLOW TCP PRD ANY TACACS SERVER 49/TACACS
ALLOW UDP PRD ANY TACACS SERVER 49/TACACS
ALLOW TCP PRD ANY LOG SERVER 514/SYSLOG
ALLOW UDP PRD ANY LOG SERVER 6514/SYSLOG
ALLOW TCP PRD ANY BACKUP SERVER 22/SSH
ALLOW TCP PRD ANY BACKUP SERVER 2049/NFS
ALLOW TCP PRD ANY BACKUP SERVER 5445/SMB

Communication between management systems and Segura®

Permission Protocol Source Source Port Destination Destination Port
ALLOW TCP BACKUP SERVER ANY PRD 22/SSH
ALLOW TCP BACKUP SERVER ANY PRD 2049/NFS
ALLOW TCP BACKUP SERVER ANY PRD 445/SMB

Communication between users and Segura®

Permission Protocol Source Source Port Destination Destination Port
ALLOW TCP USERW ANY PRD 443/HTTPS
ALLOW TCP USERW ANY PRD 80/HTTP
ALLOW TCP USERW ANY PRD 22/SSH
ALLOW TCP USERW ANY PRD 3389/RDP

Communication between Segura® and managed devices

Permission Protocol Source Source Port Destination Destination Port
ALLOW TCP PRD ANY DVC 22/SSH
ALLOW TCP PRD ANY DVC 23/TELNET
ALLOW TCP PRD ANY DVC 7443/ORACLE
ALLOW TCP PRD ANY DVC 1433/MS-SQL
ALLOW TCP PRD ANY DVC 5432/POSTGRES
ALLOW TCP PRD ANY DVC 3306/MySQL
ALLOW TCP PRD ANY DVC 3389/RDP
ALLOW TCP PRD ANY DVC 135/RPC
ALLOW TCP PRD ANY DVC 139/RM
ALLOW TCP PRD ANY DVC 445/SMB
ALLOW TCP PRD ANY DVC 80/HTTP
ALLOW TCP PRD ANY DVC 443/HTTPS

Communication between instances of Segura® (if applicable)

Permission Protocol Source Source Port Destination Destination Port
ALLOW TCP PRD ANY MBR 22/SSH
ALLOW TCP PRD ANY MBR 3306/MySQL
ALLOW TCP PRD ANY MBR 9300/VRACE
ALLOW TCP PRD ANY MBR 4567/TRAM
ALLOW TCP PRD ANY MBR 4568/BMC
ALLOW TCP PRD ANY MBR 4444/SST do Galera Cluster
ALLOW UDP PRD ANY MBR 4567/TRAM
ALLOW TCP PRD ANY MBR 80/HTTP
ALLOW TCP PRD ANY MBR 443/HTTPS
ALLOW TCP PRD ANY MBR 4248/Segura Sync
ALLOW TCP PRD ANY MBR 59022/Segura SSH
ALLOW TCP MBR ANY PRD 22/SSH
ALLOW TCP MBR ANY PRD 3306/MySQL
ALLOW TCP MBR ANY PRD 9300/VRACE
ALLOW TCP MBR ANY PRD 4567/TRAM
ALLOW TCP MBR ANY PRD 4568/BMC
ALLOW TCP MBR ANY PRD 4444/SST do Galera Cluster
ALLOW UDP MBR ANY PRD 4567/TRAM
ALLOW TCP MBR ANY PRD 80/HTTP
ALLOW TCP MBR ANY PRD 443/HTTPS
ALLOW TCP MBR ANY PRD 4248/Segura Sync
ALLOW TCP MBR ANY PRD 59022/Segura SSH

Communication between Domum and instances of Segura® (if applicable)

Permission Protocol Source Source Port Destination Destination Port
ALLOW TCP PRD ANY DOMUM 51445/WebSocket
ALLOW TCP PRD ANY DOMUM 443/WSS
ALLOW TCP DOMUM ANY PRD 51445/WebSocket
ALLOW TCP DOMUM ANY PRD 443/WSS