Creating Firewall Rules for OpenLink Applications

Introduction

These days it is becoming more common to enable firewalls on internal networks as well as when dealing with the broader Internet.

In this document, we will describe how to set up firewall rules to open several default ports and special networks:

| application | protocol | port(s) | description | internal or external network |
|---|---|---|---|---|
| oplmgr | UDP | 60001 | Broadcast on 224.0.0.24/32 | internal only |
| oplmgr | TCP | 60001 | Downloading license statistics | internal only |
| oplrqb | TCP | 5000 | UDA Request Broker | internal and external |
| *_sv and *_mv | TCP | 5000 – 5050 | UDA Database Agents and Bridge Agents | internal and external |
| www_sv | TCP | 8000 | UDA Request Broker Admin Assistant | internal and external |
| virtuoso | TCP | 1111 | Virtuoso ODBC, JDBC, ADO.NET, OLE DB, and iSQL | internal and external |
| virtuoso | TCP | 8890 | Virtuoso HTTP endpoint | internal and external |

If your operating system is not mentioned in this document or you are having issues with the instructions provided, please contact our Support Department for assistance.

Amazon AMI

The firewall for Amazon AMIs is normally set up either in the AWS console for an individual AMI, or in a VPS description to set a policy for a group of servers.

In such cases, we only need to enter rules for the ports that should be enabled for external networks and for the applications we actually want to access from outside of the network. Thus, if your Virtuoso installation only needs to accept connections from the Internet via the HTTP protocol, you would typically only open port 8890 for the default HTTP endpoint, or port 80 and/or 443 if you have created specific HTTP and/or HTTPS endpoints in Virtuoso.

In some cases, individual AMIs can have their own firewall rules on top of the ones provided by the AWS console. In such cases, read the section for the specific OS later in this document.

Microsoft Azure

This is similar to the Amazon AMI setup.

RedHat/Centos 5.x and 6.x

RedHat/Centos 7.x, Fedora 18 and newer

These operating system versions use the firewalld package.

The following command can be used to check if the package is installed and enabled:

$ sudo /bin/firewall-cmd --state
running

If firewall-cmd is not found or it returns not running, the firewall software is not enabled, and no further actions should be needed to run any of the OpenLink applications on your system.

The following commands are required for the oplmgr process.

First, enable multicast on IPv4-based networks:

$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT

$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT

If your network is IPv6-based:

$ sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT

$ sudo firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT
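
The following is an added example, not part of the original OpenLink document. It goes beyond the multicast rules above and turns the port table from the introduction into firewalld commands, limiting the "internal only" rows to an internal source range. The function name, the zone name public and the sample range 10.0.0.0/8 are assumptions.

```shell
#!/bin/sh
# Added example: print (do not run) firewalld commands for the port table.
# Rows copied from the page's table: protocol, port(s), scope.
# TCP 5000 (oplrqb) is already inside the 5000-5050 agent range.
OPL_PORTS='udp 60001 internal
tcp 60001 internal
tcp 5000-5050 both
tcp 8000 both
tcp 1111 both
tcp 8890 both'

# opl_firewalld_cmds INTERNAL_CIDR [ZONE]
# INTERNAL_CIDR (IPv4) and ZONE are site-specific assumptions, not page values.
opl_firewalld_cmds() {
    cidr=$1
    zone=${2:-public}
    # Reject empty, match-all, or non-numeric input so the printed
    # commands stay safe to paste into a root shell.
    case $cidr in
        ''|*/0|*[!0-9./]*) echo "bad internal CIDR: '$cidr'" >&2; return 1 ;;
    esac
    case $zone in
        ''|*[!A-Za-z0-9_-]*) echo "bad zone name" >&2; return 1 ;;
    esac
    echo "$OPL_PORTS" | while read -r proto port scope; do
        if [ "$scope" = internal ]; then
            # "internal only": accept solely from the internal source range
            rule="rule family=\"ipv4\" source address=\"$cidr\" port port=\"$port\" protocol=\"$proto\" accept"
            echo "firewall-cmd --permanent --zone=$zone --add-rich-rule='$rule'"
        else
            # "internal and external": open the port for every source
            echo "firewall-cmd --permanent --zone=$zone --add-port=$port/$proto"
        fi
    done
    echo "firewall-cmd --reload"
}

# Constructed sample range; replace with your own internal network.
opl_firewalld_cmds "${1:-10.0.0.0/8}"
```

Review the printed lines and run with sudo only those for the applications installed on the host.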

Ubuntu 16.04 and newer, Debian 9 and newer

These operating system versions use the Uncomplicated Firewall (UFW) software.

The following command can be used to check if this package is installed and enabled:

$ sudo /usr/sbin/ufw status
Status: active

If ufw is not found or it returns Status: inactive, the firewall software is not enabled, and no further actions should be needed to run any of the OpenLink applications on your system.

To enable the oplmgr program, allow inbound UDP traffic addressed to the multicast group on port 60001:

$ sudo ufw allow in proto udp to 224.0.0.24/32 port 60001

Microsoft Windows

Other operating systems

Many other operating systems also have specific applications to create firewall rules.

If you know the commands to use on an operating system not described above, please feel free to contact our Support Department with the details, and we will add your instructions to this document.