Creating Firewall Rules for OpenLink Applications

Introduction

These days it is more common to also enable firewalls on internal networks.

This document describes how to set up firewall rules that open the following default ports and special networks:

| application | protocol | port(s) | description | network |
|---|---|---|---|---|
| oplmgr | UDP | 60001 | Broadcast on 224.0.0.24/32 | internal network only |
| oplmgr | TCP | 60001 | Downloading license statistics | internal network only |
| oplrqb | TCP | 5000-5050 | Request broker connection | internal and external |
| www_sv | TCP | 8000 | OpenLink Admin Assistant (UDA) | internal and external |
| virtuoso | TCP | 1111 | Virtuoso ODBC/JDBC/ADO.NET and iSQL | internal and external |
| virtuoso | TCP | 8890 | Virtuoso Default HTTP endpoint | internal and external |

If your operating system is not mentioned in this document or you are having issues with the instructions provided, please contact our Support Department (support@openlinksw.com) for assistance.

Amazon AMI

The firewall for Amazon AMIs is normally set up in the AWS console either for an individual AMI, or using a VPS description to set a policy for a group of servers.

In such cases we only need to enter rules for the ports that should be enabled for external networks and for the applications we actually want to access from outside of the network. For example, if your Virtuoso installation only needs to be reachable from the Internet over HTTP, you would typically open only port 8890 for the default HTTP endpoint, or ports such as 80 and/or 443 if you have created specific endpoints in Virtuoso.

In some cases the individual AMIs can have their own firewall rules on top of the ones provided by the AWS console. In such cases, read the section for the specific OS later in this document.

Microsoft Azure

This is similar to the Amazon AMI setup.

RedHat/Centos 5.x and 6.x

RedHat/Centos 7.x, Fedora 18 and newer

These operating system versions use the firewalld package.

The following command can be used to check if the package is installed and enabled:

    $ sudo /bin/firewall-cmd --state
    running

If the above program is not found or it returns "not running", the firewall software is not enabled and no further actions should be needed to run any of the OpenLink applications on your system.

The following commands are required for the oplmgr process. Note that they accept all inbound multicast packets, not only the oplmgr traffic on UDP port 60001:

    # enable multicast on IPv4 based networks
    $ sudo firewall-cmd  --direct --add-rule ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT
    $ sudo firewall-cmd  --permanent --direct --add-rule ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT
    
    # and in case your network is IPv6 based
    $ sudo firewall-cmd  --direct --add-rule ipv6 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT
    $ sudo firewall-cmd  --permanent --direct --add-rule ipv6 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT
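
The commands above cover only the oplmgr multicast traffic. As an added example (not part of the original page or of OpenLink's tooling), the script below prints firewalld commands for the TCP ports in this document's port list, limits the internal-only port to an internal network, and uses a narrower IPv4 multicast rule. The function name, the default zone `public` and the sample CIDR are assumptions.

```shell
#!/bin/sh
# Added example, not OpenLink's own script. Prints (does not run) firewalld
# commands for the default ports in the port list of this document.
# Assumptions: function name, default zone "public", sample CIDR below.

OPL_EXTERNAL_PORTS="5000-5050/tcp 8000/tcp 1111/tcp 8890/tcp" # oplrqb, www_sv, virtuoso
OPL_INTERNAL_PORTS="60001/tcp"                                # oplmgr license statistics

opl_firewalld_rules() {
    cidr=$1
    zone=${2:-public}

    # Accept only a plain IPv4 CIDR and a simple zone name, so neither value
    # can inject extra text into the quoted rules printed below.
    case $cidr in
        ''|*[!0-9./]*) echo "usage: opl_firewalld_rules IPV4_CIDR [ZONE]" >&2; return 2 ;;
    esac
    case $zone in
        ''|*[!A-Za-z0-9_-]*) echo "invalid zone name" >&2; return 2 ;;
    esac

    # Ports the document marks "internal and external": open in the zone.
    for p in $OPL_EXTERNAL_PORTS; do
        printf '%s\n' "firewall-cmd --permanent --zone=$zone --add-port=$p"
    done

    # Ports marked "internal network only": accept from the internal CIDR only.
    for p in $OPL_INTERNAL_PORTS; do
        printf '%s\n' "firewall-cmd --permanent --zone=$zone --add-rich-rule='rule family=\"ipv4\" source address=\"$cidr\" port port=\"${p%/*}\" protocol=\"${p#*/}\" accept'"
    done

    # oplmgr multicast: match only the group and UDP port from the port list,
    # instead of accepting every multicast packet.
    printf '%s\n' "firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s $cidr -d 224.0.0.24/32 -p udp --dport 60001 -j ACCEPT"

    # Load the permanent configuration into the running firewall.
    printf '%s\n' "firewall-cmd --reload"
}

# Constructed sample network (documentation range); review the output before use.
opl_firewalld_rules 192.0.2.0/24
```

The script only prints the commands, so they can be reviewed and then run with sudo by hand.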

Ubuntu 16.04 and newer, Debian 9 and newer

These operating system versions use the Uncomplicated Firewall (UFW) software.

The following command can be used to check if this package is installed and enabled:

    $ sudo /usr/sbin/ufw status
    Status: active

If the above program is not found or it returns "Status: inactive", the firewall software is not enabled and no further actions should be needed to run any of the OpenLink applications on your system.

To enable the oplmgr program:

    # the multicast group is the destination address of the packets, never the source
    $ sudo ufw allow in proto udp to 224.0.0.24/32 port 60001

Microsoft Windows

Other operating systems

Many other operating systems also have specific applications to create firewall rules.

If you know what commands to use on an operating system currently not mentioned explicitly, please feel free to contact our Support Department (support@openlinksw.com) with the details and we will add your instructions to this document.