====== Security Considerations: Firewall ======

In general, we recommend reading more about networking from starting points like [[http://en.wikipedia.org/wiki/Network_port|Wikipedia]] and more authoritative sources on network security.

===== Incoming ports =====

Generally, there are about 4 zones you should have for your Evergreen system. These are as follows:

  - Localhost (stuff on the server, accessed only by the server)
    - Jabber server: This is the base messaging system of the OpenSRF network. If you are using the recommended Jabber server (eJabberd), access requires an authenticated username / password combination and is considered secure. The built-in Jabber server, "chop chop", performs no authentication, is insecure by definition, and should not be used in a production system.
      - **Single-server scenario**: For a single-server system which runs Jabber, the PostgreSQL database, the Apache web server, and the memcached server, there is no need for the Jabber server to listen for any connections from outside ''localhost''.
      - **Multi-server scenario**: For a multi-server system which runs Jabber and the OpenSRF Router on one of several servers, only the Apache web server and any OpenSRF application servers require access to the Jabber server.
  - Evergreen System Administrators (people who administer the bowels of the Evergreen system)
    - The big consideration here is the HTTP directory of the web server. This contains the config bootstrap script. Although truly damaging things can't really be done (i.e., everything likely has attachments, so records can't be deleted), a user can create a dozen new libraries with a few clicks. Nobody other than the IT/Evergreen Administration Staff should have access to this directory.
  - General Public (people who use the PAC)
    - The general public will need access to the web server (port 80) for the OPAC.
    - 443: SSL in the OPAC
  - Library Staff (people who use the staff client)
    - The staff client uses the same ports as the public interface, so ports 80 and 443 will need to be opened.

===== Outgoing ports =====

Note that these are ports on external servers to which your Evergreen server(s) might need to connect. As a reminder of [[http://en.wikipedia.org/wiki/Network_port|basic networking principles]], outgoing connections from the Evergreen server(s) are assigned to random local ports, so when connecting to port 210 on zed.example.com, your Evergreen server might use local port 37080 to make the connection.

  - 25: SMTP, for e-mail notifications
  - 80: Web traffic (syndicated content, book jackets, etc.)
  - 210: Z39.50 (OCLC, LC, etc.). Note that while 210 is commonly used by Z39.50 servers, it's not the only one in use; for example, the LC Z39.50 server uses port 7090.

Again: this list is just a start, and by all means incomplete.
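As an added example (not from the Evergreen wiki or project), a small shell check for the incoming-port zones above: on a single-server install only the OPAC/staff-client web ports 80 and 443 should be reachable from outside the host, so the check reads ''ss -ltn'' output and flags any other listener bound to a non-loopback address. The Jabber, PostgreSQL and memcached port numbers in the sample (5222, 5432, 11211) are assumed defaults, not taken from the page; check your own configuration.

```shell
#!/bin/sh
# Added example, not from the Evergreen wiki or project: audit which TCP
# services on an Evergreen server are reachable from outside the box, per
# the zones above. Only the OPAC/staff-client web ports (80, 443) should be
# bound to a non-loopback address; Jabber, PostgreSQL and memcached should
# listen on localhost only in the single-server scenario. The port numbers
# in the sample other than 80/443 are constructed sample data.

WEB_PORTS="80 443"

# flag_exposed [extra_ports]: read `ss -ltnH`-style lines on stdin and print
# "port address" for each listener that is neither loopback-bound nor in the
# allowed set. extra_ports covers the multi-server scenario, where the host
# running Jabber must accept the application servers (restrict by source
# address in the firewall; this check only looks at bind addresses).
flag_exposed() {
    awk -v allow="$WEB_PORTS ${1:-}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # "0.0.0.0:5222" -> "5222"
        addr = $4; sub(/:[^:]*$/, "", addr)    # "[::1]:5432"   -> "[::1]"
        if (addr ~ /^127\./ || addr == "[::1]") next   # localhost only: fine
        if (port in ok) next                            # permitted public port
        print port, addr
    }'
}

# Constructed `ss -ltnH` output for a single-server install where the Jabber
# server has mistakenly been bound to all interfaces (port 5222 assumed).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5222 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 128 127.0.0.1:11211 0.0.0.0:*'

# Ports flagged for the single-server zone model, space-separated on stdout.
exposed_single() {
    printf '%s\n' "$SAMPLE_SS" | flag_exposed | awk '{ p = p (NR > 1 ? " " : "") $1 } END { print p }'
}

# Same sample judged as the Jabber host of a multi-server install, where 5222
# is expected to be reachable by the OpenSRF application servers.
exposed_multi() {
    printf '%s\n' "$SAMPLE_SS" | flag_exposed 5222 | awk '{ p = p (NR > 1 ? " " : "") $1 } END { print p }'
}

# On a live host: ss -ltnH | flag_exposed
```

The check only tells you what is bound to a reachable address; in the multi-server case the packet filter still has to limit the Jabber port to the application servers' source addresses.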