Security Considerations: Firewall
In general, we recommend reading more about networking from starting points like Wikipedia and more authoritative sources on network security.
Generally, there are about 4 zones you should have for your Evergreen system. These are as follows:
- Localhost (stuff on the server, accessed only by the server)
- Jabber server: This is the base messaging system of the OpenSRF network. If you are using the recommended Jabber server (eJabberd), access requires an authenticated username / password combination and is considered secure. The built-in Jabber server, "chop chop", performs no authentication, is insecure by definition, and should not be used in a production system.
- Single-server scenario: For a single-server system which runs Jabber, PostgreSQL database, Apache web server, and the memcached server, there is no need for the Jabber server to listen to any services outside of
- Multi-server scenario: For a multi-server system which runs Jabber and the OpenSRF Router on one of several servers, only the Apache web server and any OpenSRF application servers requires access to the Jabber server.
- Evergreen System Administrators (people who administer the bowels of the evergreen system)
- The big consideration here is the HTTP directory of the web server. This contains the config bootstrap script. Although damaging things can't really be done (IE: everything likely has attachments, so they can't be deleted), a user can create a dozen new libraries with a few clicks. Nobody other than the IT/Evergreen Administration Staff should have access to this directory.
- General Public (people who use the PAC)
- The general public will need access to the web server (port 80) for the OPAC.
- 443: SSL in the OPAC
- Library Staff (People who use the staff client)
- The staff client uses the same ports as the public interface, so ports 80 and 443 will need to be opened.
Note that these are ports on external servers to which your Evergreen server(s) might need to connect. As a reminder of basic networking principles, outgoing connections on the Evergreen server(s) are assigned to random ports - so when connecting to port 210 on zed.example.com, your Evergreen server might use local port 37080 to make the connection.
- 25: SMTP-For E-mail notifications
- 80: Web traffic (Syndicated content, Book Jackets, etc)
- 210: Z3950 (OCLC, LC, etc). Note that while 210 is commonly used by Z39.50 servers, it's not the only one in use; for example, the LC Z39.50 server uses port 7090.
Again: this list is just a start, and by all means incomplete.