Security Considerations: Firewall

Note: this is from memory, and I'm sure I got some stuff messed up/missed some stuff. Pines Staff please verify/change as appropriate.

Generally, there are about 4 zones you should have for your Evergreen system. These are as follows:

  1. Localhost (stuff on the server, accessed only by the server)
    1. Jabber server: This is the base messaging system of the OpenSRF network. If you are using the recommended Jabber server (eJabberd), access requires an authenticated username / password combination and is considered secure. The built-in Jabber server, "chop chop", performs no authentication, is insecure by definition, and should not be used in a production system.
      1. Single-server scenario: For a single-server system that runs Jabber, the PostgreSQL database, the Apache web server, and the memcached server, there is no need for the Jabber server to listen on any interface other than localhost.
      2. Multi-server scenario: For a multi-server system that runs Jabber and the OpenSRF Router on one of several servers, only the Apache web server and any OpenSRF application servers require access to the Jabber server.
  2. Evergreen System Administrators (people who administer the bowels of the evergreen system)
    1. The big consideration here is the HTTP directory of the web server. This contains the config bootstrap script. Although truly destructive changes are not really possible (i.e. everything likely has dependent records attached, so it cannot be deleted), a user can create a dozen new libraries with a few clicks. Nobody other than the IT/Evergreen Administration Staff should have access to this directory.
  3. General Public (people who use the PAC)
    1. The general public will need access to the web server (port 80) for the OPAC.
    2. 443: SSL (HTTPS) for the OPAC
  4. Library Staff (People who use the staff client)
    1. The staff client uses the same ports as the public interface, so ports 80 and 443 will need to be opened.

Outgoing ports:

  1. 25: SMTP, for e-mail notifications
  2. 80: Web traffic (syndicated content, book jackets, etc.)
  3. 210: Z39.50 (OCLC, LC, etc.)
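
The zone model above, rendered as an nftables ruleset for the host that runs Jabber. This is an added example, not code from the wiki page or from the Evergreen project: ports 5222 (ejabberd's default client port), 5432 (PostgreSQL) and 11211 (memcached) are assumptions, since the page names only 80, 443, 25 and 210, and the peer addresses are placeholders. The admin zone's HTTP directory is an Apache-level control (for example `Require ip`), not something a packet filter can express, so it is not part of the ruleset.

```shell
#!/bin/sh
# Prints an nftables ruleset for an Evergreen server; it does not apply anything.
# Review the output, then load it with: nft -f <file>
#
# $1: comma-separated addresses of the Apache / OpenSRF application servers that
#     must reach this host's Jabber server (leave empty for the single-server case).
evergreen_ruleset() {
    peers="$1"
    if [ -n "$peers" ]; then
        # Multi-server scenario: only the listed OpenSRF peers may talk to Jabber.
        jabber_rule="ip saddr { $peers } tcp dport 5222 accept"
    else
        # Single-server scenario: Jabber is reachable through "lo" only.
        jabber_rule="# Jabber stays on localhost (covered by the iif lo rule)"
    fi
    cat <<EOF
flush ruleset
table inet evergreen {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept                        # localhost zone: Jabber, PostgreSQL, memcached
        ct state established,related accept
        ct state invalid drop
        $jabber_rule
        tcp dport { 5222, 5432, 11211 } drop   # backend services are never exposed further
        tcp dport { 80, 443 } accept           # public OPAC and staff client share these ports
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        udp dport 53 accept                    # DNS lookups for the destinations below
        tcp dport 25 accept                    # SMTP: e-mail notifications
        tcp dport { 80, 443 } accept           # syndicated content, book jackets
        tcp dport 210 accept                   # Z39.50 to OCLC, LC, ...
    }
}
EOF
}

# Stand-alone use: ./evergreen-fw.sh "10.0.0.5, 10.0.0.6" > evergreen.nft
evergreen_ruleset "${1:-}"
```

Note that the Jabber `accept` for peers is placed before the backend `drop` line on purpose; nftables evaluates rules in order, so swapping them would silently cut the application servers off.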

Again: this list is just a start, and by all means incomplete.

evergreen-admin/security/firewall.1191460382.txt.gz · Last modified: 2022/02/10 13:33 (external edit)

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International

© 2008-2022 GPLS and others. Evergreen is open source software, freely licensed under GNU GPLv2 or later.
The Evergreen Project is a U.S. 501(c)3 non-profit organization.