3.2.2.6 Firewall Configuration

A default Oracle Linux install has the firewall enabled (iptables on). To use Oracle VM Manager on a system with iptables enabled, you can either open only the ports that Oracle VM Manager uses, or open all ports by disabling iptables. The first option is preferable: disabling iptables exposes every service listening on the host, not just those that Oracle VM Manager requires.

To configure the firewall to open the required ports automatically, use the environment configuration script provided with the Oracle VM Manager installer. See Section 3.3.1, “Configuring the Environment Before Installation” for information on using this script.

The diagram and table below illustrate the firewall rules and requirements for Oracle VM.

This diagram illustrates the firewall rules in Oracle VM Manager. It shows a connection between the Oracle VM Manager Host and the Oracle VM Server Hosts marked 1. It shows a connection between the Oracle VM Server Hosts and the Oracle VM Manager Host marked 2. It shows a connection between a Client PC and the Oracle VM Manager Host marked 3. It shows a connection between a Client PC and the Oracle VM Server Hosts marked 4. It shows a connection between all of the Oracle VM Server Hosts marked 5. It shows Some Management Tools with a connection to the Oracle VM Manager Host marked 6.

Table 3.2 Firewall Rules

Columns: No. | Component Relationship | Ports and Description | Optional

1 | Oracle VM Manager to Oracle VM Server | Optional: No

  • TCP/8899 - HTTPS connection to the Oracle VM Agent.

  • TCP/6900-xxxx - SSL secured VNC connections to connect to the VNC Console for virtual machines running on each Oracle VM Server.

  • TCP/10000-xxxx - SSL secured port for telnet emulated serial connections to connect to the Serial Console for virtual machines running on each Oracle VM Server.

2 | Oracle VM Server to Oracle VM Manager | Optional: No

  • TCP/7002 - HTTPS connection from Oracle VM Agent to the Oracle VM Core WSAPI.

  • UDP/123 - NTP requests to an NTP server running on the Oracle VM Manager host.

3 | Client PC to Oracle VM Manager | Optional: No, although access to services should be limited to requirements

  • TCP/7002 - HTTPS connection from web browser to Oracle VM Manager web user interface, or WSAPI.

  • TCP/10000 - SSH connection from SSH client to Oracle VM Manager CLI.

  • TCP/22 - SSH connection to Oracle VM Manager host for administrative work.

4 | Client PC to Oracle VM Server | Optional: Yes

  • TCP/22 - SSH connection to Dom0 on each Oracle VM Server for administrative work.

5 | Oracle VM Server to Oracle VM Server | Optional: No

  • TCP/7777 - OCFS2/DLM heartbeat communication for clustered server pools.

  • TCP/8002 (x86 only) - non-encrypted port to perform live virtual machine migrations.

  • TCP/8003 (x86 only) - SSL-encrypted port to perform live virtual machine migrations.

  • TCP/8101 (SPARC only) - SSL-encrypted port to perform live virtual machine migrations.

  • TCP/6482 (SPARC only) - LDoms Manager XMPP port used to initiate live virtual machine migrations.

6 | Some Management Tools to Oracle VM Manager | Optional: Yes

  • TCP/54322 - Access to the legacy API as required by some applications that have not yet been updated to use the WSAPI.


The following instructions explain how to meet the firewall requirements for the Oracle VM Manager host manually, and assume that you have decided not to use the environment configuration script provided with the Oracle VM Manager installer.

Depending on your security requirements, do either:

  • Disable iptables and open all ports. Enter the following commands as the root user:

    # service iptables stop
    # chkconfig iptables off

    This leaves every service listening on the host reachable from the network, not only those listed in Table 3.2, so it is only appropriate where another firewall already restricts access to the host.

  • Alternatively, open only the required ports by using the iptables command as the root user. The default Oracle Linux rule set ends the INPUT chain with a REJECT rule; a rule appended with -A lands after that REJECT and is never reached, so insert the new rules at the head of the chain with -I instead:

    # iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 7002 -j ACCEPT
    # iptables -I INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT

    To remotely connect to the Oracle VM Manager core legacy API using an alternate external client such as Oracle Enterprise Manager, also enter the following command:

    # iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 54322 -j ACCEPT

    To enable the Oracle VM Manager Command Line Interface, enter the following command:

    # iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT

    Confirm with iptables -L INPUT -n --line-numbers that each ACCEPT rule is listed above the REJECT rule. When all the ports have been opened, save the iptables configuration to /etc/sysconfig/iptables:

    # service iptables save

    This does not require iptables to be restarted: the commands open the ports while iptables is running, and the save ensures they are opened again on reboot or restart.
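As an added example, not Oracle's environment configuration script nor any code from this guide, the POSIX shell script below applies the Manager-host rows of Table 3.2 in a way that is safe to re-run: it reads an iptables -S INPUT dump, finds the rule number of the final REJECT rule, skips ports that are already open, and emits iptables -I INPUT <n> commands that land above the REJECT. The function names (manager_ports, reject_position, has_rule, plan_rules, apply_rules), the two flags selecting the optional legacy API and CLI ports, and the sample rule dump, which is constructed to resemble a default Oracle Linux 6 chain rather than captured from a real host, are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Oracle's environment configuration script: open the
# Oracle VM Manager host ports from Table 3.2 on an iptables rule set whose
# INPUT chain ends with a REJECT rule (the Oracle Linux 6 default, assumed
# here), inserting every ACCEPT rule above that REJECT so it is reached.
# Function names and flags are this example's own, not Oracle's.

# Manager-host ports from rows 2 and 3 of Table 3.2. Flags select the two
# optional services: $1 = open the legacy API (1/0), $2 = open the CLI (1/0).
manager_ports() {
    printf 'tcp 7002\n'                      # web UI / WSAPI, Agent -> Core WSAPI
    printf 'udp 123\n'                       # NTP served from the Manager host
    [ "$1" = 1 ] && printf 'tcp 54322\n'     # legacy API (e.g. Enterprise Manager)
    [ "$2" = 1 ] && printf 'tcp 10000\n'     # Oracle VM Manager CLI over SSH
    return 0
}

# Print the 1-based rule number of the first REJECT rule in an
# `iptables -S INPUT` dump read from stdin. Rule numbers, as used by
# `iptables -I INPUT <n>`, count only the -A lines, not the -P policy line.
# Prints nothing if the chain has no REJECT rule.
reject_position() {
    awk '/^-A INPUT/ { n++; if ($0 ~ /-j REJECT/) { print n; exit } }'
}

# True if the dump on stdin already has an ACCEPT rule for proto $1, port $2.
has_rule() {
    grep -q -- "-p $1 .*--dport $2 .*-j ACCEPT"
}

# Emit the iptables commands needed for the dump in file $1 (flags $2, $3 as
# for manager_ports). Inserting at the REJECT's own position pushes REJECT
# down one slot each time, so every ACCEPT stays above it. Ports that are
# already open are skipped, which makes the plan safe to run repeatedly.
plan_rules() {
    pos=$(reject_position < "$1")
    manager_ports "$2" "$3" | while read -r proto port; do
        has_rule "$proto" "$port" < "$1" && continue
        if [ -n "$pos" ]; then
            printf 'iptables -I INPUT %s -m state --state NEW -m %s -p %s --dport %s -j ACCEPT\n' \
                "$pos" "$proto" "$proto" "$port"
        else
            # No REJECT rule in the chain: appending is safe here.
            printf 'iptables -A INPUT -m state --state NEW -m %s -p %s --dport %s -j ACCEPT\n' \
                "$proto" "$proto" "$port"
        fi
    done
}

# On a real Manager host: dump the live chain, run the plan as root, then
# persist it the same way the text does, with `service iptables save`.
apply_rules() {
    [ "$(id -u)" = 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    live=$(mktemp) || return 1
    iptables -S INPUT > "$live"
    plan_rules "$live" "$1" "$2" | sh -e
    rm -f "$live"
    service iptables save
}

# Constructed sample of `iptables -S INPUT` on a default Oracle Linux 6 host
# (not captured from any real system): SSH is open, everything else REJECTed.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF

# Dry run: print the commands that would be executed for a Manager host
# that also exposes the legacy API and the CLI.
plan_rules "$SAMPLE_DUMP" 1 1
```

Run it as an unprivileged user to see the plan for the sample chain (four iptables -I INPUT 5 ... lines, one per port); on the Manager host itself, call apply_rules 1 1 as root to execute the plan against the live chain and save it. Because the plan is derived from the current rule dump, running it twice adds nothing the second time.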