Firewall Requirements
Before you install and configure the Oracle Linux Virtualization Manager engine or any KVM hosts, ensure you review the following firewall requirements.
Note:
Oracle Linux Virtualization Manager requires IPv6 to remain enabled on the computer or virtual machine where you are running the Manager. Do not disable IPv6 on the Manager machine, even if your systems do not use it.
Engine Host Firewall Requirements
When you run the engine-setup command to configure Oracle Linux Virtualization Manager, you can have the Setup program automatically configure the firewall ports on the host. Use the following information if you want to manually configure firewalls.
The following table shows the ports that are configured by default. The Setup program enables you to choose different ports for some of the configuration options; see Engine Configuration Options in the Oracle Linux Virtualization Manager: Getting Started Guide.
Port | Protocol | Source | Destination | Purpose | Encrypted by default |
---|---|---|---|---|---|
Not applicable | ICMP | Oracle Linux KVM hosts | Manager host | (Optional) Diagnostics | No |
22 | TCP | External systems | Manager host | (Optional) SSH access to the Manager host for administration and maintenance | Yes |
80, 443 | TCP | Administration Portal clients, VM Portal clients, Oracle Linux KVM hosts, REST API clients | Manager host | HTTP access to the Manager | Yes |
2222 | TCP | Clients | Manager host | SSH access to virtual machine serial consoles | Yes |
5432 | TCP,UDP | Manager host, Data Warehouse Service, External systems | Manager host | (Optional) Connections to PostgreSQL database server. Only required if the Engine database or the Data Warehouse database run on the Manager host. | No |
6100 | TCP | Administration Portal clients, VM Portal clients | Manager host | (Optional) WebSocket proxy access to the noVNC or HTML 5 virtual machine consoles. Only required if the WebSocket proxy runs on the Manager host. | No |
7410 | UDP | Oracle Linux KVM hosts | Manager host | (Optional) Kdump notifications. Only required if Kdump is enabled. | No |
54323 | TCP | Administration Portal clients | Manager host | Image I/O Proxy access to upload images. Only required if the Image I/O Proxy runs on the Manager host. | Yes |
Remote Component Firewall Requirements
Some Oracle Linux Virtualization Manager components can run on separate remote hosts. Refer to the following table for information to help you configure the firewall on remote hosts.
Port | Protocol | Source | Destination | Purpose | Encrypted by default |
---|---|---|---|---|---|
5432 | TCP,UDP | Manager host, Data Warehouse Service, External systems | PostgreSQL database server | Connections to PostgreSQL database server. Required if the Engine database or the Data Warehouse database run on a remote host. | No |
6100 | TCP | Administration Portal clients, VM Portal clients | WebSocket proxy host | WebSocket proxy access to the noVNC or HTML 5 virtual machine consoles. Required if the WebSocket proxy runs on a remote host. | No |
KVM Host Firewall Requirements
When you add an Oracle Linux KVM host to Oracle Linux Virtualization Manager, the existing firewall configuration on the host is overwritten and the required firewall ports are configured automatically.
To disable automatic firewall configuration when adding a KVM host, clear the Automatically configure host firewall check box under Advanced Parameters. Then, refer to the following table for information to help you manually configure the firewall.
Port | Protocol | Source | Destination | Purpose | Encrypted by default |
---|---|---|---|---|---|
22 | TCP | Manager host | KVM hosts | (Optional) SSH access to KVM hosts | Yes |
111 | TCP | NFS storage server | KVM hosts | (Optional) NFS connections. Only required if you use NFS storage. | No |
161 | UDP | KVM hosts | Manager host | (Optional) Simple network management protocol (SNMP). Only required if you want to send SNMP traps to external SNMP managers. | No |
2223 | TCP | Manager host | KVM hosts | SSH access to virtual machine serial consoles | Yes |
5900 to 6923 | TCP | Administration Portal clients, VM Portal clients | KVM hosts | Access to virtual machine consoles using VNC or RDP protocols | Yes |
5989 | TCP,UDP | Common Information Model Object Manager (CIMOM) | KVM hosts | (Optional) CIMOM connections. Only required if you use CIMOM to monitor virtual machines running on the host. | No |
6081 | UDP | KVM hosts | KVM hosts | (Optional) Open Virtual Network (OVN) connections. Only required if the OVN network provider is enabled. | No |
16514 | TCP | KVM hosts | KVM hosts | Virtual machine migration using libvirt | Yes |
49152 to 49216 | TCP | KVM hosts | KVM hosts | Automated and manual virtual machine migration and fencing using VDSM | Yes |
54321 | TCP | Manager host, KVM hosts | KVM hosts | VDSM communication with the Oracle Linux Virtualization Manager and other KVM hosts | Yes |
54322 | TCP | Manager host, Image I/O Proxy host | KVM hosts | Communication with the Image I/O Proxy to upload images. Only required if the Image I/O Proxy runs on the Manager host or a separate host. | Yes |
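
One way to turn the KVM host table into source-restricted firewalld rules when automatic firewall configuration is disabled, so that each port is open only to the source the table lists. This is an added example, not part of the Oracle guide or its tooling; the addresses, the option names and the IPv4-only rich rules are assumptions, and the SNMP row, whose source is the KVM hosts themselves, is not covered.

```shell
#!/bin/sh
# Added example: print firewalld commands for a KVM host whose firewall is
# configured manually. All addresses used here are constructed (RFC 5737).

# rich_rule SOURCE PORT PROTO: allow PORT/PROTO from SOURCE only.
rich_rule() {
  printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'\n" "$1" "$2" "$3"
}

# kvm_host_rules MANAGER HOST_NET CLIENT_NET [ssh] [ovn] [nfs=SRC] [imageio=SRC] [cimom=SRC]
# Option names are hypothetical; each maps to one optional row of the table.
kvm_host_rules() {
  [ "$#" -ge 3 ] || { echo "usage: kvm_host_rules MANAGER HOST_NET CLIENT_NET [options]" >&2; return 2; }
  mgr=$1 hosts=$2 clients=$3
  shift 3
  # Validate every option first so a typo never yields a partial rule set.
  for opt in "$@"; do
    case $opt in
      ssh|ovn|nfs=?*|imageio=?*|cimom=?*) ;;
      *) echo "unknown option: $opt" >&2; return 2 ;;
    esac
  done
  rich_rule "$mgr"     2223        tcp   # VM serial consoles, from the Manager
  rich_rule "$mgr"     54321       tcp   # VDSM, from the Manager
  rich_rule "$hosts"   54321       tcp   # VDSM, from other KVM hosts
  rich_rule "$hosts"   16514       tcp   # libvirt migration
  rich_rule "$hosts"   49152-49216 tcp   # VDSM migration and fencing
  rich_rule "$clients" 5900-6923   tcp   # VM consoles, from portal clients
  for opt in "$@"; do
    case $opt in
      ssh)       rich_rule "$mgr" 22 tcp ;;
      ovn)       rich_rule "$hosts" 6081 udp ;;              # not encrypted by default
      nfs=*)     rich_rule "${opt#nfs=}" 111 tcp ;;          # not encrypted by default
      imageio=*) rich_rule "${opt#imageio=}" 54322 tcp ;;
      cimom=*)   rich_rule "${opt#cimom=}" 5989 tcp          # not encrypted by default
                 rich_rule "${opt#cimom=}" 5989 udp ;;
    esac
  done
  echo "firewall-cmd --reload"
}

# Constructed sample: Manager 192.0.2.10, KVM hosts in 192.0.2.0/24,
# portal clients in 198.51.100.0/24, NFS server 192.0.2.50.
kvm_host_rules 192.0.2.10 192.0.2.0/24 198.51.100.0/24 nfs=192.0.2.50
```

The script only prints the commands; review them, then run them as root on the KVM host.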