Configure internal firewall
You can configure the StorageGRID firewall to control network access to specific ports on your StorageGRID nodes.
-
You are signed in to the Grid Manager using a supported web browser.
-
You have specific access permissions.
-
You have reviewed the information in Manage firewall controls and Networking guidelines.
-
If you want an Admin Node or Gateway Node to accept inbound traffic only on explicitly configured endpoints, you have defined the load balancer endpoints.
When changing the configuration of the Client Network, existing client connections might fail if load balancer endpoints have not been configured.
StorageGRID includes an internal firewall on each node that enables you to open or close some of the ports on the nodes of your grid. You can use the Firewall control tabs to open or close ports that are open by default on the Grid Network, Admin Network, and Client Network. You can also create a list of privileged IP addresses that can access grid ports that are closed. If you are using a Client Network, you can specify whether a node trusts inbound traffic from the Client Network, and you can configure the access of specific ports on the Client Network.
Limiting the number of ports open to IP addresses outside of your grid to only those that are absolutely necessary enhances the security of your grid. You use the settings on each of the three Firewall control tabs to ensure only the needed ports are open.
For more information about using firewall controls, including examples, see Manage firewall controls.
For more information about external firewalls and network security, see Control access at external firewall.
Access firewall controls
-
Select CONFIGURATION > Security > Firewall control.
The three tabs on this page are described in Manage firewall controls.
-
Select any tab to configure the firewall controls.
You can use these tabs in any order. The configurations you set on one tab don't limit what you can do on the other tabs; however, configuration changes you make on one tab might change the behavior of ports configured on other tabs.
Privileged address list
You use the Privileged address list tab to grant hosts access to ports that are closed by default or closed by settings on the Manage external access tab.
Privileged IP addresses and subnets don't have internal grid access by default. Also, load balancer endpoints and additional ports opened in the Privileged address list tab are accessible even if blocked in the Manage external access tab.
Settings on the Privileged address list tab can't override settings on the Untrusted Client Network tab. |
-
On the Privileged address list tab, enter the address or IP subnet you want to grant access to closed ports.
-
Optionally, select Add another IP address or subnet in CIDR notation to add additional privileged clients.
Add as few addresses as possible to the privileged list. -
Optionally, select Allow privileged IP addresses to access StorageGRID internal ports. See StorageGRID internal ports.
This option removes some protections for internal services. Leave it disabled if possible. -
Select Save.
Manage external access
When a port is closed in the Manage external access tab, the port can't be accessed by any non-grid IP address unless you add the IP address to the privileged address list. You can only close ports that are open by default, and you can only open ports that you have closed.
Settings on the Manage external access tab can't override settings on the Untrusted Client Network tab. For example, if a node is untrusted, port SSH/22 is blocked on the Client Network even if it is open on the Manage external access tab. Settings on the Untrusted Client Network tab override closed ports (such as 443, 8443, 9443) on the Client Network. |
-
Select Manage external access. The tab displays a table with all of the external ports (ports that are accessible by non-grid nodes by default) for the nodes in your grid.
-
Configure the ports you want open and closed using the following options:
-
Use the toggle beside each port to open or close the selected port.
-
Select Open all displayed ports to open all ports listed in the table.
-
Select Close all displayed ports to close all ports listed in the table.
If you close Grid Manager ports 443 or 8443, any users currently connected on a blocked port, including you, will lose access to Grid Manager unless their IP address has been added to the Privileged address list. Use the scroll bar on the right side of the table to be sure you have viewed all available ports. Use the search field to find the settings for any external port by entering a port number. You can enter a partial port number. For example, if you enter a 2, all ports that have the string "2" as part of their name are displayed.
-
-
Select Save
Untrusted Client Network
If the Client Network for a node is untrusted, the node only accepts inbound traffic on ports configured as load balancer endpoints and, optionally, additional ports you select on this tab. You can also use this tab to specify the default setting for new nodes added in an expansion.
Existing client connections might fail if load balancer endpoints have not been configured. |
The configuration changes you make on the Untrusted Client Network tab override the settings on the Manage external access tab.
-
Select Untrusted Client Network.
-
In the Set New Node Default section, specify what the default setting should be when new nodes are added to the grid in an expansion procedure.
-
Trusted (default): When a node is added in an expansion, its Client Network is trusted.
-
Untrusted: When a node is added in an expansion, its Client Network is untrusted.
As required, you can return to this tab to change the setting for a specific new node.
This setting does not affect the existing nodes in your StorageGRID system.
-
-
Use the following options to select the nodes that should allow client connections only on explicitly configured load balancer endpoints or additional selected ports:
-
Select Untrust on displayed nodes to add all nodes displayed in the table to the Untrusted Client Network list.
-
Select Trust on displayed nodes to remove all nodes displayed in the table from the Untrusted Client Network list.
-
Use the toggle beside each port to set the Client Network as Trusted or Untrusted for the selected node.
For example, you could select Untrust on displayed nodes to add all nodes to the Untrusted Client Network list and then use the toggle besides an individual node to add that single node to the Trusted Client Network list.
Use the scroll bar on the right side of the table to be sure you have viewed all available nodes. Use the search field to find the settings for any node by entering the node name. You can enter a partial name. For example, if you enter a GW, all nodes that have the string "GW" as part of their name are displayed.
-
-
Optionally, select any additional ports you want open on the untrusted Client Network. These ports can provide access to the Grid Manager, the Tenant Manager, or both.
For example, you might want to use this option to ensure that the Grid Manager can be accessed on the Client Network for maintenance purposes.
These additional ports are open on the Client Network, regardless of whether they are closed in the Manage external access tab. -
Select Save.
The new firewall settings are immediately applied and enforced. Existing client connections might fail if load balancer endpoints have not been configured.