Configuring Additional Components
Firewall
All of our installers display a message with an example firewall configuration at the end. This example is not recommended for production environments, only for testing.
For a test environment, it's sufficient to allow access on the port from anywhere. For example, to allow access to OpenSearch-Dashboards, enter the following command as the root user:
firewall-cmd --add-port=5601/tcp
This rule will be active until the firewalld service or the OS is restarted. To make the rule permanent, modify the command:
firewall-cmd --permanent --add-port=5601/tcp
firewall-cmd --reload
You can also create a service (in firewalld terminology), but in practice this is not very convenient to use for SAF.
For production environments, we recommend creating a separate zone (in firewalld terminology) and creating a rule within it to allow the necessary ports. The access filter for the zone can be a collection of IP addresses (ipset), or an interface if that interface is located entirely within a trusted zone.
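The production setup described above, as an added example that is not part of the original documentation: the function prints the firewall-cmd sequence for a dedicated zone whose source filter is an ipset, and refuses sources that would match every address. The zone name, ipset name and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate the firewalld commands for a dedicated SAF zone.
# Zone name, ipset name and source addresses are hypothetical placeholders.

saf_zone_commands() {
    zone=$1; ipset=$2; port=$3; shift 3

    # A production zone needs an explicit list of trusted sources.
    [ "$#" -gt 0 ] || { echo "at least one source address is required" >&2; return 1; }

    # Refuse entries that would open the port to everyone, as the test rule does.
    for cidr in "$@"; do
        case $cidr in
            */0|"") echo "refusing source '$cidr': matches every address" >&2; return 1 ;;
        esac
    done

    echo "firewall-cmd --permanent --new-zone=$zone"
    echo "firewall-cmd --permanent --new-ipset=$ipset --type=hash:net"
    for cidr in "$@"; do
        echo "firewall-cmd --permanent --ipset=$ipset --add-entry=$cidr"
    done
    # Bind the zone to the ipset: only packets from these sources enter the zone.
    echo "firewall-cmd --permanent --zone=$zone --add-source=ipset:$ipset"
    echo "firewall-cmd --permanent --zone=$zone --add-port=$port"
    echo "firewall-cmd --reload"
    # Show the resulting zone so the sources and ports can be checked.
    echo "firewall-cmd --zone=$zone --list-all"
}

# Constructed sample: an admin subnet and a single jump host may reach port 5601.
saf_zone_commands saf-admin saf-admin-src 5601/tcp 192.0.2.0/24 198.51.100.10
```

Review the printed commands, then run them as root. If the test rule for 5601/tcp was made permanent in the default zone, remove it with firewall-cmd --permanent --remove-port=5601/tcp, otherwise the port stays open to everyone.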
If you use iptables instead of firewalld in your environment (assuming you have firewalld disabled), the following command will suffice for a test environment:
iptables -A INPUT -s 0.0.0.0/0 -p TCP --dport 5601 -j ACCEPT
This command will open port 5601/tcp for everyone, but the rule will be added to the end of the list. If a deny rule is used at the end, it's better to add the rule to the beginning (in the example, we insert it in the position of the first line):
iptables -I INPUT 1 -s 0.0.0.0/0 -p TCP --dport 5601 -j ACCEPT