I am trying to understand from a security perspective, what are the recommendations for Firewall settings for Bahmni. At minimum, I guess that Bahmni requires 80(http), 443(https), 8069(openerp) and 22(ssh) open for incoming connections. Can someone share what would be good production level settings for Bahmni to operate, so that people can CLOSE other incoming connections to Bahmni servers.
Just adding to the thread. These are all the ports used in Bahmni.
Thanks @aj.jaswanth. I guess these are the default ports for V0.81. And besides this, httpd runs on port 80/443. Do all these need incoming connections from outside the machine, or do some of them only need access from “localhost”?
Also - I guess, if someone sets up a passive server (replication, etc.), in that case they may need to open additional traffic just from the slave/replica machine.
From an end-user perspective, only 443 (Bahmni UI, OpenMRS, OpenELIS) and 8069 (OpenERP) need to be exposed. In case of a slave DB server, we need to allow 3306 (MySQL) and 5432 (Postgres) only for the slave. We also have the ability to set up Nagios monitoring. We need to allow ports for it also.
@preethi_s @vikash can provide more info on it.
From an end-user’s perspective, the communication always happens through port 443. For OpenERP as well, if a sub-domain is configured (e.g. openerp.mybahmni.org), then Apache redirects the request to port 8069. All the ports mentioned by @gsluthra and @aj.jaswanth can be restricted to a specific set of IPs internal to the sub-systems of Bahmni.
If your server is hosted on the internet, allow just port 443 for all IPs. The rest of the ports need to be configured to be accessible only for internal sub-systems. For example, if all the services are on a single machine, then none of those ports needs to be open.
If you are using AWS, you can configure it through Security Groups.
From a CentOS iptables perspective, here is the script that ensures that all incoming traffic is denied, except SSH, HTTP, HTTPS and port 8069 for OpenERP. It allows localhost to connect to ports open on its own machine (like DB connections, etc.).
You are correct that if Apache HTTPD is set up in a manner that it forwards, say, the erp-bahmni.org domain to 8069, then port 8069 won’t need to be opened to the external world.
dcm4chee needs a port to be opened to listen on to receive images. By default, the Bahmni setup starts dcm4chee listening on port 11112, so that port will have to be added to the firewall rules. Ideally dcm4chee should be set up on a separate machine and images accessed using the DICOM viewer, which makes an HTTPS call, but in most Bahmni implementations (resource-constrained) people might choose to deploy it on the same production machine.
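The iptables script mentioned above is not reproduced in the thread. The following is an added example (not the poster's script and not part of Bahmni itself) that pulls together the recommendations from the whole thread: default-deny on INPUT, loopback allowed so co-located services can reach MySQL/Postgres, 80/443 open publicly, SSH restricted to an admin network, 3306/5432 restricted to the replica host, dcm4chee's 11112 restricted to the imaging modality, and 8069 opened only when Apache is not proxying OpenERP. The admin CIDR, replica IP and modality IP are constructed placeholders; `/etc/sysconfig/iptables` is the persistence file used by the CentOS 6 `iptables` service.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) an iptables-restore ruleset
# for a single-machine Bahmni host. Addresses below are constructed placeholders.
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"   # network allowed to SSH in (assumption)
REPLICA_IP="${REPLICA_IP:-10.0.0.20}"        # slave DB host allowed on 3306/5432 (assumption)
MODALITY_IP="${MODALITY_IP:-10.0.0.30}"      # modality allowed to send DICOM to 11112 (assumption)
EXPOSE_OPENERP="${EXPOSE_OPENERP:-no}"       # "yes" only if Apache does not proxy a sub-domain to 8069

# Print the ruleset; the optional first argument overrides EXPOSE_OPENERP.
bahmni_rules() {
    expose="${1:-$EXPOSE_OPENERP}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: lets OpenMRS/OpenELIS/OpenERP on this box reach MySQL, Postgres, etc.
-A INPUT -i lo -j ACCEPT
# replies to connections this machine initiated
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# public: HTTP (redirects to HTTPS) and HTTPS for Bahmni UI, OpenMRS, OpenELIS
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH only from the admin network
-A INPUT -p tcp -s $ADMIN_CIDR --dport 22 -j ACCEPT
# MySQL/Postgres replication only from the replica host
-A INPUT -p tcp -s $REPLICA_IP --dport 3306 -j ACCEPT
-A INPUT -p tcp -s $REPLICA_IP --dport 5432 -j ACCEPT
# dcm4chee DICOM listener only from the imaging modality
-A INPUT -p tcp -s $MODALITY_IP --dport 11112 -j ACCEPT
EOF
    if [ "$expose" = "yes" ]; then
        echo "# OpenERP reached directly on 8069 (not needed when Apache proxies it)"
        echo "-A INPUT -p tcp --dport 8069 -j ACCEPT"
    fi
    echo "COMMIT"
}

# Number of ACCEPT rules keyed on a destination port (handy sanity check).
count_open_ports() { bahmni_rules "$1" | grep -c -- '--dport'; }

# Print by default; apply only when asked explicitly and running as root.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    bahmni_rules | iptables-restore
    iptables-save > /etc/sysconfig/iptables   # persist across reboots on CentOS 6
else
    bahmni_rules
fi
```

Run it without arguments to review the generated rules, then with `--apply` as root from a console session (not over SSH from outside `ADMIN_CIDR`, or the session will be cut off). Because INPUT defaults to DROP, anything the thread does not list (ActiveMQ, Nagios NRPE, the raw MySQL port for non-replica hosts) is blocked unless a further `-s`-scoped rule is added.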