What ports require to be open in firewall for Bahmni?

gsluthra · May 16, 2016, 4:42am

I am trying to understand from a security perspective, what are the recommendations for Firewall settings for Bahmni. At minimum, I guess that Bahmni requires 80(http), 443(https), 8069(openerp) and 22(ssh) open for incoming connections. Can someone share what would be good production level settings for Bahmni to operate, so that people can CLOSE other incoming connections to Bahmni servers.

ajjaswanth · May 16, 2016, 4:48am

Just adding to the thread. These are all the ports used in Bahmni.

openmrs_port: 8050
bahmni_reports_port: 8051
bahmni_lab_port: 8052
bahmni_erp_connect_port: 8053
pacs_integration_port: 8054
openerp_port: 8069
dchm4chee_ports: 8055, 8056
event_log_service_port: 8057

gsluthra · May 16, 2016, 4:52am

Thanks @aj.jaswanth. I guess these are the default ports for V0.81. And besides this, httpd runs on port 80/443. Do all these need incoming connections from outside the machine, or do someone of them only need access from “localhost”?

Also - I guess, if someone sends up a passive server (replication, etc), in that case they may need to open additional traffic just from the slave/replica machine.

Please confirm.

ajjaswanth · May 16, 2016, 5:30am

From a end user perspective, only 443 (bahmni UI, openmrs, openelis), 8069 (openerp) needs to be exposed. In case of a slave db server, we need to allow 3306 (MySQL), 5432 (Postgres) only for the slave. We also have the ability to setup nagios monitoring. We need to allow ports for it also.

@preethi_s @vikash can provide more info on it.

bharatak · May 16, 2016, 8:20am

From end-user’s perspective, the communication always happen through 443 port. For openerp as well, if a sub-domain is configured (i.e. openerp. e.g. openerp.mybahmni.org), then Apache redirects the request to 8069 port. All the ports mentioned by @gsluthra and @aj.jaswanth can be restricted to specific set of IPs internal to sub-systems of Bahmni.

If your server is hosted on the internet, allow just 443 port for all IPs. The rest of the ports needs to be configured to be accessible for internal sub-systems. For e.g. 1) if all the services are in a single machine, then none of the ports needs to be open.

If you are using AWS, you can configure it through Security Groups

gsluthra · May 16, 2016, 1:51pm

From a CentOS IPTable perspective here is the script that ensure that every incoming traffic is denied, except SSH, Http, Https and port 8069 for OpenERP. It allows localhost to connect to ports open on its own machine (like DB connections, etc).

gist.github.com

https://gist.github.com/gsluthra/2e63e665919188f51640f67effa27603

setup-bahmni-firewall.sh

# Refer to this link to understand below rules: https://wiki.centos.org/HowTos/Network/IPTables

# Set default input policy to ACCEPT
iptables -P INPUT ACCEPT

# Flush all current rules!
iptables -F

# Allow localhost interface
iptables -A INPUT -i lo -j ACCEPT

This file has been truncated. show original

You are correct, that if Apache HTTPD is setup in a manner that it forwards maybe erp-bahmni.org domain to 8069, then the 8069 port won’t need to be opened for external world.

arjun · August 16, 2016, 10:40am

dcm4chee needs a port to be opened to listen to receive images. By default setup with Bahmni starts dcm4chee to listen on 11112 port. So that port will have to be added to firewall rules. Ideally dcm4chee should be setup on a separate machine and access images using dicom viewer which makes a https call, but in most of Bahmni implementations (resource-constrained) people might choose to deploy it on the same production machine.