The OneFS host-based firewall is composed of firewall rules and policies. A firewall rule is used to specify a matching criterion for IP packets and an associated action. The matching criteria for a rule can be the following:
The associated actions for the matching criteria of a rule are the following:
A firewall policy can contain multiple firewall rules. The rules are matched by index in ascending order. While each firewall rule has an associated action, the policy has a user-defined default action, if none of the firewall rules apply. The firewall policy default action may be deny, reject, or allow an IP packet from any to any. A firewall policy is assigned to a network pool and subnet, as shown in the following figure.
By default, OneFS has a Default Pools Policy (default_pools_policy) and a Default Subnets Policy (default_subnets_policy), as shown in the following figure. The Default Pools Policy enforces the port numbers and protocols required for OneFS services, as listed in the Security Configuration Guide, found under the respective OneFS software release at OneFS Info Hubs.
The Default Subnets Policy (default_subnets_policy) applies to SSIPs and provides rules for the following:
Important: Network Pools do not inherit firewall policies or rules from the firewall policy associated with their respective subnets
Network pools and network subnets always belong to a single firewall policy. This can either be a custom policy, or a default policy. If a subnet or pool is removed from a policy, it is automatically added to the default policy.
An administrator can modify both the Default Pools Policy and the Default Subnets Policy. The default policies are only used when the pool or subnet does not have a custom policy assigned, because each subnet or pool must have a policy assigned. OneFS also provides an option to revert the default policies to factory defaults, with the isi network firewall reset global policy command.