There are three main Kerberos components: the client program, the KDC, and the application server.
Different types of traffic flow between each pair of these components. Which traffic you need to allow through your firewall depends on which pair of components the firewall sits between.
Note: The notation xxxx/udp or xxxx/tcp in the following tables refers to an ephemeral port number (that is, greater than 1024) that the system assigns for return traffic. The only assumption you can make about this port number is that it is greater than 1024.
You may need to configure your firewall to allow traffic between a client program and the KDC on the following ports and protocols:
| Client Application | To KDC | Return Traffic |
|---|---|---|
| Ticket requests (for example, kinit) | 88/udp | xxxx/udp |
| Kerberos 5-to-4 ticket conversion | 4444/udp | xxxx/udp |
| Changing password (kpasswd under Unix) | 749/tcp | xxxx/tcp |
| Changing password (under Windows, old interface) | 464/tcp | xxxx/tcp |
| Changing password (under Windows, new interface) | 464/udp | xxxx/udp |
| Running kadmin (also requires initial ticket, 88/udp) | 749/tcp | xxxx/tcp |
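One way to turn the client-to-KDC table above into firewall rules, as an added example that is not part of the original page: a POSIX shell script that emits nftables rules for each port and protocol listed, and handles the ephemeral xxxx/udp and xxxx/tcp return ports with connection tracking instead of opening every port above 1024. The KDC address, client network and table name are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit nftables rules for the client <-> KDC traffic in the table.
# KDC_ADDR and CLIENT_NET are constructed placeholders; replace with your own values.
KDC_ADDR="${KDC_ADDR:-192.0.2.10}"
CLIENT_NET="${CLIENT_NET:-192.0.2.0/24}"

# One "ct state new accept" rule per (protocol, port) pair from the table.
# Only new connections toward the KDC are matched here; replies are handled below.
kdc_client_rules() {
    printf '%s\n' \
        "udp 88 ticket-requests" \
        "udp 4444 kerberos-5-to-4-conversion" \
        "tcp 749 kpasswd-unix-and-kadmin" \
        "tcp 464 kpasswd-windows-old" \
        "udp 464 kpasswd-windows-new" |
    while read -r proto port comment; do
        printf 'add rule inet kerberos forward ip saddr %s ip daddr %s %s dport %s ct state new accept comment "%s"\n' \
            "$CLIENT_NET" "$KDC_ADDR" "$proto" "$port" "$comment"
    done
}

# Return traffic (the xxxx/udp and xxxx/tcp ephemeral ports) is accepted by
# connection-tracking state, so no range of high ports has to be opened.
return_rule() {
    printf 'add rule inet kerberos forward ct state established,related accept\n'
}

# Full ruleset: table, a forward chain with a drop policy, then the rules above.
# Feed the output to "nft -f -" (or "nft -c -f -" to only check the syntax).
kdc_ruleset() {
    printf 'add table inet kerberos\n'
    printf 'add chain inet kerberos forward { type filter hook forward priority 0; policy drop; }\n'
    return_rule
    kdc_client_rules
}
```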
You may need to configure your firewall to allow traffic between an application server and the KDC on the following ports/protocols:
| Application Server | To KDC | Return Traffic |
|---|---|---|
| Initial ticket request (for example, kinit) | 88/udp | xxxx/udp |
| Kerberos 5-to-4 ticket conversion | 4444/udp | xxxx/udp |
You may need to configure your firewall to allow traffic between a client program and an application server on the following ports/protocols:
| Application Program/Server | To Server | To Client (Return Traffic) |
|---|---|---|
| rlogin/rlogind (without encryption) | 543/tcp | xxxx/tcp |
| rlogin/rlogind (with encryption) | 2105/tcp | xxxx/tcp |
| rsh/rshd | 544/tcp | xxxx/tcp |
| pop/popper | 1109/tcp | xxxx/tcp |
| telnet/telnetd | Same as non-Kerberos telnet/telnetd | |
| ftp/ftpd | Same as non-Kerberos ftp/ftpd | |
Copyright © 2013 CA. All rights reserved.