Firewalls

There may be various firewalls in between the JetStream server and clients. Exceptions or other rules may need to be added to the firewalls protecting the server to allow clients to connect. Typically this means opening and possibly forwarding port 8886 (both TCP and UDP). See Requirements for a list of ports potentially used by the server.

OS Firewalls

The OS on the machine hosting the JetStream server may be running a software firewall. The following are the most common default firewalls.

CentOS 7

By default, the CentOS 7 firewall firewalld is enabled. To allow connection to the JetStream server, you will need to configure or disable the firewall. For instance:

  • Allow port 8886 through the firewall:
    # sudo firewall-cmd --permanent --zone=public --add-port=8886/tcp --add-port=8886/udp
    # sudo systemctl restart firewalld
    
  • Disable the firewall:
    # sudo systemctl stop firewalld
    # sudo systemctl disable firewalld
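
An added example, not part of the JetStream documentation: a shell check that the public zone covers both 8886/tcp and 8886/udp, in the runtime and the permanent configuration, including when the port falls inside an opened range. The function names are this example's own, and the sample port lists are constructed.

```shell
#!/bin/sh
# Added example: check that a firewalld port list covers JetStream's 8886/tcp and 8886/udp.

# port_covered PORT PROTO LIST: succeed if LIST, in the format printed by
# `firewall-cmd --list-ports` (e.g. "22/tcp 8000-9000/udp"), covers PORT/PROTO.
port_covered() {
    want_port=$1 want_proto=$2
    for entry in $3; do
        range=${entry%/*} proto=${entry#*/}
        [ "$proto" = "$want_proto" ] || continue
        lo=${range%-*} hi=${range#*-}
        case "$lo/$hi" in /*|*/|*[!0-9/]*) continue ;; esac   # skip malformed entries
        if [ "$want_port" -ge "$lo" ] && [ "$want_port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# missing_ports LIST: print the required JetStream ports that LIST does not cover.
missing_ports() {
    missing=""
    for need in 8886/tcp 8886/udp; do
        port_covered "${need%/*}" "${need#*/}" "$1" || missing="$missing $need"
    done
    echo "${missing# }"
}

# report LABEL LIST: print a one-line verdict for one configuration.
report() {
    gaps=$(missing_ports "$2")
    if [ -z "$gaps" ]; then
        echo "$1: 8886/tcp and 8886/udp are open"
    else
        echo "$1: not open: $gaps"
    fi
}

if command -v firewall-cmd >/dev/null 2>&1; then
    # Run as root. Runtime and permanent are checked separately because a
    # --permanent rule is not active until firewalld is reloaded or restarted.
    report runtime   "$(firewall-cmd --zone=public --list-ports 2>/dev/null)"
    report permanent "$(firewall-cmd --permanent --zone=public --list-ports 2>/dev/null)"
else
    # Constructed sample lists, not output captured from a real server.
    report "sample (both protocols)" "22/tcp 8886/tcp 8886/udp"
    report "sample (TCP only)" "22/tcp 8886/tcp"
fi
```

Ports opened through a firewalld service definition rather than --add-port do not appear in --list-ports, so this check reports them as not open.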
    

Ubuntu 18.04

By default, the Ubuntu firewall ufw is disabled. If you choose to enable it, then you will need to configure it to allow connections to the JetStream server. For instance:

# sudo ufw allow 8886

macOS

By default, the macOS firewall is disabled. It can be configured by navigating to System Preferences ‣ Security & Privacy ‣ Firewall. When enabled, the default setting Automatically allow downloaded signed software to receive incoming connections should allow connections to the JetStream server. If this option is off, or JetStream is blocked for any reason, then an exception can be added by selecting jetstream from the presented list.

Windows

By default, the Windows firewall is enabled. The JetStream installation automatically adds an exception to allow connections to the JetStream server.

To adjust the firewall configuration, navigate to Start menu ‣ Windows Administrative Tools ‣ Windows Defender Firewall with Advanced Security.

External Firewalls

To allow clients to connect to the JetStream server from an external network, any external firewalls between the server and the internet will need to be configured. Typical configuration tasks include:

  • Port Forwarding: Allow ports 8886/tcp and 8886/udp to be redirected to the JetStream server.

  • Allow Licensing: The server needs to make an outgoing connection to licensing.gojetstream.io on port 8885/tcp. If outgoing connections are restricted, a rule should be added to allow the server to contact the license server.

  • Check QoS Settings: Some firewalls restrict or deprioritize UDP traffic, which can reduce transfer performance. If the connection is slower than expected, you may need to adjust your QoS settings.

Firewalls have various security policies that may sometimes interfere with normal server operations. These include:

  • Deep Packet Inspection: Some enterprise firewalls provide “Deep Packet Inspection” or “Layer 7 Scanning” options that can block JetStream traffic. These systems can miscategorize JetStream network traffic and therefore block it, sometimes after many hours of operation. In these cases, add an exception according to the firewall documentation.

  • SSL Inspection: Some enterprise firewalls provide “SSL Inspection”. When enabled, the firewall replaces SSL certificates with its own, allowing it to analyze encrypted network traffic. This feature can prevent a JetStream server from successfully connecting to the license server at licensing.gojetstream.io, resulting in a licensing error such as “Failed to load license server certificate.” The firewall settings need to be adjusted to resolve this issue.