I must confess that when testing new OpenStack releases on a variety of different Linux distros (RHEL, Fedora, Ubuntu) I often disable the firewall in the interests of expediency. While this might be OK for internal testing in a lab environment or while preparing a Proof of Concept (PoC) for a client, it is definitely a bad habit and unacceptable for a production environment.
I recently did a Devstack install on Ubuntu 15.10 to test upstream OpenStack compatibility with the Sheepdog distributed storage backend. This time I left the firewall running (ufw, the Uncomplicated Firewall for Ubuntu) and opened only the ports necessary for OpenStack to run.
Before I present the list of ports which must be opened, note that all of these port numbers can be found in the conf files of the services themselves: /etc/glance/glance-api.conf, /etc/nova/nova.conf, /etc/cinder/cinder.conf, /etc/keystone/keystone.conf and so on. The same files also carry the listen ports of the public API endpoints (for example bind_port=9292 in glance-api.conf and osapi_compute_listen_port=8774 in nova.conf), which Horizon and the command-line clients must be able to reach, so check them for the nodes that serve APIs.
In the conf files, many ports are commented out: the default value applies, and the feature behind it is optional. For example, nova-api can expose an EC2-compatible API so that EC2 tooling (euca2ools, boto scripts) can manage OpenStack instances. To use it you would have to open TCP port 8773 in your firewall on the node running nova-api, but the option is commented out by default in nova.conf.
Here is the list of ports I have compiled. All ports are TCP unless specified otherwise:
AMQP/RabbitMQ: 5672 (5671 if RabbitMQ is configured for AMQP over TLS/SSL)
Glance glance-api.conf: registry_port=9191 (the Glance API itself listens on bind_port=9292)
Nova novncproxy: novncproxy_port=6080 (this one must be reachable from the browsers of console users, not only from the management network)
Nova EC2 API: ec2_port=8773 (commented out by default)
Nova metadata API: metadata_listen_port=8775 (commented out by default; the Neutron metadata agent connects to it, instances never reach it directly)
Nova iSCSI target: 3260 (commented out by default; compute nodes initiate the iSCSI connection, so open it on the node that runs the target, e.g. cinder-volume with the LVM driver)
Nova nova.virt.xenapi.image.bittorrent: 6881~6891 (commented out by default)
Nova redis host (matchmaker_redis): 6379 (commented out by default)
Neutron ovs_neutron_plugin.ini: vxlan_udp_port=4789, UDP (tunnel traffic between compute and network nodes)
Nova s3_port=3333 (commented out by default)
(there are more, but those ports are optional)
I have written a simple bash script that can be used to open the necessary ports in ufw. You can find the script at the following URL:
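As an added example, not the author's script (the original is the one linked above), here is a small POSIX sh script that opens the ports from the list in ufw. It differs from a plain "ufw allow PORT" loop in two ways a practitioner wants: every rule is restricted to a management subnet (MGMT_NET, a hypothetical value you must replace) instead of "from any", and each port spec is validated before it reaches ufw so a typo cannot silently widen the rule. The ports marked "commented out by default" are kept in a separate list that is only applied when OPEN_OPTIONAL=1. By default the script only prints the ufw commands; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not the author's script): open the OpenStack ports from the
# list above in ufw, restricted to the management network.
# Assumptions: ufw is installed, the script runs as root, and MGMT_NET is the
# management subnet (the default below is a hypothetical value; change it).
set -eu

MGMT_NET="${MGMT_NET:-192.168.100.0/24}"   # assumption: management subnet
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print rules only; DRY_RUN=0 applies them
OPEN_OPTIONAL="${OPEN_OPTIONAL:-0}"          # 1 = also open the "commented out by default" ports

# Port specs from the list above. Format: PORT[:PORT]/PROTO, space separated.
REQUIRED_PORTS="5672/tcp 9191/tcp 6080/tcp 8775/tcp 4789/udp"
OPTIONAL_PORTS="8773/tcp 3260/tcp 6881:6891/tcp 6379/tcp 3333/tcp"

# Print the ufw command for one spec. Anything that is not a numeric port or
# port range with a tcp/udp protocol is rejected rather than passed to ufw.
ufw_rule() {
    s="$1"
    port="${s%/*}"
    proto="${s#*/}"
    case "$port" in
        ""|*[!0-9:]*|*:*:*) echo "ufw_rule: bad port in '$s'" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "ufw_rule: bad protocol in '$s'" >&2; return 1 ;;
    esac
    printf 'ufw allow from %s to any port %s proto %s\n' "$MGMT_NET" "$port" "$proto"
}

# Emit the rule for every spec in a space-separated list.
rules_for() {
    for spec in $1; do
        ufw_rule "$spec"
    done
}

# Execute each command read from stdin, or just echo it in dry-run mode.
apply_rules() {
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            eval "$cmd"
        fi
    done
}

main() {
    rules_for "$REQUIRED_PORTS" | apply_rules
    if [ "$OPEN_OPTIONAL" = 1 ]; then
        rules_for "$OPTIONAL_PORTS" | apply_rules
    fi
    # Deny everything else inbound, then enable ufw without the interactive prompt.
    if [ "$DRY_RUN" != 1 ]; then
        ufw default deny incoming
        ufw --force enable
    fi
}

main
```

Two notes on using it. ufw allows loopback traffic by default, so on a single-node Devstack most of these rules only matter for access from other machines; on a multi-node deployment run it on each node with only the lists that node actually serves (the iSCSI target on the volume node, the VXLAN port on compute and network nodes, and so on). The noVNC port 6080 is the one exception to the management-subnet restriction: if users open consoles from outside that subnet, add a separate rule for it.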