Jenkins Slave port number for firewall

Question

We use Jenkins 1 504 on Windows   We need to have Master and Slave in different sub-networks with firewall in between  We can t have ANY to ANY port firewall rules  we must specify exact port numbers   I know the port Master is listening on   I also see that Slave opens connection to the Master from the arbitrary port dynamically assigned every run  and port on the Master side is also arbitrary  I can fix Master s port by specifying it in Manage Jenkins   Configure Global Security   TCP port for JNLP slave agents    How to fix Slave port    UPDATE  Found Connection Mechanism described here  https   wiki jenkins-ci org display JENKINS Jenkins CLI JenkinsCLI-Connectionmechanism  I think it might work for us  but still would be better to have fixed-2-fixed ports connection

User · Answer

I have a similar scenario  and had no problem connecting after setting the JNLP port as you describe  and adding a single firewall rule allowing a connection on the server using that port   Granted it is a randomly selected client port going to a known server port  a host ANY -  server 1 rule is needed    From my reading of the source code  I don t see a way to set the local port to use when making the request from the slave   It s unfortunate  it would be a nice feature to have   Alternatives   Use a simple proxy on your client that listens on port N and then does forward all data to the actual Jenkins server on the remote host using a constant local port   Connect your slave to this local proxy instead of the real Jenkins server   Create a custom Jenkins slave build that allows an option to specify the local port to use   Remember also if you are using HTTPS via a self-signed certificate  you must alter the configuration jenkins-slave xml file on the slave to specify the -noCertificateCheck option on the command line

User · Answer

A slave isn t a server  it s a client type application  Network clients  almost  never use a specific port  Instead  they ask the OS for a random free port  This works much better since you usually run clients on many machines where the current configuration isn t known in advance  This prevents thousands of  client wouldn t start because port is already in use  bug reports every day   You need to tell the security department that the slave isn t a server but a client which connects to the server and you absolutely need to have a rule which says client ANY -  server FIXED  The client port number should be    1024  ports 1 to 1023 need special permissions  but I m not sure if you actually gain anything by adding a rule for this - if an attacker can open privileged ports  they basically already own the machine   If they argue  then ask them why they don t require the same rule for all the web browsers which people use in your company

User · Answer

We had a similar situation  but in our case Infosec agreed to allow any to 1  so we didnt had to fix the slave port  rather fixing the master to high level JNLP port 49187 worked   Configure Global Security  -   TCP port for JNLP slave agents      TCP 49187 - Fixed jnlp port 8080 - jenkins http port   Other ports needed to launch slave as a windows service  TCP 135  139  445  UDP 137 138

[jenkins] Jenkins Slave port number for firewall

Examples related to jenkins

Examples related to port

Examples related to firewall

Examples related to slave