Skip to main content
Version: 3.28 (latest)

Failsafe rules

To avoid completely cutting off a host via incorrect or malformed policy, Calico has a failsafe mechanism that keeps various pinholes open in the firewall.

By default, Calico keeps the following ports open on all host endpoints:

22TCPInboundSSH access
53UDPOutboundDNS queries
67UDPOutboundDHCP access
68UDPInboundDHCP access
179TCPInbound & OutboundBGP access (Calico networking)
2379TCPInbound & Outboundetcd access
2380TCPInbound & Outboundetcd access
5473TCPInbound & Outboundetcd access
6443TCPInbound & OutboundKubernetes API server access
6666TCPInbound & Outboundetcd self-hosted service access
6667TCPInbound & Outboundetcd self-hosted service access

The lists of failsafe ports can be configured via the configuration parameters FailsafeInboundHostPorts and FailsafeOutboundHostPorts described in Configuring Felix . They can be disabled by setting each configuration value to "[]".


Removing the inbound failsafe rules can leave a host inaccessible.

Removing the outbound failsafe rules can leave Felix unable to connect to etcd.

Before disabling the failsafe rules, we recommend creating a policy to replace it with more-specific rules for your environment: see Creating policy for basic connectivity.