Failsafe rules
To avoid completely cutting off a host via incorrect or malformed policy, Calico has a failsafe mechanism that keeps various pinholes open in the firewall.
By default, Calico keeps the following ports open on all host endpoints:
Port | Protocol | Direction | Purpose
---|---|---|---
22 | TCP | Inbound | SSH access |
53 | UDP | Outbound | DNS queries |
67 | UDP | Outbound | DHCP access |
68 | UDP | Inbound | DHCP access |
179 | TCP | Inbound & Outbound | BGP access (Calico networking) |
2379 | TCP | Inbound & Outbound | etcd access |
2380 | TCP | Inbound & Outbound | etcd access |
5473 | TCP | Inbound & Outbound | etcd access |
6443 | TCP | Inbound & Outbound | Kubernetes API server access |
6666 | TCP | Inbound & Outbound | etcd self-hosted service access |
6667 | TCP | Inbound & Outbound | etcd self-hosted service access |
The lists of failsafe ports can be configured via the configuration parameters FailsafeInboundHostPorts and FailsafeOutboundHostPorts described in Configuring Felix. They can be disabled by setting each configuration value to "[]".
Removing the inbound failsafe rules can leave a host inaccessible.
Removing the outbound failsafe rules can leave Felix unable to connect to etcd.
Before disabling the failsafe rules, we recommend creating a policy that replaces them with more-specific rules for your environment: see Creating policy for basic connectivity.
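A pre-flight check for a proposed FailsafeInboundHostPorts / FailsafeOutboundHostPorts change, added here as an example (not Calico's or Felix's own code). It assumes the values take the comma-delimited "proto:port" form (for example "tcp:22,udp:68") with "[]" meaning disabled, compares them against the defaults in the table above, and reports which pinholes would close plus the two outcomes this page warns about: losing SSH (host inaccessible) and losing every etcd port (Felix unable to reach etcd).

```python
# Default pinholes as listed in the table above, keyed by (protocol, port).
DEFAULT_INBOUND = {
    ("tcp", 22): "SSH access", ("udp", 68): "DHCP access",
    ("tcp", 179): "BGP access (Calico networking)",
    ("tcp", 2379): "etcd access", ("tcp", 2380): "etcd access",
    ("tcp", 5473): "etcd access", ("tcp", 6443): "Kubernetes API server access",
    ("tcp", 6666): "etcd self-hosted service access",
    ("tcp", 6667): "etcd self-hosted service access",
}
DEFAULT_OUTBOUND = {
    ("udp", 53): "DNS queries", ("udp", 67): "DHCP access",
    ("tcp", 179): "BGP access (Calico networking)",
    ("tcp", 2379): "etcd access", ("tcp", 2380): "etcd access",
    ("tcp", 5473): "etcd access", ("tcp", 6443): "Kubernetes API server access",
    ("tcp", 6666): "etcd self-hosted service access",
    ("tcp", 6667): "etcd self-hosted service access",
}
ETCD_PORTS = {k for k, v in DEFAULT_OUTBOUND.items() if v.startswith("etcd")}


def parse_failsafe(value):
    """Parse an assumed "tcp:22,udp:68" style value into {(proto, port)}; "[]" = disabled."""
    value = value.strip().strip("[]").strip()
    if not value:
        return set()
    ports = set()
    for item in value.split(","):
        proto, _, port = item.strip().partition(":")
        if proto.lower() not in ("tcp", "udp") or not port.isdigit():
            raise ValueError(f"malformed failsafe entry: {item!r}")
        ports.add((proto.lower(), int(port)))
    return ports


def check_failsafe(inbound, outbound):
    """Return (closed, hazards): default pinholes the proposal closes, and the
    two failure modes the docs call out (host lockout, Felix losing etcd)."""
    closed, hazards = [], []
    for direction, raw, defaults in (("inbound", inbound, DEFAULT_INBOUND),
                                     ("outbound", outbound, DEFAULT_OUTBOUND)):
        proposed = parse_failsafe(raw)
        closed += [f"{direction} {p}:{n} ({why})"
                   for (p, n), why in sorted(defaults.items()) if (p, n) not in proposed]
        if direction == "inbound" and ("tcp", 22) not in proposed:
            hazards.append("SSH pinhole removed: host may become inaccessible")
        if direction == "outbound" and not (proposed & ETCD_PORTS):
            hazards.append("no etcd pinhole left: Felix may be unable to reach etcd")
    return closed, hazards
```

Run it against the values you intend to set before applying them; a non-empty hazards list is the signal to write the replacement policy first.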