Review firewall requirements (#4210)

* Move port & firewall to Planning and review it
* Review port procedure
* Update installing postgresql to work without firewall snippets
* Drop firewall-cmd snippet from provisioning
* Merge modules on opening ports
* Drop integrated/external proxy definitions

Integrated/external proxy was reported as flawed concept that we should
get rid of.

* Drop obsolete information on outgoing traffic

---------

Co-authored-by: Maximilian Kolb <[email protected]>
Co-authored-by: Ewoud Kohl van Wijngaarden <[email protected]>

Author: 3 people

guides/common/assembly_major-project-components.adoc

@@ -12,6 +12,4 @@ include::modules/ref_list-of-key-open-source-components-of-foreman.adoc[leveloff
 
 include::modules/con_smartproxy-features.adoc[leveloffset=+1]
 
-include::modules/con_smartproxy-networking.adoc[leveloffset=+1]
-
 include::modules/con_major-project-components-additional-resources.adoc[leveloffset=+1]

guides/common/assembly_networking-considerations-in-project.adoc

@@ -0,0 +1,7 @@
+include::modules/con_networking-considerations-in-project.adoc[]
+
+include::modules/con_smart-proxy-networking.adoc[leveloffset=+1]
+
+include::modules/ref_project-server-port-and-firewall-requirements.adoc[leveloffset=+1]
+
+include::modules/ref_smart-proxy-port-and-firewall-requirements.adoc[leveloffset=+1]

guides/common/assembly_planning-project-server-installation.adoc

@@ -12,8 +12,6 @@ ifdef::katello,orcharhino,satellite[]
 include::modules/ref_best-practices-for-optimizing-storage.adoc[leveloffset=+1]
 endif::[]
 
-include::modules/ref_port-and-firewall-requirements.adoc[leveloffset=+1]
-
 ifeval::["{mode}" == "connected"]
 include::modules/ref_ipv6-and-ipv4-requirements.adoc[leveloffset=+1]
 endif::[]

guides/common/assembly_preparing-environment-for-capsule-installation.adoc

@@ -9,21 +9,15 @@ Review the following prerequisites before you install {SmartProxyServer}.
 
 include::modules/ref_operating-system-requirements.adoc[leveloffset=+1]
 
-// System Requirements
 include::modules/ref_system-requirements.adoc[leveloffset=+1]
 
 ifdef::katello,satellite[]
-// Storage requirements
 include::modules/ref_capsule-storage-requirements.adoc[leveloffset=+1]
 
 include::modules/ref_best-practices-for-optimizing-storage.adoc[leveloffset=+1]
 endif::[]
 
-// Port and Firewall Requirements
-include::modules/ref_smart-proxy-port-and-firewall-requirements.adoc[leveloffset=+1]
-
-// Enabling Connections from {ProjectServer} and Clients to a {SmartProxyServer}
-include::modules/proc_enabling-connections-to-capsule.adoc[leveloffset=+1]
+include::modules/proc_opening-required-ports.adoc[leveloffset=+1]
 
 ifdef::parent-context[:context: {parent-context}]
 ifndef::parent-context[:!context:]

guides/common/assembly_preparing-environment-for-project-server-installation.adoc

@@ -2,7 +2,7 @@
 
 include::modules/con_preparing-environment-for-project-server-installation.adoc[]
 
-include::modules/proc_enabling-client-connections-to-project-server.adoc[leveloffset=+1]
+include::modules/proc_opening-required-ports.adoc[leveloffset=+1]
 
 include::modules/proc_verifying-dns-resolution.adoc[leveloffset=+1]
 

guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc

@@ -9,7 +9,7 @@ To provision machines through HTTP booting ensure that you meet the following re
 For HTTP booting to work, ensure that your environment has the following client-side configurations:
 
 * All the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}.
-For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[].
+For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[].
 * Your client has access to the DHCP and DNS servers.
 * Your client has access to the HTTP UEFI Boot {SmartProxy}.
 

guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc

@@ -12,7 +12,7 @@ To provision machines through HTTP booting without managed DHCP ensure that you
 * Ensure that your client has access to the DHCP and DNS servers.
 * Ensure that your client has access to the HTTP UEFI Boot {SmartProxy}.
 * Ensure that all the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}.
-For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[].
+For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[].
 
 .Network requirements
 * An unmanaged DHCP server available for clients.

guides/common/modules/con_networking-considerations-in-project.adoc

@@ -0,0 +1,4 @@
+[id="networking-considerations-in-{project-context}"]
+= Networking considerations in {Project}
+
+For the components of {Project} architecture to communicate, the required network ports must be open to enable incoming and outgoing traffic between the components.

guides/common/modules/con_pxe-booting-requirements.adoc

@@ -10,7 +10,7 @@ To provision machines using PXE booting, ensure that you meet the following requ
 
 .Client requirements
 * Ensure that all the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}.
-For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[].
+For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[].
 
 * Ensure that your client has access to the DHCP and TFTP servers.
 

guides/common/modules/con_smart-proxy-networking.adoc

@@ -0,0 +1,37 @@
+[id="{smart-proxy-context}-networking"]
+= {SmartProxy} networking
+
+The communication between {ProjectServer} and hosts registered to a {SmartProxyServer} is routed through that {SmartProxyServer}.
+{SmartProxyServer} also provides {Project} services to hosts.
+
+ifndef::satellite[]
+In a topology with hosts connecting to a {SmartProxyServer}, 
+endif::[]
+ifdef::satellite[]
+In xref:{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}[], 
+endif::[]
+{SmartProxyServer} provides a single endpoint for all host network communications so that in remote network segments, only firewall ports to the {SmartProxyServer} itself must be open.
+Hosts do not need direct access to {ProjectServer}.
+
+// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements"
+ifdef::satellite[]
+[id="{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}"]
+.{Project} topology with hosts connecting to a {SmartProxy}
+image::common/topology-isolated-satellite.png[{ProjectName} topology with a host]
+endif::[]
+
+ifndef::satellite[]
+In a topology with hosts connecting directly to {ProjectServer}, 
+endif::[]
+ifdef::satellite[]
+In xref:{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server[], 
+endif::[]
+hosts need direct network access to {ProjectServer}.
+This applies to all {SmartProxyServers} because they are hosts of {ProjectServer}.
+
+// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements"
+ifdef::satellite[]
+[id="{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server"]
+.{Project} topology with hosts connecting directly to {ProjectServer}
+image::common/topology-direct-satellite.png[{ProjectName} topology with a direct host]
+endif::[]