This appendix lists common ports and protocols used in MAAS provisioning and day-2 operations. Use it to build firewall rules, validate reachability, and scope captures. All port numbers are defaults; adjust for your environment.
## Legend

- dir: Traffic direction from the perspective of the initiator (src -> dst)
- proto: TCP or UDP
- who: Typical endpoints
- notes: Quick context or gotchas
## Core Provisioning and Control

| Service | Dir | Proto | Port | Who | Notes |
|---|---|---|---|---|---|
| DHCP Discover/Offer | node → rack | UDP | 67,68 | node, rack | One DHCP per VLAN; relays must target rack IP |
| TFTP (legacy PXE) | node → rack | UDP | 69 | node, rack | Sensitive to firewalls and latency |
| HTTP boot / images | node → rack | TCP | 80 | node, rack | Preferred over TFTP on UEFI systems |
| HTTPS boot (optional) | node → rack | TCP | 443 | node, rack | If you serve boot artifacts over TLS |
| MAAS API / metadata | node → region | TCP | 5240 | node, region | Commissioning, metadata, UI/API |
| DNS | node → rack/region | UDP/TCP | 53 | node, rack/region | Name resolution during all phases |
| NTP / Time Sync | node → ntp | UDP | 123 | node, ntp | Clock skew breaks token auth and TLS |
| Proxy (HTTP/S) | node → rack | TCP | 3128 | node, rack | MAAS built-in proxy on rack |
| WebSocket / Stream (internal) | rack → region | TCP | 5240 | rack, region | Keep path clear both ways if ACL'd |
## Day-2 OS Operations

| Service | Dir | Proto | Port | Who | Notes |
|---|---|---|---|---|---|
| APT repositories | node → mirror | TCP | 80,443 | node, mirror | Often via rack proxy |
| Snap endpoints | node → snap store | TCP | 443 | node, internet | Allow or mirror internally |
| SSH admin access | admin → node | TCP | 22 | admin, node | Do not expose broadly in production |
| Syslog / Rsyslog (optional) | node → log | UDP/TCP | 514 | node, log | If central logging is used |
## Power Drivers and BMC Access (Common)

| Driver | Dir | Proto | Port | Who | Notes |
|---|---|---|---|---|---|
| IPMI over LAN (RMCP+) | rack → bmc | UDP | 623 | rack, bmc | Required for ipmitool chassis power operations |
| Redfish / iLO / iDRAC | rack → bmc | HTTPS | 443 | rack, bmc | Vendor APIs over TLS; certs may be self-signed |
| Legacy BMC Web UI | admin → bmc | HTTP/HTTPS | 80,443 | admin, bmc | Restrict to admin subnets |
## Virtualization and Pods (When Used with MAAS)

| Service | Dir | Proto | Port | Who | Notes |
|---|---|---|---|---|---|
| LXD remote API | maas/rack → lxd host | TCP | 8443 | rack, lxd | For LXD-based pods |
| Libvirt (QEMU+TCP) | maas/rack → libvirtd | TCP | 16509 | rack, libvirt | If managing KVM pods directly |
| Libvirt dnsmasq (conflict) | host → vlan | UDP | 67,68 | host, vlan | Must be disabled on production VLANs |
## Optional Enterprise Infrastructure

| Service | Dir | Proto | Port | Who | Notes |
|---|---|---|---|---|---|
| LDAP/LDAPS | node → directory | TCP | 389,636 | node, ldap | For auth if integrated |
| HTTP proxies with auth | node → proxy | TCP | 3128 | node, proxy | Inject APT auth via cloud-init |
| Artifact registry | node → registry | TCP | 5000 | node, registry | Private Docker/OCI registries |
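The tables above are meant to drive reachability checks as well as firewall rules. The following is an added example (not MAAS project code) that encodes a few of the node-initiated TCP flows as data and verifies each with a real TCP handshake, so a blocked port is reported by service name instead of surfacing as a stalled commissioning run. The `RACK_IP_PLACEHOLDER` / `REGION_IP_PLACEHOLDER` hosts are placeholders to replace with your own controller addresses; `open_local_listener` exists only so the checker can be exercised offline.

```python
"""Reachability check over the MAAS port matrix.

Added example (not MAAS project code): encodes a subset of the TCP flows from
the port tables and verifies each one with a real TCP handshake.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    service: str
    host: str   # destination endpoint (rack or region address)
    port: int
    proto: str = "tcp"


# Constructed subset of the node-initiated TCP flows from the tables.
# The host values are placeholders; substitute your own rack/region addresses.
NODE_TCP_FLOWS = (
    Flow("HTTP boot / images", "RACK_IP_PLACEHOLDER", 80),
    Flow("Proxy (HTTP/S)", "RACK_IP_PLACEHOLDER", 3128),
    Flow("MAAS API / metadata", "REGION_IP_PLACEHOLDER", 5240),
)


def tcp_reachable(host, port, timeout=2.0):
    """True when a TCP handshake to host:port completes within `timeout` seconds.

    Connection refused, no route, name-resolution failure and timeout are all
    reported as unreachable: from the node's point of view a firewall drop and
    a missing listener look the same, so the result only means "open" or
    "blocked or down".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows, timeout=2.0):
    """Map each TCP flow's service name to its reachability result.

    UDP flows (DHCP, TFTP, NTP) are skipped: a plain UDP socket cannot tell an
    open port from a silently dropped datagram, so those need protocol-level
    probes (a DHCP Discover, a TFTP read request, an NTP query).
    """
    return {f.service: tcp_reachable(f.host, f.port, timeout)
            for f in flows if f.proto == "tcp"}


def failures(results):
    """Sorted list of service names that were not reachable."""
    return sorted(name for name, ok in results.items() if not ok)


def open_local_listener():
    """Bind a loopback listener on an ephemeral port; used to self-test the checker."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    results = check_flows(NODE_TCP_FLOWS)
    for service, ok in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {service}")
    if failures(results):
        print("blocked or down:", ", ".join(failures(results)))
```

Run it from a node (or from an address on the node VLAN) rather than from the rack itself, since the point is to test the path the node actually uses; a result of `FAIL` for `MAAS API / metadata` with `HTTP boot / images` passing is the classic signature of a rule that allows node → rack but forgot node → region on 5240.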
## Capture and Filter Crib

BPF snippets for quick packet filters:

- DHCP only: `(port 67 or port 68)`
- TFTP only: `udp port 69`
- DNS only: `port 53`
- HTTP to rack: `tcp port 80 and host <rack-ip>`
- Metadata to region: `tcp port 5240 and host <region-ip>`
- NTP: `udp port 123`
## Firewall Sketch (nftables Example)

```bash
# Allow core MAAS flows between node subnets and rack/region
nft add rule inet filter forward udp dport {67,68,69,53,123} counter accept
nft add rule inet filter forward tcp dport {80,443,3128,5240} counter accept
# Refine with src/dst subnets, interfaces, and established/related state
```
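The sketch above opens the port groups to any source and destination. The following is an added example (not MAAS project code) showing the refinement its last comment asks for: a generator that renders an `nft -f`-loadable forward chain scoped by source subnet, destination controller address, ingress interface and connection state, with a default-drop policy. The table name `maas`, the chain name `forward`, the function names and the sample addresses in `__main__` are all this example's own choices; the port groups come from the tables above.

```python
"""Render a refined nftables ruleset for MAAS flows.

Added example (not MAAS project code): turns the port groups from the tables
into a default-drop forward chain scoped by subnet, address, interface and
conntrack state.
"""

# Port groups from the tables (defaults; adjust for your environment).
NODE_TO_RACK_UDP = (67, 68, 69, 53, 123)   # DHCP, TFTP, DNS, NTP
NODE_TO_RACK_TCP = (80, 443, 3128, 53)     # HTTP(S) boot, proxy, DNS over TCP
NODE_TO_REGION_TCP = (5240,)               # API / metadata
RACK_TO_REGION_TCP = (5240,)               # internal WebSocket / stream
RACK_TO_BMC_UDP = (623,)                   # IPMI over LAN
RACK_TO_BMC_TCP = (443,)                   # Redfish / iLO / iDRAC


def nft_set(ports):
    """Format a port tuple as an nft anonymous set, e.g. '{ 67, 68 }'."""
    return "{ " + ", ".join(str(p) for p in ports) + " }"


def forward_rules(node_subnets, rack_ip, region_ip, relay_ips=(),
                  bmc_subnet=None, node_iface=None):
    """Return the forward-chain rules as a list of nft rule strings.

    node_subnets: CIDRs the nodes live in (initiators of provisioning flows).
    rack_ip / region_ip: controller addresses (destinations).
    relay_ips: DHCP relay addresses; relayed Discovers arrive unicast from the
        relay's own address, not from the node subnet, so they need their own rule.
    bmc_subnet: optional CIDR holding the BMCs the rack drives.
    node_iface: optional ingress interface to pin the node-sourced rules to.
    """
    # Return traffic is matched by conntrack, so no reverse ports are opened.
    rules = ["ct state established,related accept", "ct state invalid drop"]
    iif = f'iifname "{node_iface}" ' if node_iface else ""
    for net in node_subnets:
        rules.append(f"{iif}ip saddr {net} ip daddr {rack_ip} "
                     f"udp dport {nft_set(NODE_TO_RACK_UDP)} counter accept")
        rules.append(f"{iif}ip saddr {net} ip daddr {rack_ip} "
                     f"tcp dport {nft_set(NODE_TO_RACK_TCP)} counter accept")
        rules.append(f"{iif}ip saddr {net} ip daddr {region_ip} "
                     f"tcp dport {nft_set(NODE_TO_REGION_TCP)} counter accept")
    for relay in relay_ips:
        rules.append(f"ip saddr {relay} ip daddr {rack_ip} udp dport 67 counter accept")
    rules.append(f"ip saddr {rack_ip} ip daddr {region_ip} "
                 f"tcp dport {nft_set(RACK_TO_REGION_TCP)} counter accept")
    if bmc_subnet:
        rules.append(f"ip saddr {rack_ip} ip daddr {bmc_subnet} "
                     f"udp dport {nft_set(RACK_TO_BMC_UDP)} counter accept")
        rules.append(f"ip saddr {rack_ip} ip daddr {bmc_subnet} "
                     f"tcp dport {nft_set(RACK_TO_BMC_TCP)} counter accept")
    return rules


def ruleset(*args, **kwargs):
    """Wrap forward_rules() in a table/chain with a default-drop policy."""
    body = "\n".join("    " + r for r in forward_rules(*args, **kwargs))
    return (
        "table inet maas {\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy drop;\n"
        f"{body}\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed sample addresses; replace with your own.
    print(ruleset(["10.10.0.0/24"], "10.20.0.2", "10.20.0.5",
                  relay_ips=["10.10.0.1"], bmc_subnet="10.30.0.0/24",
                  node_iface="eth1"))
```

Save the output to a file and load it with `nft -f`; because the chain's policy is `drop`, review the rendered rules against the tables before loading on a router that also carries day-2 traffic (APT, SSH, syslog), which this chain deliberately does not open.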
## Notes on Directionality

- During provisioning, nodes initiate most flows (to rack for DHCP/TFTP/HTTP and to region for metadata).
- Rack → Region connections must be allowed on TCP 5240. Keep-alives may appear as long-lived sessions.
- For external DHCP, ensure option 66 (next-server) and option 67 (bootfile) point to the rack controller.
- When using relays, permit helper traffic from routers to rack and replies back to client VLAN.