Main Firewall

You will need a router (with DMZ and VLAN and SPI capability) and two subnets are required within the office to implement PCI compliance. These can be reasonably priced such as the easily configurable SG-2440 pfSense router (approx $500 in 2015 prices) which has a lot of features. Please check techsoup.org if you are a not for profit organization as they have full cisco routers that you may be eligible to purchase at a discount.

We only recommend a router/firewall that has the ability to isolate the apache computer (i.e. designate an ip address for the DMZ).

Your firewall need to restrict connections between untrusted networks and any system components in the card holder environment PCI requirement 1.2.
  • Routers be a dedicated device, preferably a hardware router. If it is a software router such as one built on linux, then it must only be used only for this purpose and contain no other services.
  • It should be configured to shut down all incoming and outgoing ports except those required for business as per the following:

When you need to set up firewalls on computers, the built in firewall on windows is very flexible. On OSX, do not manage the built in firewall via System Preferences on servers - instead, consider using a tool like Murus Firewall to unlock the power of the OSX PF firewall.

Firewall/Router Rules

The main router/firewall is protection from the outside world. If the router has DMZ capability, please set up the DMZ IP address to have the same subnet range as the office lan. This will make it easier to scale up web listeners that talk to the Web Server.

This diagram identifies which traffic is required for Theatre Manager to work in the card holder environment per PCI requirement 1.2.1

Any traffic not required should be denied - and the router should be set to 'deny all' unless explicit permission is given.

In the example below, we'll refer to IP addresses

  • in the office VLAN as 192.168.1.x
  • in VLAN2 (containing wireless devices and/or machines not subject to PCI) as 192.168.2.x
  • and use 192.168.1.10 as the inside address of the DMZ where the Web Server resides, protected on both sides by firewall rules. The outside IP address (internet) also authenticated and verified using an SSL Certificate.

  • The lighter red arrows on the diagram represent places where you could place restrictive rules from specific machines to specific machines. Those rules are outlined in the table below the diagram.
  • The number in the first column of the table refers to the same number on the diagram to give an idea what kind of rules are required for each component. If you combine some services on to the same machine, you will need to aggregate the rules.
  • All ports in the table are TCP
  • Rules are for INITIATED connections (outbound connections). Meaning a machine starts the connection.
  • If an inbound message occurs on an approved port, then ANY port can be used for outgoing response. (i.e. do not block responses to approved inbound messages.

    For example: Item #1, the postgres server, only needs port 5432 incoming to that device. You would turn on the personal firewall on the machine so that it only opens that port.

If you prefer to view the firewall rules from the perspective of specific ports, please refer to ports used by Theatre Manager

Item Machine and Purpose Subject to PCI Virus S/W Inbound Port Rules Outbound Port Rules
1 PostgreSQL server

database

depends no*
  • 5432 from any 192.168.1.x (note: traffic to DB will be using TLS 1.2)
  • all to 192.168.1.x
  • 37 to NTP server
2 Remote Box Office via VPN
(or terminal server)
yes yes*
  • as needed from internet
  • all to internet
  • 5432 to 192.168.1.2 (Postgres Server)
3 Web Services (TM Listener) yes no*
  • 443 from 192.168.1.10 (nginx server)
  • 8111 from other TM listeners if they exist
  • any from 192.168.1.2 (postgres server)
  • any to 192.168.1.10 (NGINX web server)
  • 5432 to 192.168.1.2 (postgres)
  • 53 for DNS, MX lookup
  • 37 to NTP server
  • 443 to www2.artsman.com
  • 80 to maps.googleapis.com/maps/api/geocode
  • 25 (or 465 or 587) to SMTP server (as required)
  • 110 to pop server for Facility Mgt
  • 443 outgoing to credit card provider
4 Box Office Workstations yes yes*
  • all from 192.168.1.x
  • 80, 443, 8111 to 192.168.1.10 (web server)
  • 5432 to 192.168.1.2 (postgres)
  • 53 for DNS, MX lookup
  • 37 to NTP server
  • 443 to www2.artsman.com
  • 80 to maps.googleapis.com/maps/api/geocode
  • 80 to www.google.com/maps/api/staticmap
  • 80 to help.theatremanager.com
  • 443 outgoing to credit card provider
5 Ticket Printer no n/a
  • 10001 from 192.168.1.x (or whatever port the printer is set on
  • all to 192.168.1.x
6 Web Server (NGINX) yes yes*
  • 80, 443 from internet
  • port 443 to 192.168.1.9 (Web Services TM Listener)
7 Outside of Firewall no n/a
  • 80,443 from internet
  • xxxx from internet or Term Services
  • forward 80,443 to 192.168.1.10 (NGINX Web Server - which automatically escalates to 443)
  • forward xxxx to 192.168.1.4 (Term Server)
8 Internal Wireless Router no n/a
  • all from 192.168.1.1
  • specific to 192.168.2.1 as required
9 Venue Lan computers not handling credit cards
no yes
  • all from 192.168.2.1
  • as needed to 192.168.1.1
10 wireless ticket scanners no n/a  
  • Ticket scanning occurs through the internet via tickets.yourvenue.org and port 443. Open ports to allow scanning traffic to the outside of the router

Ports used by Theatre Manager

The table below describes which ports various components in Theatre Manager uses. With few exceptions, it is possible to change the ports that are being used if you wish. The only ports that should not (or cannot) be changed are:
  • ports 80 & 443 externally for web sales.
  • Outgoing port 443 for credit card authorizations
  • port 37 for a time server
  • port 53 for MX record lookup via a DNS server

If you prefer to view the firewall rules from the perspective of specific machines, please refer to ports used by each machine

Port Meaning Use Security Note
25 (or 465 or 587) SMTP Outgoing TM Server uses this for email for web sales, eblasts and meeting scheduling. note: Workstations do not send emails and do not require access to SMTP server.

Alternate SMTP ports can be used as TM supports (startTLS and other security)

You may wish to place a small SMTP server (like Exchange) within your network so that TM talks to it and allow it to relay to the internet. This also controls outgoing access.

37 NTP Time Server Outgoing OSX and Windows machines use this to syncronize clocks. All machines should be able to synchronize with an NTP server so that transactions and audit logs are accurately recorded when the happen per PCI 10.4 compliance
53 DNS and MX lookup. Outgoing This is used to verify email and web domains during the data entry process to improve data quality
80 HTTP Incoming and Outgoing Incoming is only required to the Web server.

Outgoing for workstations to communicate to:

  • help.theatremanager.com
  • teamviewer
Teamviewer can go out on ports 80 and/or 5938
443 HTTPS Incoming and Outgoing Incoming is required for web sales.

Outgoing is required for TM Server and TM Workstations for

  • Credit Card Authorization
  • www2.artsman.com for autoupdates
  • TM Server for REST API access if enabled
110 (or 993) POP3 Outgoing Facility Management module only: TM has a scheduling function that lets users set up calendar event and send the invitations to users, patrons and volunteers.

The port is used by TM workstation and Server, and only email with valid outlook or iCal attachements are read. All others are discarded. No user checks this email address.

Theatre Manager supports alternate POP3 ports if you prefer.

5000 Web Services Internal The Web Server load balancer communicates to Theatre Manager Web Services on port 5000
8111 Web Template Server Internal This internal port on the web server is a Virtual host used by web services to obtain the custom web page templates from the htdocs folder for merging. It is also used by workstations to obtain web page templates used to send double out-in confirmations as per CASL (Canada's Anti Spam Law)
8201 Cache Server Internal This internal port is used for caching data shared between web service processes.
5432 Postgres Internal This is the standard port for the Postgres database server and is only used within the LAN. Postgres's pg_hba.conf configuration file specifies the IP address ranges (or specfic IP's) that can communicate with the database server. If a machine is not permitted to talk, postgres will does not respond.

Traffic from workstations to postgres is via TLS

10001 Ticket Printer Internal Workstations send a string of characters to print a ticket. The printer responds with status requests as need be.

No outside machine needs access to a ticket printer.

xxxx Terminal Server & Remote Access Incoming A secure connection from the remote box office to the firewall is recommended for security purposes. RDC and Terminal Services establish secure connections. VPN is additional security.