Comprehensive Guide to RabbitMQ Port Configuration and Firewall Settings

RabbitMQ Port Overview

RabbitMQ, as an enterprise-grade message broker, relies on multiple TCP ports for network communication. In cluster deployment scenarios, proper firewall configuration to ensure port accessibility is crucial. Based on Q&A data and official documentation, RabbitMQ primarily involves three categories of ports: client communication ports, inter-node cluster communication ports, and management tool ports.

Core Port Function Analysis

Port 4369: Used by the Erlang Port Mapping Daemon (epmd) for node name resolution. In cluster environments, all nodes must be able to access each other's epmd ports, which forms the foundation of node discovery and communication. epmd maintains the mapping between node names and distribution ports. When a node needs to connect to other nodes in the cluster, it first queries the actual communication port of the target node through port 4369.

Port 5672: This is RabbitMQ's default AMQP protocol port, used for message passing between clients and the server. The netstat output shows this port listening on IPv6 interfaces (:::5672), consistent with modern Linux system dual-stack configuration where IPv6 listening automatically includes IPv4 connections. If no explicit tcp_listener is specified in the configuration, RabbitMQ defaults to using this port.

Port 35197: This is a custom inter-node communication port configured through Erlang distribution settings. In the provided configuration example, the distribution port range is limited to a single port 35197 via the inet_dist_listen_min and inet_dist_listen_max parameters. Cluster operations such as metadata synchronization and queue mirror coordination occur through this port.

Cluster Communication Port Requirements

For full cluster functionality, all three core ports need to be open in the firewall:

• Port 4369: Must be open to all cluster nodes to ensure proper node discovery mechanism
• Port 5672: Required for client connections and certain inter-node communications
• Port 35197 (or configured distribution port range): Primary channel for direct node-to-node communication

It's particularly important to note that distribution ports (like 35197) should be accessible only within the cluster's internal network and not exposed to the public internet to minimize security risks.

IPv6 and Dual-Stack Support

The observation from netstat output that port 5672 appears only in the tcp6 line doesn't indicate IPv4 connections are rejected. In modern Linux systems, when a service binds to the IPv6 wildcard address (::), the kernel automatically handles IPv4 connections through IPv6-mapped addresses (::ffff:0.0.0.0). This dual-stack support ensures compatibility with both IPv4 and IPv6 clients without separate configuration.

Other Related Ports

Beyond core cluster ports, RabbitMQ utilizes additional ports for extended functionality:

• 15672: RabbitMQ management plugin HTTP API port (version 3.x)
• 55672: Management plugin port for earlier versions
• 5671: TLS-encrypted AMQP connection port
• 25672: Erlang distribution server port (default calculated as 5672+20000)
• 35672-35682: CLI tool communication port range

The opening of these ports depends on specific features and plugin configurations being used.

Firewall Configuration Practices

When configuring firewalls in production environments, the principle of least privilege is recommended:

1. Open ports only to necessary network ranges
2. Restrict cluster internal communication ports (4369, distribution ports) to private networks
3. Client connection ports (5672) can be opened to specific subnets based on application requirements
4. Management ports (15672, etc.) should have strictly limited access sources

Through proper port planning and firewall configuration, you can build both secure and efficient RabbitMQ cluster environments.