Appendix K Using Firewall

When using Firewall, perform either of the following procedures because the cluster may not operate normally.

Allow the communication interface used by PRIMECLUSTER.
Allow the port number used by PRIMECLUSTER.

This chapter provides examples for configuring Firewall by using firewalld and iptables or ip6tables.

Configure the settings in accordance with the security policy.

See

For details on firewalld, see the man manual or other related documentation for the firewalld(1) or firewall-cmd(1) command.
For details on iptables, see the man manual or other related documentation for the iptables(8) command.
For details on ip6tables, see the man manual or other related documentation for the ip6tables(8) command.

When allowing the communication interface used by PRIMECLUSTER

With PRIMECLUSTER, communication interfaces are used on the administrative LAN and the cluster interconnects. Configure the settings to allow both communication interfaces.

The following is an example to allow sending and receiving the communication interface "cip0" of the cluster interconnect.

firewalld
The option of the firewall-cmd command which changes the settings of firewalld differs in the following two situations. One is for when an interface which is not registered in the zone is added to "zone=trusted". The other is for when an interface which is registered in another zone is changed to "zone=trusted".
Add interface cip0 which is not originally registered in the zone to zone=trusted
```
Format:   firewall-cmd --permanent --zone=trusted --add-interface=<interface>
```
```
Example:  firewall-cmd --permanent --zone=trusted --add-interface=cip0
```
Change zone of interface cip0 which is originally registered in another zone to trusted
```
Format:   firewall-cmd --permanent --zone=trusted --change-interface=<interface>
```
```
Example:  firewall-cmd --permanent --zone=trusted --change-interface=cip0
```

iptables or ip6tables

Format:  -A INPUT -i <input-interface> -j ACCEPT
         -A OUTPUT -o <output-interface> -j ACCEPT

Example: -A INPUT -i cip0 -j ACCEPT
         -A OUTPUT -o cip0 -j ACCEPT

When allowing the port number used by PRIMECLUSTER

See both "Appendix I Startup Scripts and Startup Daemons, and Port Numbers in PRIMECLUSTER" and "Appendix J Systemd Services and Startup Daemons, and Port Numbers in PRIMECLUSTER," and allow communication of all port numbers used by PRIMECLUSTER.

The following is an example to allow communications of some port numbers used by the cluster resource management facility between the local node and other nodes.

firewalld

Allow communication to specific port number

Format:    firewall-cmd --permanent --zone=<zone> --add-port=<destination-port-number>/<tcp/udp>

Example:    firewall-cmd --permanent --zone=public --add-port=9383/tcp

Allow communication from specific port number

Command option of IPv4 and IPv6 differ from each other.

IPv4

Format:     firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p <tcp/udp> --sport <source-port-number> -j ACCEPT

Example:    firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --sport 9383 -j ACCEPT

IPv6

Format:     firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p <tcp/udp> --sport <source-port-number> -j ACCEPT

Example:    firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p tcp --sport 9383 -j ACCEPT

iptables or ip6tables

Format:  -A <INPUT/OUTPUT> -p <tcp/udp> -m <tcp/udp> --dport <destination-port-number> -j ACCEPT
         -A <INPUT/OUTPUT> -p <tcp/udp> -m <tcp/udp> --sport <source-port-number> -j ACCEPT

Example: -A INPUT -p tcp -m tcp --dport 9383 -j ACCEPT
         -A OUTPUT -p tcp -m tcp --sport 9383 -j ACCEPT
         -A INPUT -p tcp -m tcp --sport 9383 -j ACCEPT
         -A OUTPUT -p tcp -m tcp --dport 9383 -j ACCEPT

Note

If you changed the configuration of firewalld by the '--permanent' option of firewall-cmd, restart the firewalld service.
If you changed the configuration of iptables, perform one of the following operations instead of restarting the iptables service.
- Restarting the cluster node
- Reflecting the change by iptables-restore
If you changed the configuration of ip6tables, perform one of the following operations instead of restarting the ip6tables service.
- Restarting the cluster node
- Reflecting the change by ip6tables-restore
When using the state module in iptables or ip6tables, configure settings to allow communications of PRIMECLUSTER before the state module settings.
In the following example, communications of cluster interconnects are allowed before the state module settings.
```
Example: -A INPUT -i cip0 -j ACCEPT
         -A OUTPUT -o cip0 -j ACCEPT
         -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
         -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
```