This section describes the security settings that are required to allow communication within the cluster.
PRIMECLUSTER uses several protocols and ports for communication within the cluster. Allow these protocols and ports as described below.
However, in FJcloud-Baremetal, if you allow the protocol/port used by PRIMECLUSTER, the maximum number of security rules will be exceeded. In this case, use the firewall on the OS to restrict communication.
Refer to "Appendix K Using Firewall" in "PRIMECLUSTER Installation and Administration Guide", and set the firewall for each NIC.
In a Bare Metal environment, additional ports/protocols must be allowed.
In addition, add rules based on the security requirements of the customer.
Firewall applied to the administrative LAN
Allow sending to the following port numbers.
These settings are not necessary in a single-node cluster.
Communication destination | Protocol | Port range | Description |
---|---|---|---|
IP address of DNS server | tcp | 53 | Used for the forced stop |
IP address of DNS server | udp | 53 | Used for the forced stop |
IP address of NTP server | udp | 123 | Used for NTP server query |
Not specified | tcp | 443 | Used for the forced stop |
IP address of the administrative LAN of a destination cluster node | icmp | - | Used for clchkcluster |
Allow receiving for the following protocol.
This setting is not necessary in a single-node cluster.
Communication destination | Protocol | Port range | Description |
---|---|---|---|
IP address of the administrative LAN of a destination cluster node | icmp | - | Used for clchkcluster |
Firewall applied to the cluster interconnect
Allow sending and receiving for the following protocol.
This setting is not necessary in a single-node cluster.
Communication destination | Protocol | Port range | Description |
---|---|---|---|
IP address of the interconnect of a destination cluster node | 123 | - | Used for the heartbeat |
Firewall applied to the storage network
Allow sending to the following port number.
Communication destination | Protocol | Port range | Description |
---|---|---|---|
IP address of the block storage (iSCSI) | tcp | 3260 | Used for the connection with the block storage (iSCSI) |
Create the security group for the Web-Based Admin View (on the management client side) with the following values.
Communication source CIDR | Protocol | Port range | Description |
---|---|---|---|
Specify as appropriate | tcp | 3389 | Used for the remote desktop connection |
Communication target CIDR | Protocol | Port range | Description |
---|---|---|---|
IP address of the cluster node | tcp | 8081 | Used for the management view |
IP address of the cluster node | tcp | 9798 | Used for the management view |
IP address of the cluster node | tcp | 9799 | Used for the management view |
When using the firewall service, add the following to the firewall rules.
Protocol | Source IP address | Destination IP address | Destination port number | Action |
---|---|---|---|---|
tcp (*1) | Subnet for the administrative LAN | Not specified | 443 | Allow |
udp | Subnet for the administrative LAN | IP address of DNS server | 53 | Allow |
tcp | Subnet for the administrative LAN | IP address of DNS server | 53 | Allow |
udp | Subnet for the administrative LAN | IP address of NTP server | 123 | Allow |
(*1) This setting is not necessary in a single-node cluster.
Note
Add the settings to allow the connection via ssh or the remote desktop connection from the external network as necessary.
When using the yum command, add the following settings. Add or delete these settings as necessary to enhance the security.
Protocol | Source IP address | Destination IP address | Destination port number | Action |
---|---|---|---|---|
tcp | Subnet for the administrative LAN | IP address of the repository server | 80 | Allow |
tcp | Subnet for the administrative LAN | IP address of the repository server | 443 | Allow |
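As an added example that is not part of the PRIMECLUSTER manual, the following POSIX shell script renders the per-NIC tables above (administrative LAN, interconnect, storage network, the management view ports, and the ssh and yum rules from the notes) into an nftables ruleset for one cluster node with a default-deny policy in each direction. The NIC names and the peer, server and client addresses are constructed placeholders, not values from the manual.

```shell
#!/bin/sh
# Added example, not from the PRIMECLUSTER manual: render an nftables ruleset for one
# cluster node from the per-NIC tables above (OS firewall, default deny per direction).
# NIC names and addresses are constructed placeholders; replace them with the node's values.
ADMIN_NIC=${ADMIN_NIC:-eth0}; PEER_ADMIN=${PEER_ADMIN:-192.0.2.12}  # other node, admin LAN
IC_NIC=${IC_NIC:-eth1};       PEER_IC=${PEER_IC:-10.0.0.2}          # other node, interconnect
STO_NIC=${STO_NIC:-eth2};     ISCSI=${ISCSI:-10.1.0.10}             # block storage (iSCSI)
DNS=${DNS:-192.0.2.53}; NTP=${NTP:-192.0.2.123}                     # DNS and NTP servers
MGMT=${MGMT:-192.0.2.100}; REPO=${REPO:-192.0.2.80}                 # management client, yum repo

# render_ruleset [1]: print the ruleset; pass 1 for a single-node cluster, which omits
# the rules the tables mark as unnecessary there (forced stop, clchkcluster, heartbeat).
render_ruleset() {
  multi=1; [ "${1:-0}" = 1 ] && multi=0
  cat <<EOF
table inet primecluster {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    iifname "$ADMIN_NIC" tcp dport 22 accept                       # ssh from outside, see Note
    iifname "$ADMIN_NIC" ip saddr $MGMT tcp dport { 8081, 9798, 9799 } accept  # management view
EOF
  [ $multi = 1 ] && cat <<EOF
    iifname "$ADMIN_NIC" ip saddr $PEER_ADMIN icmp type echo-request accept  # clchkcluster
    iifname "$IC_NIC" ip saddr $PEER_IC ip protocol 123 accept     # heartbeat (protocol 123)
EOF
  cat <<EOF
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    oifname "$ADMIN_NIC" ip daddr $DNS tcp dport 53 accept         # DNS (forced stop)
    oifname "$ADMIN_NIC" ip daddr $DNS udp dport 53 accept         # DNS (forced stop)
    oifname "$ADMIN_NIC" ip daddr $NTP udp dport 123 accept        # NTP query
    oifname "$ADMIN_NIC" ip daddr $REPO tcp dport { 80, 443 } accept  # yum repository
    oifname "$STO_NIC" ip daddr $ISCSI tcp dport 3260 accept       # iSCSI
EOF
  [ $multi = 1 ] && cat <<EOF
    oifname "$ADMIN_NIC" tcp dport 443 accept                      # forced stop, any destination
    oifname "$ADMIN_NIC" ip daddr $PEER_ADMIN icmp type echo-request accept  # clchkcluster
    oifname "$IC_NIC" ip daddr $PEER_IC ip protocol 123 accept     # heartbeat (protocol 123)
EOF
  printf '  }\n}\n'
}

# Example: render_ruleset > /etc/nftables.conf   (single-node cluster: render_ruleset 1)
```

Validate the rendered text with `render_ruleset | nft -c -f -` before loading it, and add the customer's own rules as this section requires.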