Configuring firewall rules for HP Serviceguard on SUSE SLES and Red Hat

Introduction
This white paper explains how to configure firewall rules for HP Serviceguard on the SUSE SLES and Red Hat distributions of
Linux. Before deploying a Serviceguard cluster, the ports used by Serviceguard must be opened, because a default system
firewall configuration may leave them blocked. This document is intended to be read in conjunction with the
“Compatibility” section of the latest version of the HP Serviceguard for Linux Release Notes.
NOTE: This document assumes that you are using the default firewall configuration for your Linux distribution. If not,
you may need to adjust the instructions to fit your environment.
Audience
Readers should be knowledgeable about network security and the SUSE or Red Hat version of Linux, and have a good
working knowledge of Serviceguard for Linux. For more information about the security aspects of Serviceguard, see the
Securing Serviceguard white paper. For more information about Serviceguard, visit hp.com/go/linux-serviceguard-docs.
Revision history
First edition: April 2009
Second edition: June 2012
Configuring firewall rules on Red Hat 5 and Red Hat 6
Using the command line
CAUTION
If you use the command line to configure the rules you must never use the GUI tool for the same purpose.
Note:
Prior to configuring the firewall rules on Serviceguard clusters A.11.19 and later, perform the workaround for
QXCR1001220269 described in the latest version of the HP Serviceguard for Linux Release Notes.
Rules mentioned here are for ports used by Serviceguard alone and do not include the ports used by applications for
any of the Serviceguard toolkits.
By default, Red Hat 6 blocks some ports. It is essential to apply the firewall rules to allow Serviceguard cluster nodes
to communicate with each other.
The following are examples of the raw iptables and ip6tables commands for the various services. In general you first need to
add the following, which creates a dedicated Serviceguard chain and references it from the INPUT chain:
iptables -N Serviceguard
iptables -I INPUT -j Serviceguard
ip6tables -N Serviceguard
ip6tables -I INPUT -j Serviceguard
For the basic Serviceguard installation:
iptables -A Serviceguard -p tcp --dport ident -j ACCEPT
iptables -A Serviceguard -p udp --dport hacl-cfg -j ACCEPT
iptables -A Serviceguard -p tcp --dport hacl-cfg -j ACCEPT
iptables -A Serviceguard -p udp --dport hacl-hb -j ACCEPT
iptables -A Serviceguard -p tcp --dport hacl-hb -j ACCEPT
ip6tables -A Serviceguard -p tcp --dport ident -j ACCEPT
ip6tables -A Serviceguard -p udp --dport hacl-cfg -j ACCEPT
ip6tables -A Serviceguard -p tcp --dport hacl-cfg -j ACCEPT
ip6tables -A Serviceguard -p udp --dport hacl-hb -j ACCEPT
ip6tables -A Serviceguard -p tcp --dport hacl-hb -j ACCEPT
iptables -A Serviceguard -p tcp --dport hacl-local -j ACCEPT
ip6tables -A Serviceguard -p tcp --dport hacl-local -j ACCEPT
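The chain setup and basic-installation rules above, as a re-runnable script (an added example, not HP's own tooling): it guards chain creation and the INPUT jump so a second run does not duplicate them, and it reports hacl-* names that are not defined in /etc/services, since iptables rejects --dport with a service name it cannot resolve. Run as root and pipe the generated commands to sh to apply them.

```shell
#!/bin/sh
# Added example (not HP's script): emit the Serviceguard chain and rules from
# this paper as a command list that can be reviewed first and then applied.

# "proto service" pairs the paper opens for the basic installation.
SG_BASE_PORTS="tcp ident
udp hacl-cfg
tcp hacl-cfg
udp hacl-hb
tcp hacl-hb
tcp hacl-local"

# Chain creation and INPUT hook for one tool (iptables or ip6tables), guarded
# so that re-running does not add a second "-j Serviceguard" jump to INPUT.
sg_chain_cmds() {
    tool=$1
    echo "$tool -L Serviceguard -n >/dev/null 2>&1 || $tool -N Serviceguard"
    echo "$tool -L INPUT -n | grep -q '^Serviceguard ' || $tool -I INPUT -j Serviceguard"
}

# One ACCEPT rule per "proto service" line, for the given tool.
sg_port_cmds() {
    tool=$1
    echo "$SG_BASE_PORTS" | while read -r proto svc; do
        [ -n "$svc" ] || continue
        echo "$tool -A Serviceguard -p $proto --dport $svc -j ACCEPT"
    done
}

# Service names from SG_BASE_PORTS that the services file (default
# /etc/services) does not define; iptables rejects --dport <name> for these.
sg_missing_services() {
    file=${1:-/etc/services}
    echo "$SG_BASE_PORTS" | while read -r proto svc; do
        [ -n "$svc" ] || continue
        grep -q "^$svc[[:space:]]" "$file" || echo "$svc"
    done | sort -u
}

# Complete command list for both address families: sg_all_cmds | sh
sg_all_cmds() {
    for tool in iptables ip6tables; do
        sg_chain_cmds "$tool"
        sg_port_cmds "$tool"
    done
}
```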
lower_dynamic=$(cat /proc/sys/net/ipv4/ip_local_port_range|awk '{ print $1 }')
upper_dynamic=$(cat /proc/sys/net/ipv4/ip_local_port_range|awk '{ print $2 }')