HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)

for each node in the cluster. Rules that filter on interface names will also be different on different
nodes in a cluster.
Filtering on a package IP address
HP-UX IPFilter can filter on a package IP address. The package IP address is an IP address that
corresponds to a logical network interface.
For example, a telnet connection is made to the primary cluster node with a package IP address
of 17.13.24.105. You want to configure IPFilter to let telnet traffic through. Configure the
following rule for incoming telnet connections made to the telnet package:
pass in proto tcp from any to 17.13.24.105 flags S keep state
You can replace 17.13.24.105 with the package name in this rule if the package has been
configured properly and has a DNS entry.
Configure this rule on the backup nodes as well. This ensures that when the telnet package fails
to a backup, there is a rule on the backup that lets telnet connections pass through as required.
This type of configuration can be used with any package.
Mandatory rules
Each node in a Serviceguard cluster has specific rules that must be configured. These rules ensure
that:
Normal remote failovers are not disrupted.
No false remote failovers occur because traffic is blocked by IPFilter that should not be blocked.
The classes of mandatory rules cover:
Intra-Cluster Communication
Quorum Server
Remote Command Execution
Cluster Object Manager
Serviceguard Manager
Do not block traffic for the following ports:
hacl-qs 1238/tcp # High Availability (HA) Quorum Server
clvm-cfg 1476/tcp # HA LVM configuration
hacl-hb 5300/tcp # High Availability (HA) Cluster heartbeat
hacl-hb 5300/udp # High Availability (HA) Cluster heartbeat
hacl-gs 5301/tcp # HA Cluster General Services
hacl-cfg 5302/tcp # HA Cluster TCP configuration
hacl-cfg 5302/udp # HA Cluster UDP configuration
hacl-probe 5303/tcp # HA Cluster TCP probe
hacl-probe 5303/udp # HA Cluster UDP probe
hacl-local 5304/tcp # HA Cluster commands
hacl-test 5305/tcp # HA Cluster test
hacl-dlm 5408/tcp # HA Cluster distributed lock manager
hacl-poll 5315/tcp # HA Cluster TCP polling cmappserver for hpvm
NOTE: This list of HA services is not exhaustive. In addition, Serviceguard also uses dynamic
ports (typically in the 49152–65535 range) for some cluster services. If you have adjusted the
dynamic port range using kernel tunable parameters, alter your rules accordingly.
This list does not include all HA applications (such as Continental Cluster). New HA applications
might be developed that use port numbers in addition to the listed numbers. You must add new
rules as appropriate to ensure that all HA applications run properly. The current list of ports used
by Serviceguard is documented in the Serviceguard Release Notes.
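The following ipf.conf fragment is an added example, not taken from this guide or from Serviceguard, that puts the package IP rule and the mandatory port list above into one ruleset. The cluster subnet 192.168.10.0/24, the quorum server address 192.168.20.9 and the interface name lan0 are constructed assumptions; the port numbers and the package IP 17.13.24.105 come from this section.

```conf
# Added example: one node's ipf.conf for a Serviceguard cluster.
# Assumed (not from the guide): nodes on 192.168.10.0/24, quorum server
# 192.168.20.9, cluster interface lan0, default dynamic range 49152-65535.

# Never filter loopback traffic.
pass in quick on lo0 all
pass out quick on lo0 all

# Intra-cluster services from the mandatory list, accepted only from the
# other cluster nodes (quick: first match wins, so these precede the block).
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 5300 flags S keep state  # hacl-hb
pass in quick on lan0 proto udp from 192.168.10.0/24 to any port = 5300 keep state          # hacl-hb
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 5301 flags S keep state  # hacl-gs
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 5302 flags S keep state  # hacl-cfg
pass in quick on lan0 proto udp from 192.168.10.0/24 to any port = 5302 keep state          # hacl-cfg
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 5303 flags S keep state  # hacl-probe
pass in quick on lan0 proto udp from 192.168.10.0/24 to any port = 5303 keep state          # hacl-probe
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 5304 flags S keep state  # hacl-local
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 5305 flags S keep state  # hacl-test
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 5408 flags S keep state  # hacl-dlm
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 5315 flags S keep state  # hacl-poll
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port = 1476 flags S keep state  # clvm-cfg

# Quorum server lives outside the cluster: the node connects to it, and
# keep state lets the replies back in.
pass out quick on lan0 proto tcp from any to 192.168.20.9 port = 1238 flags S keep state   # hacl-qs

# Dynamic ports used by some cluster services (change if the kernel tunable
# for the dynamic range was adjusted).
pass in quick on lan0 proto tcp from 192.168.10.0/24 to any port >= 49152 flags S keep state
pass in quick on lan0 proto udp from 192.168.10.0/24 to any port >= 49152 keep state

# Package IP rule from this section, narrowed to the telnet port; configure
# it on every node that can run the package so it survives failover.
pass in quick on lan0 proto tcp from any to 17.13.24.105 port = 23 flags S keep state

# Connections the node originates, with state kept for the replies.
pass out quick on lan0 proto tcp/udp from any to any keep state

# Everything else inbound is dropped and logged for ipmon(8) to record.
block in log quick on lan0 all
```

Load it with ipf -Fa -f /etc/opt/ipf/ipf.conf on each node and watch the ipmon log during a test failover: any blocked packet between cluster nodes or to the quorum server points at a port missing from the list.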
94 HP-UX IPFilter and Serviceguard