HP-UX IPFilter Version 15.01 Administrator's Guide

NOTE: This list of HA services is not exhaustive. In addition, Serviceguard also uses dynamic
ports (typically in the 49152–65535 range) for some cluster services. If you have adjusted the
dynamic port range using kernel tunable parameters, alter your rules accordingly.
This list does not include all HA applications (such as Continental Cluster). New HA applications
might be developed that use port numbers different from those previously listed. You must add
new rules as appropriate to ensure that all HA applications run properly. The current list of ports
used by Serviceguard is documented in the Serviceguard Release Notes.
Intra-Cluster Communication
To ensure proper operation of your Serviceguard cluster, each of the configured Serviceguard
heartbeat subnets must allow intra-cluster communication. The following rules must be applied
to each subnet.
For a simplified HP-UX IPFilter configuration, use the following rules:
pass in quick from cluster_nodes to any
pass out quick from any to cluster_nodes
For more restrictive HP-UX IPFilter configurations, use the following rules to allow only the
required cluster services to pass through:
# Inbound: cluster daemons on TCP/UDP 5300-5304 (the >< operator is exclusive
# on both ends), TCP 5408, the dynamic port range 49152-65535, and UDP port 9
pass in quick proto tcp from cluster_nodes to cluster_nodes port 5299 >< 5305 flags S keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 5300 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 5302 keep state
pass in quick proto tcp from cluster_nodes to cluster_nodes port = 5408 flags S keep state
pass in quick proto tcp from cluster_nodes to cluster_nodes port 49151 >< 65536 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port 49151 >< 65536 keep state
# Outbound: the same services in the other direction
pass out quick proto tcp from cluster_nodes to cluster_nodes port 5299 >< 5305 flags S keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = 5300 keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = 5302 keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port = 5408 flags S keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port 49151 >< 65536 keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port 49151 >< 65536 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 9 keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = 9 keep state
In the previous set of rules, cluster_nodes is the IP subnet address for all nodes in the cluster,
including the local node.
Running the cmscancl command requires that the “shell” port (TCP port 514, as listed in /etc/services) be open.
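The restrictive rule set above is easy to get wrong in two ways: the in and out rules drift apart when one is edited and the other is not, and the dynamic port range has to be re-expressed when the anonymous port tunables are changed, because ipf's "><" operator excludes both end points (the guide's "49151><65536" is exactly 49152 through 65535). The following script is an added example, not part of the HP-UX IPFilter guide or of Serviceguard: it generates the rule set from the cluster subnet and an inclusive dynamic port range, and checks that every inbound rule has an outbound counterpart. The subnet 192.0.2.0/24 and the port bounds are constructed values; on a real node the anonymous range comes from the ndd tunables tcp_smallest_anon_port and tcp_largest_anon_port (and their udp_ equivalents).

```shell
#!/bin/sh
# Added example (not from the HP-UX IPFilter guide): generate the restrictive
# Serviceguard intra-cluster rule set from the cluster subnet and the node's
# anonymous (dynamic) port range, so the rules and the tunables stay in sync.
#
# Assumptions (constructed values, replace with your own):
#   the cluster subnet passed as $1 becomes "cluster_nodes" in the rules;
#   the inclusive dynamic port range is passed as $2 and $3 rather than read
#   with "ndd -get /dev/tcp tcp_smallest_anon_port" so the script runs offline.

# ipf's "port A >< B" matches ports strictly greater than A and strictly less
# than B. To cover an inclusive range LOW..HIGH write (LOW-1) >< (HIGH+1).
range_expr() {
    low=$1; high=$2
    if [ "$low" -lt 1 ] || [ "$high" -gt 65535 ] || [ "$low" -gt "$high" ]; then
        echo "range_expr: bad port range $low..$high" >&2
        return 1
    fi
    echo "$((low - 1))><$((high + 1))"
}

# Emit the in/out pair for one (proto, port spec, extra flags) so the two
# directions cannot drift apart.
pair() {
    proto=$1; spec=$2; flags=$3
    for dir in in out; do
        echo "pass $dir quick proto $proto from $CLUSTER_NODES to $CLUSTER_NODES port $spec$flags keep state"
    done
}

# sg_rules CLUSTER_SUBNET DYN_LOW DYN_HIGH  -> prints the rule set on stdout
sg_rules() {
    CLUSTER_NODES=$1
    dyn=$(range_expr "$2" "$3") || return 1
    pair tcp "5299 >< 5305" " flags S"     # cluster daemons, TCP 5300-5304
    pair udp "= 5300" ""                    # heartbeat
    pair udp "= 5302" ""                    # configuration
    pair tcp "= 5408" " flags S"
    pair tcp "$dyn" ""                      # dynamic ports, TCP
    pair udp "$dyn" ""                      # dynamic ports, UDP
    pair udp "= 9" ""
}

# check_symmetry reads a rule set on stdin and succeeds only when the number
# of "pass in" rules equals the number of "pass out" rules.
check_symmetry() {
    n_in=0; n_out=0
    while IFS= read -r line; do
        case $line in
            "pass in "*)  n_in=$((n_in + 1)) ;;
            "pass out "*) n_out=$((n_out + 1)) ;;
        esac
    done
    [ "$n_in" -eq "$n_out" ]
}

# Usage with constructed values: a /24 cluster subnet and the default
# HP-UX anonymous port range 49152-65535.
sg_rules 192.0.2.0/24 49152 65535
sg_rules 192.0.2.0/24 49152 65535 | check_symmetry || echo "asymmetric rule set" >&2
```

Redirect the output into the IPFilter configuration file that is loaded with ipf -f, and re-run the script whenever the anonymous port tunables change; check_symmetry is also useful against a hand-maintained rule file that has been edited over time.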
Quorum Server
If your Serviceguard configuration uses a Quorum Server, each node in the cluster must have
the following rule configured:
pass out quick proto tcp from cluster_nodes to quorum_server port = 1238 flags S keep state
Any node providing Quorum Service for another cluster must have the following rule configured:
pass in quick proto tcp from cluster_nodes to quorum_server port = 1238 flags S keep state
In the previous set of rules, cluster_nodes is the IP subnet address for all nodes in the
cluster utilizing the Quorum Service and quorum_server is the IP address used to access the
Serviceguard Quorum Service software.
Remote Command Execution
If you want nodes outside the cluster to execute Serviceguard commands, as specified in the
/etc/cmcluster/cmclnodelist file, additional rules are required.
Each node in the cluster must have the following rules configured:
Using HP-UX IPFilter with Serviceguard 117