HP-UX IPFilter Version 15.01 Administrator's Guide

pass in quick proto tcp from remote_nodes to cluster_nodes port = 5302 flags S keep state
pass in quick proto udp from remote_nodes to cluster_nodes port = 5302 keep state
pass out quick proto tcp from cluster_nodes to remote_node port 49151 >< 65536 keep state
pass out quick proto udp from cluster_nodes to remote_node port 49151 >< 65536 keep state
Each remote node must have the following rules configured:
pass in quick proto tcp from cluster_nodes to remote_node port 49151 >< 65536 keep state
pass in quick proto udp from cluster_nodes to remote_node port 49151 >< 65536 keep state
pass out quick proto tcp from remote_nodes to cluster_nodes port = 5302 flags S keep state
pass out quick proto udp from remote_nodes to cluster_nodes port = 5302 keep state
In the previous set of rules, cluster_nodes is an IP subnet address for all nodes in the cluster,
remote_node is the address of a remote node, and remote_nodes are all other nodes outside
the cluster that are designated in the cmclnodelist file for remote command access.
Running the cmscancl command requires that the “shell” port be open.
Cluster Object Manager
If you are using a Cluster Object Manager (COM) on a node outside of the cluster to provide
connections to Serviceguard Manager clients, each node in the cluster must have the following
rules configured:
pass in quick proto tcp from com_node to cluster_nodes port = 5302 flags S keep state
pass in quick proto udp from com_node to cluster_nodes port = 5302 keep state
pass out quick proto tcp from cluster_nodes to com_node port 49151 >< 65536 keep state
pass out quick proto udp from cluster_nodes to com_node port 49151 >< 65536 keep state
The node running COM must have the following rules configured:
pass in quick proto tcp from com_client to com_node port = 5303 flags S keep state
pass in quick proto tcp from cluster_nodes to com_node port 49151 >< 65536 keep state
pass in quick proto udp from cluster_nodes to com_node port 49151 >< 65536 keep state
pass out quick proto tcp from com_node to cluster_nodes port = 5302 flags S keep state
pass out quick proto udp from com_node to cluster_nodes port = 5302 keep state
Each COM client must have the following rules configured:
pass out quick proto tcp from com_client to com_node port = 5303 flags S keep state
In the previous set of rules, cluster_nodes are all nodes in the cluster, com_client are nodes
that are clients of COM for Serviceguard Manager or Continental Clusters products, and
com_node is the node running the COM.
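The rule sets in this section come in pairs: every pass out on one host needs a matching pass in on its peer, or the flow is blocked at the far end. The following check is an added example, not part of the HP guide; it parses the Cluster Object Manager rules above and reports any flow permitted on only one end. The function names and the dictionary layout are assumptions made for the illustration.

```python
import re

# Added example, not from the HP guide. Rule text is copied from the Cluster
# Object Manager section, keyed by the placeholder naming the host it loads on.
COM_RULESETS = {
    "cluster_nodes": """
pass in quick proto tcp from com_node to cluster_nodes port = 5302 flags S keep state
pass in quick proto udp from com_node to cluster_nodes port = 5302 keep state
pass out quick proto tcp from cluster_nodes to com_node port 49151 >< 65536 keep state
pass out quick proto udp from cluster_nodes to com_node port 49151 >< 65536 keep state
""",
    "com_node": """
pass in quick proto tcp from com_client to com_node port = 5303 flags S keep state
pass in quick proto tcp from cluster_nodes to com_node port 49151 >< 65536 keep state
pass in quick proto udp from cluster_nodes to com_node port 49151 >< 65536 keep state
pass out quick proto tcp from com_node to cluster_nodes port = 5302 flags S keep state
pass out quick proto udp from com_node to cluster_nodes port = 5302 keep state
""",
    "com_client": """
pass out quick proto tcp from com_client to com_node port = 5303 flags S keep state
""",
}

RULE = re.compile(r"pass (in|out) quick proto (tcp|udp) from (\S+) to (\S+) "
                  r"port\s*(.+?)\s*(?:flags \S+ )?keep state$")

def flows(rulesets):
    """Return (outbound, inbound, misplaced); a flow is (proto, src, dst, port)."""
    out, inn, misplaced = set(), set(), []
    for host, text in rulesets.items():
        for line in filter(None, map(str.strip, text.splitlines())):
            m = RULE.match(line)
            if not m:
                raise ValueError(f"unparsed rule on {host}: {line}")
            direction, proto, src, dst, port = m.groups()
            flow = (proto, src, dst, port.replace(" ", ""))  # ignore spacing around ><
            local = src if direction == "out" else dst
            if local != host:  # rule loaded on a host it does not describe
                misplaced.append((host, line))
            (out if direction == "out" else inn).add(flow)
    return out, inn, misplaced

def unmatched(rulesets):
    """Flows passed on only one end of the connection."""
    out, inn, _ = flows(rulesets)
    return {"no_pass_in": out - inn, "no_pass_out": inn - out}

if __name__ == "__main__":
    print(unmatched(COM_RULESETS))
```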
Serviceguard Manager
If you are using the station-management version of Serviceguard Manager, you must configure
rules to let SNMP traffic pass between all nodes in the cluster and the Serviceguard Manager
node.
Each cluster node must have the following rules configured:
pass in quick proto udp from SGMgr_node to cluster_nodes port = 161 keep state
pass out quick proto udp from cluster_nodes to SGMgr_node port = 162 keep state
Each Serviceguard Manager node must have the following rules configured:
pass out quick proto udp from SGMgr_node to cluster_nodes port = 161 keep state
pass in quick proto udp from cluster_nodes to SGMgr_node port = 162 keep state
In the previous set of rules, cluster_nodes are all nodes in the cluster, including the local
node, and SGMgr_node is the node or nodes running Serviceguard Manager.