HP-UX IPFilter Version 16 Administrator's Guide
Remote Failover
HP-UX IPFilter is a system firewall and should therefore be installed on the end systems it protects.
Its state table is local to each node, so the backup node has no record of the sessions the failed
node was tracking: connections to an IPFilter system that are open during a remote failover are lost
and must be reinitiated.
Install and configure HP-UX IPFilter on each node of a Serviceguard cluster that must be protected.
The IPFilter configuration for the primary node might be different from the configuration for
the backup nodes.
For example, the backup node might be multihomed and require a different ruleset. Also, rules
could be configured to filter on the static IP address of the receiving node that would be different
for each node in the cluster. Rules that filter on interface names will also be different on different
nodes in a cluster.
Filtering on a Package IP Address
HP-UX IPFilter can filter on a package IP address. The package IP address is an IP address that
corresponds to a logical network interface.
For example, a telnet connection is made to the primary cluster node through a package IP address
of 17.13.24.105, and you want IPFilter to admit telnet traffic to that package and nothing else.
Configure the following rule for incoming telnet connections made to the telnet package:
pass in proto tcp from any to 17.13.24.105 port = 23 flags S keep state
The flags S keep state clause admits only the initial SYN and then tracks the connection. Without
the port = 23 clause the rule would pass every TCP connection to the package address, not just telnet.
You can replace 17.13.24.105 with the package name in this rule if the package has been configured
properly and has a DNS entry. IPFilter resolves names only when the ruleset is loaded, so the name
must be resolvable at load time, and a later DNS change is not picked up until the rules are reloaded.
Configure this rule on the backup nodes as well. This ensures that when the telnet package
fails to a backup, there is a rule on the backup that lets telnet connections pass through as
required.
This type of configuration can be used with any package.
Mandatory Rules
Each node in a Serviceguard cluster has specific rules that must be configured. These rules ensure
that:
• Normal remote failovers are not disrupted.
• No false remote failovers occur because traffic is blocked by IPFilter that should not be
blocked.
The classes of mandatory rules cover:
• Intra-Cluster Communication
• Quorum Server
• Remote Command Execution
• Cluster Object Manager
• Serviceguard Manager
Do not block traffic for the following ports (shown here in /etc/services format):
hacl-qs     1238/tcp   # High Availability (HA) Quorum Server
clvm-cfg    1476/tcp   # HA LVM configuration
hacl-hb     5300/tcp   # High Availability (HA) Cluster heartbeat
hacl-hb     5300/udp   # High Availability (HA) Cluster heartbeat
hacl-gs     5301/tcp   # HA Cluster General Services
hacl-cfg    5302/tcp   # HA Cluster TCP configuration
hacl-cfg    5302/udp   # HA Cluster UDP configuration
hacl-probe  5303/tcp   # HA Cluster TCP probe
hacl-probe  5303/udp   # HA Cluster UDP probe
hacl-local  5304/tcp   # HA Cluster commands
hacl-test   5305/tcp   # HA Cluster test
hacl-dlm    5408/tcp   # HA Cluster distributed lock manager
hacl-poll   5315/tcp   # HA Cluster TCP polling cmappserver for hpvm
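The following is an added example, not from the HP guide, that combines the package rule from "Filtering on a Package IP Address" with the mandatory Serviceguard rules above into one /etc/opt/ipf/ipf.conf for the first node of a two-node cluster. The addresses are assumed: node1 is 192.0.2.11 (the node this file is loaded on), node2 is 192.0.2.12, the quorum server is 192.0.2.20, and the cluster LAN is lan0; 17.13.24.105 is the telnet package address from the example in this chapter. The backup node uses the same file with the two node addresses swapped, which is the per-node difference the chapter warns about.

```conf
# Added example: /etc/opt/ipf/ipf.conf for node1 of a two-node Serviceguard
# cluster.  Assumed addresses (not from the guide): node1 192.0.2.11 (this
# node), node2 192.0.2.12, quorum server 192.0.2.20, cluster LAN on lan0.
# 17.13.24.105 is the telnet package IP from the example in this chapter.
#
# Every pass rule carries "quick", so the first match wins and the two
# catch-all blocks below apply to anything not explicitly passed.
block in  log all
block out log all

# Loopback is never filtered.
pass in  quick on lo0 all
pass out quick on lo0 all

# ---- Mandatory Serviceguard rules: identical on every node ------------------
# TCP intra-cluster services hacl-hb/gs/cfg/probe/local/test (5300-5305).
# "><" is an exclusive range in IPFilter, so 5299 >< 5306 matches 5300-5305.
pass in  quick on lan0 proto tcp from 192.0.2.12 to 192.0.2.11 port 5299 >< 5306 flags S keep state
pass out quick on lan0 proto tcp from 192.0.2.11 to 192.0.2.12 port 5299 >< 5306 flags S keep state
# hacl-poll (5315), hacl-dlm (5408) and clvm-cfg (1476), also TCP.
pass in  quick on lan0 proto tcp from 192.0.2.12 to 192.0.2.11 port = 5315 flags S keep state
pass out quick on lan0 proto tcp from 192.0.2.11 to 192.0.2.12 port = 5315 flags S keep state
pass in  quick on lan0 proto tcp from 192.0.2.12 to 192.0.2.11 port = 5408 flags S keep state
pass out quick on lan0 proto tcp from 192.0.2.11 to 192.0.2.12 port = 5408 flags S keep state
pass in  quick on lan0 proto tcp from 192.0.2.12 to 192.0.2.11 port = 1476 flags S keep state
pass out quick on lan0 proto tcp from 192.0.2.11 to 192.0.2.12 port = 1476 flags S keep state
# Heartbeat (5300), configuration (5302) and probe (5303) also run over UDP.
# "keep state" on both directions lets either node initiate; the state entry
# then admits the reply whatever source port the peer used.
pass in  quick on lan0 proto udp from 192.0.2.12 to 192.0.2.11 port = 5300 keep state
pass out quick on lan0 proto udp from 192.0.2.11 to 192.0.2.12 port = 5300 keep state
pass in  quick on lan0 proto udp from 192.0.2.12 to 192.0.2.11 port = 5302 keep state
pass out quick on lan0 proto udp from 192.0.2.11 to 192.0.2.12 port = 5302 keep state
pass in  quick on lan0 proto udp from 192.0.2.12 to 192.0.2.11 port = 5303 keep state
pass out quick on lan0 proto udp from 192.0.2.11 to 192.0.2.12 port = 5303 keep state
# Quorum server: each node connects out to hacl-qs on the quorum host.
pass out quick proto tcp from 192.0.2.11 to 192.0.2.20 port = 1238 flags S keep state

# ---- Package rule: same on primary and backup so it is present after failover
# Only the SYN of a new telnet session to the package address is admitted; the
# state entry then carries the session.  State is per node, so sessions open
# at the moment of failover are dropped by the backup and must be reinitiated.
pass in  quick proto tcp from any to 17.13.24.105 port = 23 flags S keep state
```

Load the file with ipf -Fa -f /etc/opt/ipf/ipf.conf and confirm the active rules with ipfstat -io. Then run cmviewcl on both nodes and watch the block log from ipmon for any hacl-* traffic that is being dropped, since a blocked heartbeat or configuration exchange is exactly the false remote failover the mandatory rules exist to prevent.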
112 HP-UX IPFilter and Serviceguard