HP-UX IPFilter Version 16 Administrator's Guide

# Allow hacl-poll for HA Cluster TCP polling (cmappserver for hpvm or APPSERV)
pass in quick proto tcp from cluster_nodes to cluster_nodes port = 5315 flags S keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port = 5315 flags S keep state
To enable users on cluster nodes to run the cmscancl command, you must configure rules to
allow remote shell packets (TCP port 514).
Rules for External Access
The following subsections describe rules to allow packets for external clients and servers used
in a Serviceguard environment. These sections provide guidelines only. You might need to
modify them to work with your network configuration and the applications you use. Specific
applications used within the Serviceguard cluster might require additional ports to be opened.
WBEM Access
Configure the following rules on each cluster node to allow non-secure WBEM client access:
#wbem-http for using Cluster WBEM Agent Daemon (cmwbemd)
pass in quick proto tcp from wbem_clients to cluster_nodes port = 5988 flags S keep state
pass out quick proto tcp from cluster_nodes port = 5988 to wbem_clients flags S keep state
Configure the following rules to allow secure WBEM client access:
#wbem-https if using Cluster WBEM Agent Daemon (cmwbemd)
pass in quick proto tcp from wbem_clients to cluster_nodes port = 5989 flags S keep state
pass out quick proto tcp from cluster_nodes port = 5989 to wbem_clients flags S keep state
In the previous rule sets, cluster_nodes is an IP subnet address for all nodes in the cluster
that allow WBEM access, and wbem_clients is an IP subnet address for the WBEM clients.
Quorum Server
If your Serviceguard configuration uses a Quorum Server, each node in the cluster must have
the following rule configured:
pass out quick proto tcp from cluster_nodes to quorum_server port = 1238 flags S keep state
Any node providing Quorum Service for another cluster must have the following rule configured:
pass in quick proto tcp from cluster_nodes to quorum_server port = 1238 flags S keep state
In the previous set of rules, cluster_nodes is the IP subnet address for all nodes in the
cluster that use the Quorum Service, and quorum_server is the IP address used to access the
Serviceguard Quorum Service software.
Remote Command Execution
If you want nodes outside the cluster to execute Serviceguard commands, as specified in the
/etc/cmcluster/cmclnodelist file, additional rules are required.
Each node in the cluster must have the following rules configured:
pass in quick proto tcp from remote_nodes to cluster_nodes port = 5302 flags S keep state
pass in quick proto udp from remote_nodes to cluster_nodes port = 5302 keep state
pass out quick proto tcp from cluster_nodes to remote_nodes port 49151 >< 65536 keep state
pass out quick proto udp from cluster_nodes to remote_nodes port 49151 >< 65536 keep state
Each remote node must have the following rules configured:
pass in quick proto tcp from cluster_nodes to remote_nodes port 49151 >< 65536 keep state
pass in quick proto udp from cluster_nodes to remote_nodes port 49151 >< 65536 keep state
pass out quick proto tcp from remote_nodes to cluster_nodes port = 5302 flags S keep state
pass out quick proto udp from remote_nodes to cluster_nodes port = 5302 keep state
In the previous set of rules, cluster_nodes is the IP subnet address for all nodes in the
cluster, and remote_nodes are all other nodes outside the cluster that are designated in the
cmclnodelist file for remote command access.
To enable users on remote nodes to run the cmscancl command, you must also configure rules
to allow remote shell packets (TCP port 514).
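The following Python is an added illustration, not part of this guide or of HP-UX IPFilter itself. It parses rules written in the form used throughout this chapter (pass in/out quick ... keep state, with port = N or the exclusive port A >< B range) and evaluates a packet against them, which shows why the flags S rules only pass the opening SYN of a connection and leave every later segment to the state entry that SYN creates. The subnet values substituted for cluster_nodes, wbem_clients, quorum_server and remote_nodes are constructed placeholders, and the sample rules are the WBEM, Quorum Server and remote command rules from the sections above.

```python
import ipaddress
import re
# Constructed stand-ins for the guide's placeholders (hypothetical addresses, not HP's).
SUBNETS = {name: ipaddress.ip_network(net) for name, net in {
    "cluster_nodes": "192.0.2.0/24", "wbem_clients": "198.51.100.0/24",
    "quorum_server": "203.0.113.10/32", "remote_nodes": "198.51.100.0/24"}.items()}

RULE_RE = re.compile(
    r"^pass (?P<dir>in|out) quick proto (?P<proto>tcp|udp) from (?P<src>\w+)"
    r"(?: port = (?P<sport>\d+))? to (?P<dst>\w+)"
    r"(?: port (?:= (?P<dport>\d+)|(?P<lo>\d+) ?>< ?(?P<hi>\d+)))?"
    r"(?P<syn> flags? S)? keep state$")

def parse_rule(line):
    """Parse one 'pass ... quick ... keep state' rule of the form used in this chapter."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    g = m.groupdict()
    if g["dport"]:
        dports = (int(g["dport"]), int(g["dport"]))
    elif g["lo"]:  # ipf's 'port A >< B' matches A < port < B, both ends excluded
        dports = (int(g["lo"]) + 1, int(g["hi"]) - 1)
    else:
        dports = None
    return {"dir": g["dir"], "proto": g["proto"], "src": SUBNETS[g["src"]],
            "dst": SUBNETS[g["dst"]], "sport": int(g["sport"]) if g["sport"] else None,
            "dports": dports, "syn_only": g["syn"] is not None}

def first_match(rules, direction, proto, src_ip, dst_ip, sport, dport, bare_syn):
    """Index of the first rule passing this packet, or None (only a state entry could pass it)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if (r["dir"], r["proto"]) != (direction, proto) or src not in r["src"] or dst not in r["dst"]:
            continue
        if (r["sport"] is not None and sport != r["sport"]) or (
                r["dports"] and not r["dports"][0] <= dport <= r["dports"][1]):
            continue
        if r["syn_only"] and not bare_syn:
            continue  # 'flags S' matches only the bare SYN that opens the connection
        return i
    return None

RULES = [parse_rule(l) for l in (
    "pass in quick proto tcp from wbem_clients to cluster_nodes port = 5988 flags S keep state",
    "pass out quick proto tcp from cluster_nodes port = 5988 to wbem_clients flags S keep state",
    "pass out quick proto tcp from cluster_nodes to quorum_server port = 1238 flags S keep state",
    "pass out quick proto tcp from cluster_nodes to remote_nodes port 49151 >< 65536 keep state",
)]
```

A non-SYN segment of an established WBEM session returns None here because no rule matches it directly; on the real system it passes only through the state table populated by keep state, which is why removing keep state from these rules would break the sessions they are meant to allow.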
114 HP-UX IPFilter and Serviceguard