HP-UX IPFilter Version 17 Administrator's Guide
hacl-local 5304/tcp # HA Cluster commands
hacl-test 5305/tcp # HA Cluster test
hacl-dlm 5408/tcp # HA Cluster distributed lock manager
hacl-poll 5315/tcp # HA Cluster TCP polling cmappserver for hpvm
NOTE: This list of HA services is not exhaustive. In addition, Serviceguard also uses dynamic
ports (typically in the 49152–65535 range) for some cluster services. If you have adjusted the
dynamic port range using kernel tunable parameters, alter your rules accordingly.
This list does not include all HA applications (such as Continental Cluster). New HA applications
might be developed that use port numbers in addition to the listed numbers. You must add new
rules as appropriate to ensure that all HA applications run properly. The current list of ports
used by Serviceguard is documented in the Serviceguard Release Notes.
15.1.3.2.1 Rules for Intra-Cluster Communication
To ensure proper operation of your Serviceguard cluster, you must configure IPFilter rules for
each configured Serviceguard heartbeat subnet to allow intra-cluster communication. There are
two methods to do this:
• Configure rules that allow all intra-cluster packets
• Configure rules that allow intra-cluster packets with specific protocols and ports
15.1.3.2.1.1 Configuring Rules to Allow All Intra-Cluster Packets
For a simplified HP-UX IPFilter configuration, add the following rules to allow all intra-cluster
packets:
pass in quick from cluster_nodes to cluster_nodes
pass out quick from cluster_nodes to cluster_nodes
15.1.3.2.1.2 Configuring Rules to Allow Specific Intra-Cluster Packets
For more restrictive HP-UX IPFilter configurations, use the following rules to allow only packets
for the required cluster services to pass through. The cluster_nodes address in these rules is
the IP subnet address for all nodes in the cluster, including the local node.
pass in quick proto tcp from cluster_nodes to cluster_nodes port 5299 >< 5305 flags S keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 5300 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 5302 keep state
pass in quick proto tcp from cluster_nodes to cluster_nodes port = 5408 flags S keep state
pass in quick proto tcp from cluster_nodes to cluster_nodes port 49151 >< 65536 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port 49151 >< 65536 keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port 5299 >< 5305 flags S keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = 5300 keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = 5302 keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port = 5408 flags S keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port 49151 >< 65536 keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port 49151 >< 65536 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 9 keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = 9 keep state
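The rule set above must be repeated for each heartbeat subnet and adjusted if the dynamic port range has been changed. The following generator is an added example, not part of the HP guide: it emits the same rules (grouped by direction) for one subnet and converts an inclusive dynamic port range into the exclusive bounds the >< operator expects. The function name gen_cluster_rules and the sample subnet 192.0.2.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not from the HP guide. Ports and rule text follow the guide's
# restrictive rule set; function name and sample subnet are assumptions.

# gen_cluster_rules SUBNET [DYN_LOW DYN_HIGH]
#   SUBNET    heartbeat subnet as address/prefix (stands in for cluster_nodes)
#   DYN_LOW   first dynamic port, inclusive (default 49152)
#   DYN_HIGH  last dynamic port, inclusive (default 65535)
gen_cluster_rules() {
    subnet=$1
    low=${2:-49152}
    high=${3:-65535}

    # Accept only digits, dots and a single slash, so a leftover placeholder
    # such as "cluster_nodes" never reaches the rule file.
    case $subnet in
        *[!0-9./]* | */*/*) subnet= ;;
        ?*/?*) ;;
        *) subnet= ;;
    esac
    # Non-numeric port arguments are forced to fail the range check below.
    case $low$high in *[!0-9]*) low=0 ;; esac
    if [ -z "$subnet" ] || [ "$low" -lt 1 ] || [ "$high" -gt 65535 ] ||
       [ "$low" -gt "$high" ]; then
        echo "usage: gen_cluster_rules ADDR/PREFIX [DYN_LOW DYN_HIGH]" >&2
        return 1
    fi

    # ipf's "a >< b" matches a < port < b, so an inclusive range low..high
    # is written with bounds low-1 and high+1 (49152..65535 -> 49151 >< 65536).
    lo_x=$((low - 1))
    hi_x=$((high + 1))

    for dir in in out; do
        pfx="pass $dir quick proto"
        net="from $subnet to $subnet"
        echo "$pfx tcp $net port 5299 >< 5305 flags S keep state"
        echo "$pfx udp $net port = 5300 keep state"
        echo "$pfx udp $net port = 5302 keep state"
        echo "$pfx tcp $net port = 5408 flags S keep state"
        echo "$pfx tcp $net port $lo_x >< $hi_x keep state"
        echo "$pfx udp $net port $lo_x >< $hi_x keep state"
        echo "$pfx udp $net port = 9 keep state"
    done
}

# Constructed sample: documentation subnet, default dynamic range.
gen_cluster_rules 192.0.2.0/24
```

Because >< is exclusive, the guide's 5299 >< 5305 rule matches TCP ports 5300 through 5304 only.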
If you are using the Cluster SNMP Agent Daemon (cmsnmpd), configure the following rules:
# Allow cmsnmpd to send and receive traps between cluster nodes
pass out quick proto udp from cluster_nodes to cluster_nodes port = snmp-trap keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = snmp-trap keep state
# Allow cmsnmpd to send and receive snmpGet, snmpSet between cluster nodes
pass in quick proto udp from cluster_nodes to cluster_nodes port = snmp keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = snmp keep state
If you are using package IP monitoring, configure the following rules:
15.1 Using HP-UX IPFilter with Serviceguard 123