HP-UX IPFilter Version 17 Administrator's Guide
In the previous set of rules, cluster_nodes is the IP subnet address for all nodes in the cluster,
and remote_nodes are all other nodes outside the cluster that are designated in the
cmclnodelist file for remote command access.
To enable users on remote nodes to run the cmscancl command, you must also configure rules
to allow remote shell packets (TCP port 514).
15.1.3.3.4 Cluster Object Manager
If you are using a Cluster Object Manager (COM) on a node outside of the cluster to provide
connections to Serviceguard Manager clients, each node in the cluster must have the following
rules configured:
pass in quick proto tcp from com_node to cluster_nodes port = 5302 flags S keep state
pass in quick proto udp from com_node to cluster_nodes port = 5302 keep state
pass out quick proto tcp from cluster_nodes to com_node port 49151 >< 65536 keep state
pass out quick proto udp from cluster_nodes to com_node port 49151 >< 65536 keep state
The node running COM must have the following rules configured:
pass in quick proto tcp from com_client to com_node port = 5302 flags S keep state
pass in quick proto tcp from cluster_nodes to com_node port 49151 >< 65536 keep state
pass in quick proto udp from cluster_nodes to com_node port 49151 >< 65536 keep state
pass out quick proto tcp from com_node to cluster_nodes port = 5302 flags S keep state
pass out quick proto udp from com_node to cluster_nodes port = 5302 keep state
Each COM client must have the following rules configured:
pass out quick proto tcp from com_client to com_node port = 5303 flags S keep state
In the previous set of rules, cluster_nodes is the subnet address for all nodes in the cluster,
com_client are nodes that are clients of COM for Serviceguard Manager or Continental Clusters
products, and com_node is the node running the COM.
15.1.3.3.5 Serviceguard Manager Plug-in
If you are using the plug-in version of the Serviceguard Manager (supported with Serviceguard
versions A.11.18 and later), you must configure rules to allow packets between the Serviceguard
nodes and the System Management Homepage (SMH) Management Station.
Configure the following rules on each cluster node:
pass in quick proto tcp from smh_mgmt to cluster_nodes port = 2381 keep state
pass in quick proto udp from smh_mgmt to cluster_nodes port = 2381 keep state
pass in quick proto tcp from smh_mgmt to cluster_nodes port = 2301 keep state
pass in quick proto udp from smh_mgmt to cluster_nodes port = 2301 keep state
In the previous set of rules, cluster_nodes is the subnet address for all nodes in the cluster
and smh_mgmt is the address of the SMH Management Station.
15.1.3.3.6 Serviceguard Manager Standalone
If you are using the standalone version of Serviceguard Manager (supported with Serviceguard
versions A.11.14 - A.11.17), you must configure rules to allow all nodes in the cluster to exchange
SNMP packets with the Serviceguard Manager node.
Configure the following rules on each cluster node:
pass in quick proto udp from SGMgr_node to cluster_nodes port = 161 keep state
pass out quick proto udp from cluster_nodes to SGMgr_node port = 162 keep state
Each Serviceguard Manager node must have the following rules configured:
pass out quick proto udp from SGMgr_node to cluster_nodes port = 161 keep state
pass in quick proto udp from cluster_nodes to SGMgr_node port = 162 keep state
In the previous set of rules, cluster_nodes is the subnet address for all nodes in the cluster,
and SGMgr_node is the address of the node or nodes running Serviceguard Manager.
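The Serviceguard Manager standalone rules above are mirrored: each pass out on one host has a matching pass in on its peer. The following Python check is an added example, not part of the HP guide; it parses only the rule forms shown in this section and reports flows that one side permits but the peer does not. The function names are hypothetical, the dictionary keys are assumed to match the placeholder names used in the rules, and the faulty rule set is constructed.

```python
import re

# Only the rule forms used in this guide section are recognised:
# pass in|out quick proto tcp|udp from SRC to DST port SPEC [flags F] [keep state]
RULE = re.compile(
    r"^pass\s+(in|out)\s+quick\s+proto\s+(tcp|udp)\s+from\s+(\S+)\s+to\s+(\S+)"
    r"\s+port\s+(.+?)(?:\s+flags\s+\S+)?(?:\s+keep\s+state)?\s*$")

def parse(text):
    """Return the set of (direction, proto, src, dst, portspec) in a rule file."""
    rules = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported rule form: {line!r}")
        direction, proto, src, dst, port = m.groups()
        rules.add((direction, proto, src, dst, " ".join(port.split())))
    return rules

def unmatched(rulesets):
    """rulesets maps a placeholder name (e.g. 'cluster_nodes') to the rule text
    loaded on hosts of that role. Returns (role, rule) pairs the role lacks."""
    parsed = {role: parse(text) for role, text in rulesets.items()}
    missing = []
    for role, rules in parsed.items():
        for direction, proto, src, dst, port in sorted(rules):
            peer = dst if direction == "out" else src
            mirror = "in" if direction == "out" else "out"
            want = (mirror, proto, src, dst, port)
            # Roles whose rules were not supplied cannot be checked; skip them.
            if peer != role and peer in parsed and want not in parsed[peer]:
                missing.append((peer, want))
    return missing

# Rules as listed in the guide for Serviceguard Manager standalone.
CLUSTER = """
pass in quick proto udp from SGMgr_node to cluster_nodes port = 161 keep state
pass out quick proto udp from cluster_nodes to SGMgr_node port = 162 keep state
"""
SGMGR = """
pass out quick proto udp from SGMgr_node to cluster_nodes port = 161 keep state
pass in quick proto udp from cluster_nodes to SGMgr_node port = 162 keep state
"""
# Constructed faulty variant: the manager node lacks its inbound port 162 rule.
SGMGR_BROKEN = SGMGR.splitlines()[1]

if __name__ == "__main__":
    print(unmatched({"cluster_nodes": CLUSTER, "SGMgr_node": SGMGR}))
    print(unmatched({"cluster_nodes": CLUSTER, "SGMgr_node": SGMGR_BROKEN}))
```

Port specifications are compared as text, so a range such as 49151 >< 65536 matches only an identical range on the peer, and the flags and keep state options are ignored when pairing.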
15.1 Using HP-UX IPFilter with Serviceguard 125