From Jon Tricker <jtric...@temenos.com>
Subject Questions on setting up firewall for multicast cluster discovery.
Date Fri, 29 Jun 2018 10:40:27 GMT
I am trying to set up a couple of 2.5.0 nodes on CentOS boxes. I have opened the recommended
ports:

firewall-cmd --add-port=47500-47502/tcp
firewall-cmd --add-port=47100-47200/tcp
firewall-cmd --add-port=47400/udp

I see an initial UDP packet, to the Ignite multicast group address, received correctly on
destination port 47400. However, the remote node (x.y.2.84 in the following trace) then sends
a second UDP packet from 47400 to a random port on the local machine (x.y.2.99), giving the
following firewall trace and failure to join the cluster.

Jun 29 11:00:21 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=543 TOS=0x00 PREC=0x00 TTL=64 ID=30905 DF PROTO=UDP SPT=47400 DPT=35072 LEN=523
Jun 29 11:01:22 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=543 TOS=0x00 PREC=0x00 TTL=64 ID=65234 DF PROTO=UDP SPT=47400 DPT=47668 LEN=523
Jun 29 11:01:22 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=543 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47400 DPT=40812 LEN=523

Obviously I don't know the address of the remote machine, or the incoming port number, in
advance. The only option seems to be opening the entire random port range to UDP traffic:

firewall-cmd --add-port=1024-65535/udp

This works and the cluster is joined. However, even if this could also be limited to source
port 47400, it is dangerous. Remote malware could use that port to access other services.

Is there a better way to do this?


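The trace above shows the pattern a firewall administrator has to recognise before choosing a rule: every rejected packet is UDP, comes from one peer, and always carries source port 47400 while the destination port varies. The following shell script is an added example, not code from the post or from the Ignite project. It parses kernel FINAL_REJECT lines (a constructed sample modelled on the trace, plus one unrelated TCP reject to show the filter), counts the discovery replies that were dropped, lists the peer addresses they came from, and builds the firewalld rich rule that the poster hints at: accepting UDP only when it arrives from source port 47400 of an identified peer, instead of opening 1024-65535/udp to everyone. It assumes a firewalld version whose rich rules support the `source-port` element.

```shell
#!/bin/sh
# Constructed sample log: three FINAL_REJECT lines in the shape of the post's trace,
# followed by an unrelated TCP reject that must not be counted as a discovery reply.
SAMPLE_LOG='Jun 29 11:00:21 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=543 TOS=0x00 PREC=0x00 TTL=64 ID=30905 DF PROTO=UDP SPT=47400 DPT=35072 LEN=523
Jun 29 11:01:22 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=543 TOS=0x00 PREC=0x00 TTL=64 ID=65234 DF PROTO=UDP SPT=47400 DPT=47668 LEN=523
Jun 29 11:01:22 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=543 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47400 DPT=40812 LEN=523
Jun 29 11:02:05 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.50 DST=x.y.2.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 LEN=40'

# rejected_udp_from_port LOGTEXT PORT
# Print "SRC DPT" for every FINAL_REJECT line that is UDP and has source port PORT.
# The kernel log format is "KEY=VALUE" tokens, so each field is split on the first "=".
rejected_udp_from_port() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /FINAL_REJECT:/ {
      src = ""; spt = ""; dpt = ""; proto = "";
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=");
        if (n < 2) continue;               # tokens such as "DF" carry no value
        if (kv[1] == "SRC") src = kv[2];
        else if (kv[1] == "SPT") spt = kv[2];
        else if (kv[1] == "DPT") dpt = kv[2];
        else if (kv[1] == "PROTO") proto = kv[2];
      }
      if (proto == "UDP" && spt == port) print src, dpt;
    }'
}

# count_discovery_rejects LOGTEXT
# Number of dropped packets that look like Ignite multicast discovery replies (UDP from 47400).
count_discovery_rejects() {
  rejected_udp_from_port "$1" 47400 | wc -l | tr -d ' '
}

# discovery_peers LOGTEXT
# Unique peer addresses whose discovery replies were dropped, one per line.
discovery_peers() {
  rejected_udp_from_port "$1" 47400 | awk '{ print $1 }' | sort -u
}

# narrowed_rule PEER
# firewalld rich rule text accepting UDP from PEER only when the source port is 47400.
# Assumes the installed firewalld supports the rich-rule "source-port" element.
# Apply with:  firewall-cmd --add-rich-rule="$(narrowed_rule x.y.2.84)"
narrowed_rule() {
  printf 'rule family="ipv4" source address="%s" source-port port="47400" protocol="udp" accept' "$1"
}

# Stand-alone run: summarise the constructed sample.
echo "dropped discovery replies: $(count_discovery_rejects "$SAMPLE_LOG")"
echo "peers:"
discovery_peers "$SAMPLE_LOG"
for peer in $(discovery_peers "$SAMPLE_LOG"); do
  echo "suggested rule: $(narrowed_rule "$peer")"
done
```

Matching on a source port alone is still a weak control, since a sender chooses its own source port; the rule above is only narrower than the blanket range because it also pins the peer address, which is what the parsed log gives you. Running the parser over the real `journalctl -k` output on the rejecting node tells you which peers and ports are actually involved before any port range is opened.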
