Bug 748935 - Clarify iptables filters for RHEL 5.8
Summary: Clarify iptables filters for RHEL 5.8
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: Documentation-cluster
Version: 5.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Steven J. Levine
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-10-25 15:49 UTC by Steven J. Levine
Modified: 2012-02-29 21:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-29 21:33:47 UTC
Target Upstream Version:



Description Steven J. Levine 2011-10-25 15:49:47 UTC
As part of the docs QE review for 6.2, we wound up sending the documentation for configuring iptables rules to Fabio Di Nitto for further technical review. His review comments apply to RHEL 5 as well, so we need to update this information in the RHEL 5 version of the document.

These are the two email exchanges about these updates:

Hi Steven,

yes, all the changes we did in 6 should apply pristine to 5, modulo
corosync vs openais naming.

Fabio

On 10/24/2011 10:38 PM, Steven Levine wrote:
> > Fabio:
> > 
> > The RHEL 5.7 version of the Cluster Administration document has the
> > same chapter on configuring the iptables firewall that you reviewed
> > for RHEL 6. I think your review comments apply here as well, so I'd
> > like to update this for RHEL 5.8.
> > 
> > Here is what it looks like currently:
> > 
> > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Cluster_Administration/s1-iptables_firewall-CA.html
> >
> > 1. I will rename the section to "Configuring the iptables Firewall
> > to Allow Cluster Components", as we did for RHEL 6.
> > 
> > 2. For openais, the manual currently says this:
> > -------
> > For openais:
> > 
> > iptables -I INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
> > -----------
> > 
> > Would it be correct to say what we said for corosync in RHEL 6:
> > 
> > ---------------
> > For openais, use the following filtering. Port 5405 is used to
> > receive multicast traffic.
> > 
> > iptables -I INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
> > ---------------
> > 
> > 3. The RHEL 5.7 document says this:
> > There is no special consideration for rgmanager on Red Hat Enterprise
> > Linux 5; it uses ports 5404/5405.
> > 
> > Would it be correct to change that to what we said for RHEL 6,
> > substituting openais for corosync:
> > ----------
> > In Red Hat Enterprise Linux 5, rgmanager does not access the network
> > directly; rgmanager communication happens by means of openais network
> > transport. Enabling openais allows rgmanager (or any openais clients)
> > to work automatically.
> > -----------
> > Thanks,
> > 
> > -Steven


-------------------------


Actually ... I just realized that there is a section missing in the
RHEL-5 docs.

rhel5 has also ccsd running.

ccsd needs:

udp 50007
tcp 50008

Fabio

Comment 1 Steven J. Levine 2011-10-25 17:41:20 UTC
Latest exchange:

Hi Steven,

very close:

iptables -I INPUT -p tcp -m state --state NEW -m multiport --dports 50007,50008 -j ACCEPT

this would be incorrect. Sorry, I should have written it explicitly in the
first email:

iptables -I INPUT -p udp -m state --state NEW -m multiport --dports 50007 -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m multiport --dports 50008 -j ACCEPT

Fabio
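The mistake Fabio points out in comment 1 (both ccsd ports opened over tcp, so udp 50007 stays blocked) is easy to miss by eye in a rule set. The following script is an added example, not part of the bug or of the Cluster Administration document: it audits an `iptables-save` dump against the RHEL 5 port list given in this thread (openais udp 5404/5405, ccsd udp 50007 and tcp 50008). The sample dump is constructed, and port ranges (`a:b`) are not interpreted.

```shell
#!/bin/sh
# Required INPUT ACCEPT entries for a RHEL 5 cluster node, as stated in this
# bug. Other cluster daemons are out of scope here, as they are in the bug.
REQUIRED="udp 5404
udp 5405
udp 50007
tcp 50008"

# port_allowed PROTO PORT DUMP: succeed if DUMP (iptables-save text) has an
# INPUT ACCEPT rule for PROTO whose --dport/--dports list contains PORT.
port_allowed() {
    printf '%s\n' "$3" \
      | grep -E -- "^-A INPUT .*-p $1 .* -j ACCEPT$" \
      | grep -E -q -- "--dports? ([0-9]+,)*$2(,[0-9,]*)? "
}

# audit_rules DUMP: print "PROTO PORT" for each required entry with no
# matching rule; return 0 if nothing is missing, 1 otherwise.
audit_rules() {
    out=$(printf '%s\n' "$REQUIRED" | while read -r proto port; do
        port_allowed "$proto" "$port" "$1" || printf '%s %s\n' "$proto" "$port"
    done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Constructed iptables-save excerpt of the rule set rejected in comment 1:
# the openais rule is right, but ccsd's two ports were both opened over tcp.
WRONG_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 50007,50008 -j ACCEPT
COMMIT'

# Constructed excerpt of the corrected rule set from comment 1.
RIGHT_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 50007 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 50008 -j ACCEPT
COMMIT'

# On a live node the dump would come from: audit_rules "$(iptables-save)"
if audit_rules "$WRONG_DUMP"; then
    echo "all required cluster rules present"
else
    echo "required cluster rules missing (listed above)"
fi
```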

Comment 2 Steven J. Levine 2011-10-25 17:44:14 UTC
I have updated the Cluster Administration document as per Fabio's comments and checked the latest draft files in the SVN repository, so I'm putting this bug in MODIFIED. When I next build the document I will put it in ON_QA.

