Appendix C. FirewallD Configuration
An ideal firewall configuration constrains open ports to the required services, based on the respective clients. This reference environment includes a set of ports for the active cluster along with another set used by the passive cluster, which has an offset of 100 over the original set. Other than the TCP ports accessed by callers, there are also a number of UDP ports that are used within the cluster itself for replication, failure detection and other HA functions. The following firewalld configuration opens the ports for known JBoss services to the set of IP addresses used in the reference environment, while also allowing UDP communication between them on any multicast address. The listing shows the ports for the active domain. The passive domain would include an offset of 100 over many of these ports, and different usage and configuration of components may lead to alternate firewall requirements.
Below is the firewalld configuration for node1, node2 and node3:
firewall-cmd --permanent --zone=public --list-all
public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports: 45700/udp 55200/udp 45688/udp 23364/udp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.19.137.34" port port="3528" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="3528" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="3528" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.34" port port="3529" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="3529" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="3529" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.34" port port="4712" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="4712" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="4712" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.34" port port="4713" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="4713" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="4713" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.34" port port="5545" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="5545" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="5545" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.34" port port="5546" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="5546" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="5546" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.34" port port="7600" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="7600" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="7600" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.37" port port="8009" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.34" port port="8080" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="8080" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="8080" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="9999" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="9999" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.34" port port="54200" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="54200" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="54200" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.34" port port="55200" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="55200" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="55200" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.34" port port="57600" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="57600" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="57600" protocol="tcp" accept
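The listing above shows only the resulting zone; the script below, added here as an example and not part of the reference architecture, generates the firewall-cmd commands that produce those per-node rich rules and takes the domain port offset as a parameter. Node addresses and ports are copied from the listing; the zone name, the full node-by-port mesh (the listing omits a few pairs, such as 9999 from 10.19.137.34, and the 8009 AJP rule from the HTTP server at 10.19.137.37 is left out) and the choice of which ports shift for the passive domain are assumptions to be checked against the socket-binding group.

```shell
# Constructed from the node listing (active domain). The passive domain shifts
# many, but not all, of these ports by 100, so the offset is passed per domain.
NODES="10.19.137.34 10.19.137.35 10.19.137.36"
TCP_PORTS="3528 3529 4712 4713 5545 5546 7600 8080 9999 54200 55200 57600"
UDP_PORTS="45700 55200 45688 23364"
ZONE=public   # assumed zone, matches "public (default)" in the listing

# gen_rich_rules [OFFSET]: print one firewall-cmd per (port, node) pair that
# accepts TCP on port+OFFSET only from that cluster node's address, so each
# service port is reachable from peers in the reference environment and nowhere else.
gen_rich_rules() {
  offset=${1:-0}
  for port in $TCP_PORTS; do
    p=$((port + offset))
    for node in $NODES; do
      printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" "$ZONE" "$node" "$p"
    done
  done
}

# gen_udp_ports: the JGroups/mod_cluster UDP ports are opened without a source
# restriction, matching the "ports:" line of the listing, because multicast
# membership traffic has no single unicast peer to pin them to.
gen_udp_ports() {
  for port in $UDP_PORTS; do
    printf "firewall-cmd --permanent --zone=%s --add-port=%s/udp\n" "$ZONE" "$port"
  done
}

# count_rules [OFFSET]: number of rich rules that would be added (ports x nodes),
# a quick sanity check before anything is applied.
count_rules() {
  gen_rich_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: review the output, then pipe it to sh and run
# 'firewall-cmd --reload' on the node.
#   sh gen-rules.sh 0   > active-rules.sh
#   sh gen-rules.sh 100 > passive-rules.sh
if [ $# -gt 0 ]; then
  gen_rich_rules "$1"
  gen_udp_ports
fi
```

The generated commands only stage permanent rules; nothing changes on the host until they are executed and the zone is reloaded.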
Red Hat JBoss Core Services Apache HTTP Server 2.4 has the following firewalld configuration:
firewall-cmd --permanent --zone=public --list-all
public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports: 443/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.19.137.34" port port="5432" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="5432" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="5432" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.34" port port="6661" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="6661" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="6661" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.34" port port="6662" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.35" port port="6662" protocol="tcp" accept
rule family="ipv4" source address="10.19.137.36" port port="6662" protocol="tcp" accept
rule family="ipv4" source address="10.10.0.1/8" port port="81" protocol="tcp" accept
rule family="ipv4" source address="10.10.0.1/8" port port="82" protocol="tcp" accept