[Gluster-users] On ports and firewalls
nux at li.nux.ro
Tue Jul 30 19:05:17 UTC 2013
On 24.07.2013 13:11, Nux! wrote:
> On 24.07.2013 08:50, Nux! wrote:
>> Can someone help with this? I need to setup a firewall around a
>> gluster (3.4) setup and I wouldn't like my clients to become peers.
>> So the ports I'd need to watch for would be:
>> management traffic (aka `gluster peer` operations etc) - 24007/tcp,
>> 24008/tcp, 24009+/tcp (for the bricks)
>> client traffic (so clients can mount & use the volume, but not become
>> peers) - ???
>> nfs traffic - 111/udp, 111/tcp & 38465-38468/tcp
> Just noticed 24009 needs to be open for the NFS to work (doh!).
> I'm still waiting for clarifications on which ports I need to open in
> order to allow client mounts, but not "peer" requests.
Thanks to JoeJulian on IRC for explaining to me, turns out there's no
separation that would allow port based restriction.
So, in theory if a client can connect and mount a volume it can also
issue "peer" commands, however - luckily - once a glusterfs deployment
is setup an external node is not authorised to become a peer. For "peer
probe" to work it needs to be initialised by an existing node.
Sent from the Delta quadrant using Borg technology!
More information about the Gluster-users