Firewall recommendations for protocol access
It is recommended to use certain port numbers to secure the protocol data transfer.
Recommendations for NFS access
Port Number | Protocol | Service Name | Components that are involved in communication |
---|---|---|---|
2049 | TCP and UDP | NFSV4 or NFSV3 | NFS clients and IBM Storage Scale protocol node |
111 | TCP and UDP | RPC (required only by NFSV3) | NFS clients and IBM Storage Scale protocol node |
User-defined static port | TCP and UDP | STATD (required only by NFSV3) | NFS clients and IBM Storage Scale protocol node |
User-defined static port | TCP and UDP | MNT (required only by NFSV3) | NFS clients and IBM Storage Scale protocol node |
User-defined static port | TCP and UDP | NLM (required only by NFSV3) | NFS clients and IBM Storage Scale protocol node |
User-defined static port | TCP and UDP | RQUOTA (required by both NFSV3 and NFSV4) | NFS clients and IBM Storage Scale protocol node |
- Review your system's /etc/services file to select the static ports to use for the MNT, NLM, STATD, and RQUOTA services that are required by the NFSV4 server. Do not use a port that is already used by another application. Set the static ports by using the mmnfs config change command. Allow TCP and UDP port 2049 on the protocol node IPs. For example:
  mmnfs config change MNT_PORT=32767:NLM_PORT=32769:RQUOTA_PORT=32768:STATD_PORT=32765
- Allow all external communications on TCP and UDP port 111 by using the protocol node IPs.
- Allow all external communications on the TCP and UDP port that is specified with mmnfs config change for MNT and NLM ports.
- Ensure that the following steps are done after making any of these changes:
  - Restart NFS after changing these parameters by using the following commands:
    mmces service stop NFS -a
    mmces service start NFS -a
  - Use rpcinfo -p to query the protocol nodes after any port changes to verify that the proper ports are in use.
  - Remount any existing clients because a port change might have disrupted connections.
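The rpcinfo -p check above can be scripted so that the verification is repeatable after every port change. The following is an added example, not part of the IBM Storage Scale documentation: it parses rpcinfo -p output and confirms that mountd, nlockmgr, rquotad and status are bound to the static ports given to mmnfs config change (the expected values are the ones from the example command above). The rpcinfo sample embedded in the script is constructed, not captured from a real node.

```shell
#!/bin/sh
# Added example, not part of the IBM Storage Scale documentation: parse the
# output of "rpcinfo -p" from a protocol node and confirm that mountd, nlockmgr,
# rquotad and status listen on the static ports set with "mmnfs config change".
# The expected ports below are the ones used in the page's example command.

# Constructed sample of "rpcinfo -p" output after the static-port change has
# taken effect (sample data, not a capture from a real node).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    3   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100021    4   tcp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100011    1   tcp  32768  rquotad
    100011    1   udp  32768  rquotad
    100024    1   tcp  32765  status
    100024    1   udp  32765  status'

# port_for PROTO SERVICE RPCINFO_TEXT
# Prints the port on which SERVICE is registered for PROTO (tcp or udp);
# prints nothing if the service is not registered.
port_for() {
    printf '%s\n' "$3" | awk -v proto="$1" -v svc="$2" \
        '$3 == proto && $5 == svc { print $4; exit }'
}

# check_static_ports RPCINFO_TEXT MNT_PORT NLM_PORT RQUOTA_PORT STATD_PORT
# Returns 0 when every service is bound to its configured port on both TCP
# and UDP; otherwise prints each mismatch and returns 1.
check_static_ports() {
    text=$1
    rc=0
    for pair in "mountd:$2" "nlockmgr:$3" "rquotad:$4" "status:$5"; do
        svc=${pair%%:*}
        want=${pair##*:}
        for proto in tcp udp; do
            got=$(port_for "$proto" "$svc" "$text")
            if [ "$got" != "$want" ]; then
                echo "MISMATCH: $svc/$proto is on '${got:-not registered}', expected $want"
                rc=1
            fi
        done
    done
    return $rc
}

# Usage on a protocol node (the ports must match the values given to
# "mmnfs config change"):
#   check_static_ports "$(rpcinfo -p)" 32767 32769 32768 32765
```

Run it on each protocol node after mmces service start NFS -a; a non-zero exit status means at least one helper service came up on a dynamic port, which is exactly the case a static firewall rule set would silently break.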
Recommendations for SMB access
Port Number | Protocol | Service Name | Components that are involved in communication |
---|---|---|---|
445 | TCP | Samba | SMB clients and IBM Storage Scale protocol node |
4379 | TCP | CTDB | Inter-protocol node |
- Allow the access request that is coming from the data network and admin and management network on port 445 using the protocol node IPs. You can get the list of protocol node IPs by using the mmlscluster --ces command.
- Allow connection only to the requests that are coming from the IBM Storage Scale cluster node IPs (internal IPs and protocol node IPs) on port 4379. Block all other external connections on this port. Use the mmlscluster command to get the list of cluster node IPs.
Recommendations for S3 access
Ports for S3 access are listed in the following table:
Port number | Protocol | Service name | Components that are involved in communication |
---|---|---|---|
6443 (default ENDPOINT_SSL_PORT) | TCP | noobaa | S3 client and IBM Storage Scale protocol node |
6001 (default ENDPOINT_PORT) | TCP | noobaa | S3 client and IBM Storage Scale protocol node |
- Allow the secure access request that is coming from the S3 client and the protocol node on port 6443 for all HTTPS requests that are using the protocol node IPs. You can get the list of protocol node IPs by using the mmlscluster --ces command.
- Allow the access request that is coming from the S3 client and the protocol node on port 6001 for all HTTP requests that are using the protocol node CES IPs. You can get the list of protocol node IPs by using the mmlscluster --ces command.
- List the current configuration:
  mms3 config list
- Change the default port for HTTPS, that is, ENDPOINT_SSL_PORT:
  mms3 config change ENDPOINT_SSL_PORT=<port-number>
- Change the default port for HTTP, that is, ENDPOINT_PORT:
  mms3 config change ENDPOINT_PORT=<port-number>
  Note: The ALLOW_HTTP=true configuration parameter must be set along with the HTTP port change for I/O requests from S3 users to take effect.
- Check whether the ports are changed:
  netstat -an | grep <port-number>
- Ensure that the system administrator informs all S3 user accounts of the port change, so that user accounts can send I/O requests to the new port.
Object port configuration
Port Number | Protocol | Service Name | Components that are involved in communication |
---|---|---|---|
8080 | TCP | Object Storage Proxy | Object clients and IBM Storage Scale protocol node |
6200 | TCP | Object Storage (local account server) | Local host |
6201 | TCP | Object Storage (local container server) | Local host |
6202 | TCP | Object Storage (local object server) | Local host |
6203 | TCP | Object Storage (object server for unified file and object access) | Local host |
11211 | TCP and UDP | Memcached (local) | Local host |
- Allow all external communications on TCP port 8080 (Object Storage proxy).
- Allow connections only from the IBM Storage Scale cluster node IPs (internal IPs and protocol node IPs) on ports 6200, 6201, 6202, 6203, and 11211. Block all other external connections on these ports.
Shell access by non-root users must be restricted on IBM Storage Scale protocol nodes where the object services are running to prevent unauthorized access to object data.
Port usage for object authentication
Port Number | Protocol | Service Name | Components that are involved in communication |
---|---|---|---|
5000 | TCP | Keystone Public | Authentication clients and object clients |
35357 | TCP | Keystone Internal/Admin | Authentication and object clients and Keystone administrator |
- Allow all external communication requests that are coming from the admin or management network and IBM Storage Scale internal IPs on port 35357.
- Allow all external communication requests that are coming from clients to IBM Storage Scale for object storage on port 5000. Block all other external connections on this port.
Port usage to connect to the Postgres database for object protocol
Port Number | Protocol | Service Name | Components that are involved in communication |
---|---|---|---|
5431 | TCP and UDP | postgresql-obj | Inter-protocol nodes |
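The SMB, object and Postgres sections above all apply the same pattern: an inter-node port (4379, 6200-6203, 11211, 5431) is opened only to the cluster node IPs and closed to every other source. The following added example, not part of the IBM Storage Scale documentation, turns that pattern into firewalld rich rules. It assumes firewalld 0.7 or later (for the rich-rule priority attribute), IPv4 addresses, and that the cluster IPs are supplied by the administrator from the mmlscluster output; the IPs in the usage comment are constructed. The functions print the firewall-cmd commands rather than running them, so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the IBM Storage Scale documentation: generate firewalld
# rich rules that restrict the inter-node ports listed on this page (CTDB 4379,
# object 6200-6203 and 11211, Postgres 5431) to the cluster node IPs and drop
# every other source. The functions print the firewall-cmd commands instead of
# running them, so they can be reviewed before being applied.
# Assumptions: firewalld 0.7 or later (rich-rule "priority" attribute), IPv4
# addresses, and cluster IPs passed in from the output of "mmlscluster".

# emit_internal_port_rules "IP1 IP2 ..." "PORT/PROTO PORT-RANGE/PROTO ..."
# For each port spec: one accept rule per cluster IP (priority -10, evaluated
# first) followed by a catch-all drop rule (priority 10) for that port.
emit_internal_port_rules() {
    ips=$1
    specs=$2
    for spec in $specs; do
        port=${spec%/*}
        proto=${spec#*/}
        for ip in $ips; do
            printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" priority=\"-10\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'\n" \
                "$ip" "$port" "$proto"
        done
        printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" priority=\"10\" port port=\"%s\" protocol=\"%s\" drop'\n" \
            "$port" "$proto"
    done
}

# The page's internal-only ports, in the PORT/PROTO form the function expects.
STORAGE_SCALE_INTERNAL_PORTS='4379/tcp 6200-6203/tcp 11211/tcp 11211/udp 5431/tcp 5431/udp'

# emit_storage_scale_internal_rules "IP1 IP2 ..."
# Wrapper over the page's list; ends with the reload that activates the
# permanent rules.
emit_storage_scale_internal_rules() {
    emit_internal_port_rules "$1" "$STORAGE_SCALE_INTERNAL_PORTS"
    echo 'firewall-cmd --reload'
}

# Usage (constructed cluster IPs; in practice take them from "mmlscluster"):
#   emit_storage_scale_internal_rules "10.10.1.11 10.10.1.12" > internal-ports.sh
#   sh internal-ports.sh        # after reviewing the generated commands
```

The explicit priorities matter: without them firewalld orders rich rules by action (drop before accept), so a catch-all drop rule would shadow the per-IP accept rules. Rerun the generator whenever a node is added to or removed from the cluster, since the accept list is only as current as the IP list it was given.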
Consolidated list of recommended ports that are used for installation, internal communication, and protocol access
Function | Dependent network service names | External ports that are used for file and object access | Internal ports that are used for inter-cluster communication | UDP / TCP | Nodes for which the rules are applicable |
---|---|---|---|---|---|
Installer | Ansible® | N/A | 10080 (repo) | TCP | GPFS server, NSD server, protocol nodes |
GPFS (internal communication) | GPFS | N/A | 1191 (GPFS); 60000-61000 for tscCmdPortRange; 22 for SSH | TCP and UDP (TCP only for 22) | GPFS server, NSD server, protocol nodes |
SMB | gpfs-smb.service, gpfs-ctdb.service, rpc.statd | 445 | 4379 (CTDB) | TCP | Protocol nodes only |
NFS | gpfs.ganesha.nfsd, rpcbind, rpc.statd | 2049 (NFS_PORT - required only by NFSV3); 111 (RPC - required only by NFSV3); 32765 (STATD_PORT); 32767 (MNT_PORT - required only by NFSV3); 32768 (RQUOTA_PORT - required by both NFSV3 and NFSV4); 32769 (NLM_PORT - required only by NFSV3). Note: Make the dynamic ports static with the mmnfs config change command. | N/A | TCP and UDP | Protocol nodes only |
S3 | noobaa.service | 6443 (default SSL_PORT); 6001 (default HTTP PORT) | N/A | TCP | Protocol nodes only |
Object | swift-proxy-server, keystone-all, postgresql-obj | 8080 (proxy server); 35357 (keystone); 5000 (keystone public) | 5431 (Object Postgres instance); 6200-6203 (Object Storage); 11211 (Memcached) | TCP; TCP and UDP (for 11211 only) | Protocol nodes only |