Firewall recommendations for protocol access
Use the port numbers that are recommended in this section to secure protocol data transfer through a firewall.
Required for NFS access
| Port number | Protocol | Service name | Components that are involved in communication |
|---|---|---|---|
| 2049 | TCP | NFSv3 or NFSv4 | NFS Ganesha |
| 111 | TCP and UDP | RPC or portmapper (required only by NFSV3 and RQUOTA) | NFS Ganesha |
| Dynamic or user-defined static port (32765, 32767-32769) | TCP and UDP | STATD (required only by NFSv3) | rpc.statd |
| Dynamic or user-defined static port | TCP and UDP | mountd (required only by NFSv3) | NFS Ganesha |
| Dynamic or user-defined static port | TCP and UDP | nlockmgr (required only by NFSv3) | NFS Ganesha |
| Dynamic or user-defined static port | TCP and UDP | RQUOTA (required by both NFSv3 and NFSv4) | NFS Ganesha |
- Do not use UDP for NFSv4 or NFSv3.
- NFSv3 uses the dynamic ports for NLM, MNT, STATD and RQUOTA services. When an NFS server is used with the firewall, these services must be configured with static ports.
- The communication for the STATD and portmapper services between nodes must happen over the daemon network.
- Review your system's /etc/services file to select the static ports to use for the MNT, NLM, STATD, and RQUOTA services that are required by the NFSv4 server. Do not use a port that is already used by another application. Set the static ports by using the mmnfs config change command. Allow TCP and UDP port 2049 on the protocol node IPs. For example:
    `mmnfs config change MNT_PORT=32767:NLM_PORT=32769:RQUOTA_PORT=32768:STATD_PORT=32765`
- Make sure that the following steps are done after you make any of these changes:
    - Use rpcinfo -p to query the protocol nodes after any port change to verify that the proper ports are in use.
    - Remount any existing clients because a port change might disrupt connections.
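The rpcinfo verification step can be scripted. The following is an added example, not IBM's code: it parses the output of rpcinfo -p (a constructed sample from a correctly configured node is embedded) and checks that mountd, nlockmgr, rquotad and status (rpc.statd) are registered, for both TCP and UDP, on the static ports set with the example mmnfs config change command above. The service names are the ones rpcinfo prints; the expected port values are assumed to be the ones from that example.

```shell
#!/bin/sh
# Added example (not IBM's code): verify that the NFS helper services on a
# protocol node are registered on the static ports set with "mmnfs config change".
# Expected ports are the ones from the example command on this page (assumption).
MNT_PORT=32767
NLM_PORT=32769
RQUOTA_PORT=32768
STATD_PORT=32765

# Constructed sample of "rpcinfo -p" output on a correctly configured node.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    3   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100024    1   tcp  32765  status
    100024    1   udp  32765  status
    100021    4   tcp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100011    2   tcp  32768  rquotad
    100011    2   udp  32768  rquotad
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs'

# port_of <rpcinfo-output> <service> <proto>: print the port the service is
# registered on for that transport, or nothing if it is not registered.
# rpcinfo -p columns are: program vers proto port service
port_of() {
    printf '%s\n' "$1" | awk -v svc="$2" -v proto="$3" '$5 == svc && $3 == proto { print $4; exit }'
}

# check_static_ports <rpcinfo-output>: return 0 if every helper service is on
# its expected static port for both tcp and udp, 1 otherwise (mismatches go to stderr).
check_static_ports() {
    out=$1
    rc=0
    for spec in "mountd:$MNT_PORT" "nlockmgr:$NLM_PORT" "rquotad:$RQUOTA_PORT" "status:$STATD_PORT"; do
        svc=${spec%%:*}
        want=${spec##*:}
        for proto in tcp udp; do
            got=$(port_of "$out" "$svc" "$proto")
            if [ "$got" != "$want" ]; then
                echo "MISMATCH: $svc/$proto on port '${got:-none}', expected $want" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Usage on a live protocol node: check_static_ports "$(rpcinfo -p)"
```

Run it on each protocol node after the port change; a non-zero exit with a MISMATCH line means a service is still on a dynamic port, which the firewall rules for the static ports will not cover.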
Required for SMB access
| Port number | Protocol | Service name | Components that are involved in communication |
|---|---|---|---|
| 445 | TCP | Samba | SMB clients to the Samba cluster IPs (modern Windows clients only) |
| 4379 | TCP | CTDB and Samba | Inter-protocol nodes only |
- Allow access requests that come from the data network and from the admin and management networks on port 445 to the protocol node IPs. You can get the list of protocol node IPs by using the mmlscluster --ces command.
- Allow connections on port 4379 only from the IBM Storage Scale cluster node IPs (internal IPs and protocol node IPs). Block all other external connections on this port. Use the mmlscluster command to get the list of cluster node IPs.
Recommendations for the S3 access
Ports for the S3 access are listed in the following table:
| Port number | Protocol | Service name | Components that are involved in communication |
|---|---|---|---|
| 6443 (default ENDPOINT_SSL_PORT) | TCP | NooBaa | S3 client and IBM Storage Scale protocol node |
| 6001 (default ENDPOINT_PORT) | TCP | NooBaa | S3 client and IBM Storage Scale protocol node |
| 7005 | TCP | NooBaa | S3 client and IBM Storage Scale protocol node |
- Allow the secure access request that is coming from the S3 client and the protocol node on port 6443 for all HTTPS requests that are using the protocol node IPs. You can get the list of protocol node IPs by using the mmlscluster --ces command.
- Allow the access request that is coming from the S3 client and the protocol node on port 6001 for all HTTP requests that are using the protocol node CES IPs. You can get the list of protocol node IPs by using the mmlscluster --ces command.
- List the current configuration: `mms3 config list`
- Change the default port for HTTPS (ENDPOINT_SSL_PORT): `mms3 config change ENDPOINT_SSL_PORT=<port-number>`
- Change the default port for HTTP (ENDPOINT_PORT): `mms3 config change ENDPOINT_PORT=<port-number>`. Note: The ALLOW_HTTP=true configuration parameter must be set along with the HTTP port change for I/O requests from S3 users to take effect.
- Check whether the ports are changed: `netstat -an | grep <port-number>`
- Ensure that the sysadmin communicates the port change to all S3 user accounts so that they can send I/O requests to the new port.
Object port configuration
| Port number | Protocol | Service name | Components that are involved in communication |
|---|---|---|---|
| 8080 | TCP | Object Storage Proxy | Object clients and IBM Storage Scale protocol node |
| 6200 | TCP | Object Storage (local account server) | Local host |
| 6201 | TCP | Object Storage (local container server) | Local host |
| 6202 | TCP | Object Storage (local object server) | Local host |
| 6203 | TCP | Object Storage (object server for unified file and object access) | Local host |
| 11211 | TCP and UDP | Memcached (local) | Local host |
- Allow all external communications on TCP port 8080 (Object Storage proxy).
- Allow connections on ports 6200, 6201, 6202, 6203, and 11211 only from the IBM Storage Scale cluster node IPs (internal IPs and protocol node IPs). Block all other external connections on these ports.
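The SMB, S3 and object recommendations above share one pattern: some ports accept clients from outside (445, 6443, 6001, 8080) and some accept only cluster node IPs (4379, 6200-6203, 11211). The following added example, not IBM's code, turns that pattern into an nftables ruleset for a protocol node. The cluster IPs passed to it are constructed; on a real node they come from mmlscluster and mmlscluster --ces. The table name scale_protocol is an assumption, and the default policy is left at accept so that ports covered by other sections of this page (SSH, GPFS 1191, NFS) are not affected.

```shell
#!/bin/sh
# Added example, not IBM's code: generate an nftables ruleset for a protocol node
# that applies the port recommendations on this page:
#   - SMB 445, S3 6443/6001 and object proxy 8080 accept connections from anywhere;
#   - CTDB 4379 and the local object-service ports 6200-6203 and 11211 accept
#     connections only from cluster node IPs; everything else to them is dropped.
# The default policy stays "accept" so that ports handled elsewhere (SSH, GPFS
# 1191, NFS) are not touched by this table (design choice, not from the page).

PUBLIC_TCP_PORTS="445 6443 6001 8080"
CLUSTER_ONLY_TCP_PORTS="4379 6200 6201 6202 6203 11211"
CLUSTER_ONLY_UDP_PORTS="11211"

# join_csv <word>...: print the words separated by ", " (nft set element syntax)
join_csv() {
    out=$(printf '%s, ' "$@")
    printf '%s' "${out%, }"
}

# gen_protocol_node_rules <cluster-node-ip>...: print the ruleset to stdout.
# Take the IPs from "mmlscluster" (internal IPs) and "mmlscluster --ces"
# (protocol node IPs); the IPs in the usage line below are constructed values.
gen_protocol_node_rules() {
    [ $# -gt 0 ] || { echo "usage: gen_protocol_node_rules <cluster-node-ip>..." >&2; return 1; }
    ips=$(join_csv "$@")
    pub=$(join_csv $PUBLIC_TCP_PORTS)
    tcp_int=$(join_csv $CLUSTER_ONLY_TCP_PORTS)
    udp_int=$(join_csv $CLUSTER_ONLY_UDP_PORTS)
    cat <<EOF
table inet scale_protocol {
    set cluster_nodes {
        type ipv4_addr
        elements = { $ips }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        ct state established,related accept
        tcp dport { $pub } accept
        ip saddr @cluster_nodes tcp dport { $tcp_int } accept
        ip saddr @cluster_nodes udp dport { $udp_int } accept
        tcp dport { $tcp_int } drop
        udp dport { $udp_int } drop
    }
}
EOF
}

# Usage (constructed IPs): gen_protocol_node_rules 10.10.0.11 10.10.0.12 | nft -c -f -
```

Pipe the output to nft -c -f - to syntax-check it, then to nft -f - to load it. Because the accept rules for cluster_nodes come before the drop rules, a request to 4379 from a node outside the set is dropped while the same request from a cluster node is accepted, which is what the SMB and object bullets above ask for.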
Shell access by non-root users must be restricted on IBM Storage Scale protocol nodes where the object services are running to prevent unauthorized access to object data.
Port usage for object authentication
| Port Number | Protocol | Service Name | Components that are involved in communication |
|---|---|---|---|
| 5000 | TCP | Keystone Public | Authentication clients and object clients |
| 35357 | TCP | Keystone Internal or Admin | Authentication and object clients and Keystone administrator |
- Allow all external communication requests that are coming from the admin or management network and IBM Storage Scale internal IPs on port 35357.
- Allow all external communication requests that are coming from clients to IBM Storage Scale for object storage on port 5000. Block all other external connections on this port.
Port usage to connect to the Postgres database for object protocol
| Port number | Protocol | Service name | Components that are involved in communication |
|---|---|---|---|
| 5431 | TCP and UDP | postgresql-obj | Inter-protocol nodes |
Identity, authentication and directory services
Use the ports that are listed in the following table for identity, authentication and directory services:
| Port number | Protocol | Service name | Notes |
|---|---|---|---|
| 53 | TCP and UDP | DNS | AD relies heavily on DNS (SRV records). |
| 88 | TCP and UDP | Kerberos | User and machine authentication. |
| 464 | TCP and UDP | Kerberos password change (kpasswd) | Needed for joins and password updates. |
| 389 | TCP | LDAP | Directory queries. |
| 2049 | TCP | RPCSEC_GSS | |
| 636 | TCP | LDAPS | Secure LDAP on 636 or a custom user-defined port. |
Consolidated list of recommended ports that are used for installation, internal communication, and protocol access
| Function | Dependent network service names | External ports that are used for file and object access | Internal ports that are used for inter-cluster communication | UDP / TCP | Nodes for which the rules are applicable |
|---|---|---|---|---|---|
| GPFS (internal communication) | GPFS | N/A | 1191 (GPFS); 60000-61000 (tscCmdPortRange); 22 (SSH) | TCP | GPFS server, NSD server, protocol nodes |
| SMB | gpfs-smb.service; gpfs-ctdb.service; rpc.statd | 445 | 4379 (CTDB) | TCP | Protocol nodes only |
| NFS | gpfs.ganesha.nfsd; rpcbind; rpc.statd | 2049 (NFS_PORT, required by NFSv3 or NFSv4) | N/A | TCP | Protocol nodes only |
| NFS | gpfs.ganesha.nfsd; rpcbind; rpc.statd | 111 (RPC, required only by NFSv3); 32765 (STATD_PORT); 32767 (MNT_PORT, required only by NFSv3); 32768 (RQUOTA_PORT, required by both NFSv3 and NFSv4); 32769 (NLM_PORT, required only by NFSv3). Note: Make the dynamic ports static with the mmnfs config change command. | N/A | TCP and UDP | Protocol nodes only |
| S3 | noobaa.service | 6443 (default SSL_PORT); 6001 (default HTTP PORT) | N/A | TCP | Protocol nodes only |
| Windows 12 and higher | Dynamic RPC | 49152-65535 | N/A | TCP | Management |
| NTP | NTP | 123 | N/A | UDP | Kerberos |