Firewall recommendations for protocol access
It is recommended to use certain port numbers to secure the protocol data transfer.
Recommendations for NFS access
The following table provides the list of static ports that are used for NFS data I/O.
| Port Number | Protocol | Service Name | Components that are involved in communication |
|---|---|---|---|
| 2049 | TCP and UDP | NFSV4 or NFSV3 | NFS clients and IBM Spectrum Scale™ protocol node |
| 111 | TCP and UDP | RPC (required only by NFSV3) | NFS clients and IBM Spectrum Scale protocol node |
| User-defined static port | TCP and UDP | STATD (required only by NFSV3) | NFS clients and IBM Spectrum Scale protocol node |
| User-defined static port | TCP and UDP | MNT (required only by NFSV3) | NFS clients and IBM Spectrum Scale protocol node |
| User-defined static port | TCP and UDP | NLM (required only by NFSV3) | NFS clients and IBM Spectrum Scale protocol node |
| User-defined static port | TCP and UDP |
RQUOTA (required by both NFSV3 and NFSV4) |
NFS clients and IBM Spectrum Scale protocol node |
Note: NFSV3 uses the dynamic ports for NLM, MNT, and STATD services. When an NFSV4 server is
used with the firewall, these services must be configured with static ports.
The following recommendations are applicable:
- Review your systems/etc/services file in order to select the static ports
to use for MNT, NLM, STATD, and RQUOTA services that are required by the NFSV4 server. Do not use a
port that is already used by another application. Set the static ports by using the mmnfs config change command. Allow TCP and UDP port 2049
to use the protocol node IPs. For example:
mmnfs config change MNT_PORT=32767:NLM_PORT=32769:RQUOTA_PORT=32768:STATD_PORT=32765 - Allow all external communications on TCP and UDP port 111 by using the protocol node IPs.
- Allow all external communications on the TCP and UDP port that is specified with mmnfs config change for MNT and NLM ports.
- Ensure that following steps are done after making any of these changes.
- Restart NFS after changing these parameters by using the following
commands.
mmces service stop NFS -a mmces service start NFS -a - Use rpcinfo -p to query the protocol nodes after any port changes to verify that proper ports are in use.
- Remount any existing clients because a port change might have disrupted connections.
- Restart NFS after changing these parameters by using the following
commands.
Recommendations for SMB access
Samba uses
the following ports for the secure access.
| Port Number | Protocol | Service Name | Components that are involved in communication |
|---|---|---|---|
| 445 | TCP | Samba | SMB clients and IBM Spectrum Scale protocol node |
| 4379 | TCP | CTDB | Inter-protocol node |
The following recommendations are applicable for the
SMB access:
- Allow the access request that is coming from the data network and admin and management network on port 445 using the protocol node IPs. You can get the list of protocol node IPs by using the mmlscluster --ces command.
- Allow connection only to the requests that are coming from the IBM Spectrum Scale cluster node IPs (internal IPs and protocol node IPs) on port 4379. Block all other external connections on this port. Use the mmlscluster command to get the list of cluster node IPs.
Port usage for BLOCK service
| Port Number | Protocol | Service Name | Components that are involved in communication |
|---|---|---|---|
| 3260 | TCP | BLOCK (iSCSI) | IBM Spectrum Scale protocol node (when the BLOCK service is enabled) listening on this port |
Object port configuration
Note: IBM Spectrum
Scale is configured
with the ports listed here. Changing ports requires updating configuration
files, Keystone endpoint definitions, and SELinux rules. This must
be done only after careful planning.
The following table
lists the ports configured for object access.
| Port Number | Protocol | Service Name | Components that are involved in communication |
|---|---|---|---|
| 8080 | TCP | Object Storage Proxy | Object clients and IBM Spectrum Scale protocol node |
| 6200 | TCP | Object Storage (local account server) | Local host |
| 6201 | TCP | Object Storage (local container server) | Local host |
| 6202 | TCP | Object Storage (local object server) | Local host |
| 6203 | TCP | Object Storage (object server for unified file and object access) | Local host |
| 11211 | TCP and UDP | Memcached (local) | Local host |
The following ports are configured for securing object
access:
- Allow all external communications on TCP port 8080 (Object Storage proxy).
- Allow connection only from the IBM Spectrum Scale cluster node IPs (internal IPs and protocol node IPs) on ports 6200, 6201, 6202, 6203, and 11211. Block all other external connections on this port.
Shell access by non-root users must be restricted on IBM Spectrum Scale protocol nodes where the object services are running to prevent unauthorized access to object data.
Note: The reason for these restrictions is that
because there is no authentication of requests made on ports 6200,
6201, 6202, and 6203, it is critical to ensure that these
ports are protected from access by unauthorized clients.
Port usage for object authentication
You can configure
either an external or internal Keystone server to manage the authentication
requests. Keystone uses the following ports:
| Port Number | Protocol | Service Name | Components that are involved in communication |
|---|---|---|---|
| 5000 | TCP | Keystone Public | Authentication clients and object clients |
| 35357 | TCP | Keystone Internal/Admin | Authentication and object clients and Keystone administrator |
These ports are applicable only if keystone is hosted
internally on the IBM Spectrum
Scale system.
The following port usage is applicable:
- Allow all external communication requests that are coming from the admin or management network and IBM Spectrum Scale internal IPs on port 35357.
- Allow all external communication requests that are coming from clients to IBM Spectrum Scale for object storage on port 5000. Block all other external connections on this port.
Port usage to connect to the Postgres database for object protocol
The Postgres database server for object protocol is configured to use the following port:
It is recommended to allow connection only from Cluster node IPs (Internal IPs and Protocol
node IPs) on port 5431. Block all other communication requests on this port.
| Port Number | Protocol | Service Name | Components that are involved in communication |
|---|---|---|---|
| 5431 | TCP and UDP | postgresql-obj | Inter-protocol nodes |
Note: The
Postgres instance used by the object protocol uses port 5431. This
is different from the default port to avoid conflict with other Postgres
instances that might be on the system including the instance for IBM Spectrum Scale GUI.
Consolidated list of recommended ports that are used for installation, internal communication, and protocol access
The
following table provides a consolidated list of recommended ports
and firewall rules.
| Function | Dependent network service names | External ports that are used for file and object access | Internal ports that are used for inter-cluster communication | UDP / TCP | Nodes for which the rules are applicable |
|---|---|---|---|---|---|
| Installer | Chef | N/A | 8889 (chef) 10080 (repo) |
TCP | GPFS™ server, NSD server, protocol nodes |
| GPFS (internal communication) | GPFS | N/A | 1191 (GPFS) 60000-61000 for tscCmdPortRange 22 for SSH |
TCP and UDP TCP only for 22 |
GPFS server, NSD server, protocol nodes |
| SMB | gpfs-smb.service gpfs-ctdb.service rpc.statd |
445 | 4379 (CTDB) | TCP | Protocol nodes only |
| NFS | ganesha.nfsd rpcbind rpc.statd |
2049 (NFS_PORT - required only by NFSV3) 111 (RPC - required only by NFSV3) 32765 (STATD_PORT) 32767 (MNT_PORT - required only by NFSV3) 32768 (RQUOTA_PORT - required by both NFSV3 and NFSV4) 32769 (NLM_PORT - required only by NFSV3) Note: Make the dynamic ports static with command mmnfs
config change .
|
N/A | TCP and UDP | Protocol nodes only |
| Object | swift-proxy-server keystone-all postgresql-obj |
8080 (proxy server) 35357 (keystone) 5000 (keystone public) |
5431 (Object Postgres instance) 6200-6203 (Object Storage) 11211 (Memcached) |
TCP TCP and UDP (for 11211 only) |
Protocol nodes only |