Purpose of this techdoc:
In some infrastructures every system is required to be protected by a firewall. The "viosecure" utility provides an easy-to-use interface for managing the firewall embedded in the VIOS.
Within an SSP environment, network communication is one of the key features and must be set up carefully: any change made to the network can disrupt the cluster services.
This techdoc documents how to enable the firewall and configure the rules the SSP cluster needs to keep working.
If you also plan to use these VIOS as MSP partitions for LPM operations, refer to the technote "How to setup firewall on VIOS for LPM operation" as well.
Pre-requisites:
This document assumes the SSP cluster is up and running. All nodes should report state "OK" and pool state "OK" (use the "cluster -status" command to check the cluster and node states).
Configuring the firewall:
Which ports need to be open?
The SSP cluster is built from several components, and each has its own set of ports to open.
For CAA:
- caa_cfg: 6181/tcp (as defined in "/etc/services")
- clcomd_caa: 16191/tcp (as defined in "/etc/services")
- CAA unicast heartbeat: 42112 (not defined in "/etc/services")
For RMC/RSCT: 657/tcp (as defined in "/etc/services")
For poolfs: 3192/tcp (defined as firemonrcc in "/etc/services")
Note: The SSP database changed over time. SSP clusters at VIOS levels before 2.2.6.31 use SolidDB; later levels have been migrated to PostgreSQL.
If all nodes in the cluster report ON_LEVEL with a version older than 2.2.6.31, the database should be SolidDB.
If all nodes report ON_LEVEL with version 2.2.6.31 or higher, it should be PostgreSQL.
You can confirm this with the "ps" command:
For SolidDB, you will see a "soliddb" process owned by root.
For PostgreSQL, you will see several "postgres" processes owned by the vpgadmin user.
The port numbers for each database are:
For SolidDB: 3801/tcp (marked as unassigned in "/etc/services")
For PostgreSQL: 6080/tcp and 6090/tcp (not in "/etc/services")
Configuring the VIOS firewall.
Note: To avoid losing your session during the firewall setup, we recommend logging in directly on the console. (The procedure can nevertheless be done over ssh, which stays open once the firewall is enabled.)
If your VIOS is at 3.1.4.10 or later, you can jump directly to the chapter "Quick firewall setup for VIOS 3.1.4.10".
Note: If your firewall is already configured with rules of your own, do not use the "-reload" option. "-reload" restores the default VIOS firewall settings and overrides your rules.
Note: The "allow" rules below apply to all interfaces and accept any remote address (shown as 0.0.0.0 in "viosecure -firewall view"). If your security policy requires it, "viosecure -firewall allow" also accepts "-interface" and "-address" to restrict a rule to a given interface or remote IP address; repeat the rule for each cluster node address.
1 - Stop the cluster on the node where you want to enable the firewall:
$ clstartstop -stop -m <local node>
2 - Enable the default VIOS firewall rules as a starting point (they already include the RMC port, 657/tcp):
$ viosecure -firewall on -reload
3 - Add the CAA-related ports to the allowed list:
$ viosecure -firewall allow -port 6181
$ viosecure -firewall allow -port 6181 -remote
$ viosecure -firewall allow -port 16191
$ viosecure -firewall allow -port 16191 -remote
$ viosecure -firewall allow -port 42112
$ viosecure -firewall allow -port 42112 -remote
4 - Add the poolfs port to the allowed list:
$ viosecure -firewall allow -port 3192
$ viosecure -firewall allow -port 3192 -remote
5 - Add the SSP database port(s) to the allowed list:
a. If the SSP DB is SolidDB :
$ viosecure -firewall allow -port 3801
$ viosecure -firewall allow -port 3801 -remote
--- OR ---
b. If the SSP DB is PostgreSQL :
$ viosecure -firewall allow -port 6080
$ viosecure -firewall allow -port 6080 -remote
$ viosecure -firewall allow -port 6090
$ viosecure -firewall allow -port 6090 -remote
6 - From oem_setup_env, add the ICMP echo request and echo reply rules (both rules below match any source and destination, since "-s"/"-d" and their masks "-m"/"-M" are 0.0.0.0; narrow these arguments to the cluster network if you want ICMP restricted to it):
$ oem_setup_env
# /usr/sbin/genfilt -v 4 -n 16 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g n -c icmp -o eq -p 0 -O any -P 0 -r L -w I -l N -t 0 -i all -D echo_reply
# /usr/sbin/genfilt -v 4 -n 16 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g n -c icmp -o eq -p 8 -O any -P 0 -r L -w I -l N -t 0 -i all -D echo_request
# exit
7 - Stop and restart the firewall so the ICMP rules take effect:
$ viosecure -firewall off
$ viosecure -firewall on
8 - Check that the firewall settings are correct:
$ viosecure -firewall view
→ The output must list the following:
IPv4 Firewall ON
ALLOWED PORTS
Local Remote
Interface Port Port Service IPAddress Expiration Time(seconds)
--------- ---- ---- ------- --------- ---------------
all any 3801 solid 0.0.0.0 0
all 3801 any solid 0.0.0.0 0
all any 3192 firemonrcc 0.0.0.0 0
all 3192 any firemonrcc 0.0.0.0 0
all any 42112 firemonrcc 0.0.0.0 0
all 42112 any firemonrcc 0.0.0.0 0
all any 16191 clcomd_caa 0.0.0.0 0
all 16191 any clcomd_caa 0.0.0.0 0
all any 6181 caa_cfg 0.0.0.0 0
all 6181 any caa_cfg 0.0.0.0 0
all any 657 rmc 0.0.0.0 0
all 657 any rmc 0.0.0.0 0
If the database is PostgreSQL, the two "solid" lines are replaced by these four:
ALLOWED PORTS
Local Remote
Interface Port Port Service IPAddress Expiration Time(seconds)
--------- ---- ---- ------- --------- ---------------
all any 6090 0.0.0.0 0
all 6090 any 0.0.0.0 0
all any 6080 0.0.0.0 0
all 6080 any 0.0.0.0 0
9 - Restart the cluster on this node:
$ clstartstop -start -m <local node>
Wait a few minutes, then make sure the SSP is working as expected by checking its status:
$ cluster -status
All nodes should show a node status and pool status of "OK".
Once the cluster is back online and healthy, repeat the same procedure on the other nodes, one node at a time.
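As an added check for step 8 (this helper is not part of the IBM technote), the following POSIX shell function takes the text of "viosecure -firewall view" and confirms that the firewall is reported ON and that every SSP port appears in both directions: once with the port in the Local Port column (the rule added with "-port N") and once in the Remote Port column (the rule added with "-port N -remote"). The two listings embedded below are constructed for the example, not captured from a VIOS; the function names, the "solid"/"postgres" selector and the "local:"/"remote:" output tokens are this example's own choices.

```shell
#!/bin/sh
# Added verification helper (not from the technote): parse the output of
# "viosecure -firewall view" and report any SSP port that lacks a local-side
# ("all <port> any") or remote-side ("all any <port>") ALLOWED entry.

# Ports the technote requires, by SSP database type.
ssp_ports() {
  case "$1" in
    solid)    echo "657 6181 16191 42112 3192 3801" ;;
    postgres) echo "657 6181 16191 42112 3192 6080 6090" ;;
    *)        echo "unknown DB type: $1" >&2; return 2 ;;
  esac
}

# check_view <solid|postgres> "<view output>"
# Prints one token per missing item (e.g. "remote:6090", "firewall:off") and
# returns 1 if anything is missing; prints nothing and returns 0 when complete.
check_view() {
  db="$1"; view="$2"; missing=""
  ports=$(ssp_ports "$db") || return 2
  printf '%s\n' "$view" | grep -q '^IPv4 Firewall ON' || missing="firewall:off"
  for p in $ports; do
    # Local Port column == p  -> rule created by "viosecure -firewall allow -port p"
    printf '%s\n' "$view" | grep -Eq "^all[[:space:]]+$p[[:space:]]+any([[:space:]]|\$)" \
      || missing="$missing local:$p"
    # Remote Port column == p -> rule created by "... -port p -remote"
    printf '%s\n' "$view" | grep -Eq "^all[[:space:]]+any[[:space:]]+$p([[:space:]]|\$)" \
      || missing="$missing remote:$p"
  done
  missing=${missing# }
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Constructed sample: a complete PostgreSQL-era listing (header abridged).
SAMPLE_OK='IPv4 Firewall ON
ALLOWED PORTS
Interface Port Port Service IPAddress Expiration Time(seconds)
all any 6090 0.0.0.0 0
all 6090 any 0.0.0.0 0
all any 6080 0.0.0.0 0
all 6080 any 0.0.0.0 0
all any 3192 firemonrcc 0.0.0.0 0
all 3192 any firemonrcc 0.0.0.0 0
all any 42112 firemonrcc 0.0.0.0 0
all 42112 any firemonrcc 0.0.0.0 0
all any 16191 clcomd_caa 0.0.0.0 0
all 16191 any clcomd_caa 0.0.0.0 0
all any 6181 caa_cfg 0.0.0.0 0
all 6181 any caa_cfg 0.0.0.0 0
all any 657 rmc 0.0.0.0 0
all 657 any rmc 0.0.0.0 0'

# Constructed sample: the same listing with the "-remote" rule for 6090 forgotten.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" | grep -v '^all any 6090 ')

# Demo run. On a real node (as padmin) use:
#   check_view postgres "$(viosecure -firewall view)"
check_view postgres "$SAMPLE_OK" && echo "SSP port list complete"
check_view postgres "$SAMPLE_BAD" || echo "add the missing rule(s) before restarting the cluster"
```

Run the check on each node before step 9; a "firewall:off" token means the firewall was not re-enabled after step 7, and a "local:" or "remote:" token names the exact "viosecure -firewall allow" rule that is missing.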
Quick firewall setup for VIOS 3.1.4.10
Starting with VIOS 3.1.4.10, an updated viosecure command reads its list of ports from a configuration file, which simplifies the firewall setup.
1. Edit the default configuration file "/home/ios/security/viosecure.ctl" (root shell, via oem_setup_env) to add the SSP-related ports to the list of open ports:
# vi /home/ios/security/viosecure.ctl
Remove the "#" at the beginning of the following lines:
#16191 Both clcomd_caa
#42112 Both caa_heartbeat
#3192 Both firemonrcc
#6080 Both postgres_db1
#6090 Both postgres_db2
Save the file.
2. Stop the cluster on this node:
$ clstartstop -stop -m <local node>
3. Enable the firewall with the "-reload" option (add "-icmp" as well, since the SSP cluster also needs ping to work):
$ viosecure -firewall on -reload -icmp
The "-reload" option enables every port listed in the configuration file, which now includes the SSP-related ports. Confirm with "viosecure -firewall view" that the listing matches the one expected in step 8 of the previous chapter (including 6181 and 657) before going further.
4. Restart the SSP cluster:
$ clstartstop -start -m <local node>
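Step 1 above can be done non-interactively, which is convenient when the same edit has to be repeated on every node of the cluster. The shell snippet below is an added example, not part of the technote: it uncomments exactly the five SSP entries in a copy of viosecure.ctl and then reports which of them are active. It assumes the entry format shown above ("#<port> Both <name>"); the sample file content is constructed, and the two function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the technote): enable the SSP entries in a
# viosecure.ctl-style file without an interactive editor, then verify them.
# Assumed line format, taken from the technote: "#<port> Both <name>".

SSP_PORTS="16191 42112 3192 6080 6090"

# enable_ssp_ports FILE: strip the leading "#" from each SSP entry, in place.
# Only lines that start with "#<port><whitespace>" are touched, so ordinary
# comment text (e.g. "# 6090 ...") is left alone. Safe to run more than once.
enable_ssp_ports() {
  f="$1"
  for p in $SSP_PORTS; do
    sed "s/^#\($p[[:space:]]\)/\1/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# active_ssp_ports FILE: print the SSP ports that are uncommented, one per line.
active_ssp_ports() {
  for p in $SSP_PORTS; do
    grep -Eq "^$p[[:space:]]" "$1" && echo "$p"
  done
  return 0
}

# Demo on a constructed copy. On a real node run enable_ssp_ports against
# /home/ios/security/viosecure.ctl from oem_setup_env, then "viosecure -firewall on -reload -icmp".
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
#16191 Both clcomd_caa
#42112 Both caa_heartbeat
#3192 Both firemonrcc
#6080 Both postgres_db1
#6090 Both postgres_db2
# 6090 mentioned in a comment stays a comment
EOF
enable_ssp_ports "$tmp"
echo "active SSP entries:"
active_ssp_ports "$tmp"
rm -f "$tmp"
```

Because the sed expression anchors on "#<port>" followed by whitespace, running the function a second time is a no-op, so it can be part of a per-node script without first checking the file state.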
How can I move back to an SSP cluster with no firewall?
If you run into problems and a node does not come back online after a few minutes, or if you simply want to return to a VIOS without a firewall, remove the firewall setup as follows:
1 - Stop the cluster on this node :
$ clstartstop -stop -m <local node>
2 - Stop the firewall on this node :
$ viosecure -firewall off
3 - Remove all IPv4 firewall rules from oem_setup_env:
$ oem_setup_env
# rmfilt -v 4 -n all
4 - Start the cluster again :
$ clstartstop -start -m <local node>
$ cluster -status
Wait for the node to rejoin the cluster with state "OK"; once it is healthy, proceed with the next node.
After a few minutes all nodes should be back in the "OK" state, since no firewall is configured any more.
Document Information
Modified date: 13 March 2023
UID: isg3T1026388