The method used for IP filtering for the CXFS private network varies by OS platform:
IRIX can use ipfilter or ipfilterd
Linux uses SuSEfirewall2 or iptables (see “Configuring SuSEfirewall2” in Chapter 6)
Note: The SuSEfirewall2 utility silently makes changes to the /proc/sys/net system tunable parameters.
If you use I/O fencing, the configuration must allow communication between the node and the telnet port on the switch. For details about port use, see “CXFS Port Usage” in Chapter 12.
For more information about these utilities, see their documentation.
Following is an example /etc/ipfilterd.conf file for configuring CXFS. Note the following:
There must be an /etc/ipfilterd.conf file configured on each node on which you want to filter IP traffic. The files will be similar except for the first set of lines, which are node-dependent; that is, the lines in the file for NodeA must match the networking interfaces on which the network traffic may pass for NodeA.
The systune variable ipfilterd_inactive_behavior must be set to 0, which means that the filter will be disabled as soon as ipfilterd is terminated using the killall command.
The ipfilterd argument to chkconfig must be turned on for each node where ipfilterd will run. For example:
NodeA# chkconfig ipfilterd on
If any network interface name is changed on a system, you must update the /etc/ipfilterd.conf file to include the change in the appropriate accept line. That is:
accept -i changed_or_new_interface
For debugging purposes, each dropped packet will log a message similar to the following in the syslog file:
May 24 16:44:44 5A:rodin unix: NOTICE: ipfilter(cache) - packet dropped: 10.1.1.5 SPT=137 DPT=137 UDP
If you want to disable the filtering, such as in the case where it is blocking wanted traffic, do the following:
Kill the ipfilterd daemon:
NodeA# killall ipfilterd
Turn off the ipfilterd argument to chkconfig:
NodeA# chkconfig ipfilterd off
Following is a sample file for NodeA:
NodeA# cat ipfilterd.conf
#
# ipfilterd.conf for NodeA
#
#
# Filters follow:
#
# Do not restrict traffic on any of the interfaces for NodeA,
# except from ef1 (CXFS private network)
#
accept -i lo0
accept -i ef0
accept -i eg0
accept -i eg1
accept -i lb0
#
# Restrict access over the CXFS private network
# Interface ef1
#
# Accept any fragment, reassembly won't work if first fragment filtered out.
accept -i ef1 ip.off>0
# CXFS is using RPC, need portmapper.
accept -i ef1 udp.port 111
accept -i ef1 tcp.port 111
# fs2d daemon is dynamically assigning ports in range 600-1023.
# We need port definition (sport + dport for both directions).
accept -i ef1 tcp.sport>=600 and tcp.sport<=1023
accept -i ef1 tcp.dport>=600 and tcp.dport<=1023
# sgi-cad defaults to 9000/tcp
accept -i ef1 tcp.port 9000
# sgi-crsd
# Each node opens 7500/udp, both directions needed
accept -i ef1 udp.port 7500
# Uncomment the line below for CXFS client-only node.
# accept -i ef1 udp.port 5449
# CXFS kernel ports 5450-5453
# Connections in both directions so open dport and sport.
accept -i ef1 tcp.port 5450
accept -i ef1 tcp.port 5451
accept -i ef1 udp.port 5452
accept -i ef1 udp.port 5453
# fs2d client are using ports in range 7000-8500
accept -i ef1 tcp.dport>7000
accept -i ef1 udp.dport>7000
# Uncomment the line below for IO fencing only if switches are on CXFS private network
# (ip.src is the switch address)
# accept -i ef1 tcp.sport=23 and ip.src=10.1.1.6
# Let icmp traffic pass, especially 'PORT UNREACHABLE ICMP packet'
accept -i ef1 icmp
# Reject the rest (-l will log any rejected packet to the SYSLOG)
reject -i ef1 -l
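As an added example that is not part of the manual, the following Python model of the ipfilterd.conf syntax above parses the rule lines and returns the verdict of the first matching rule for a packet summary, so you can check before enabling the filter that the CXFS flows pass the ef1 rules and that, for instance, the 137/udp packet from the syslog message is rejected. The packet fields, the pkt helper and the accept-by-default behaviour when no rule matches are assumptions of this model, not documented ipfilterd behaviour.

```python
import re
# Constructed excerpt of the NodeA file above; the I/O fencing line is enabled
# here (it is commented out on the page) so that the ip.src match is exercised.
RULES = """\
accept -i ef0
accept -i ef1 ip.off>0
accept -i ef1 udp.port 111
accept -i ef1 tcp.port 111
accept -i ef1 tcp.sport>=600 and tcp.sport<=1023
accept -i ef1 tcp.dport>=600 and tcp.dport<=1023
accept -i ef1 udp.port 7500
accept -i ef1 tcp.dport>7000
accept -i ef1 tcp.sport=23 and ip.src=10.1.1.6
accept -i ef1 icmp
reject -i ef1 -l
"""
_COND = re.compile(r"([\w.]+?)(>=|<=|>|=)(\S+)")   # e.g. tcp.sport>=600
_OPS = {">=": int.__ge__, "<=": int.__le__, ">": int.__gt__, "=": lambda a, b: a == b}

def parse_rules(text):
    """Return [(action, iface, [(name, op, value), ...])]; op None = bare keyword."""
    rules = []
    for line in text.splitlines():
        # "udp.port 111" is shorthand for "udp.port=111" (either port equals 111)
        toks = re.sub(r"\.port\s+(\d+)", r".port=\1", line.split("#", 1)[0]).split()
        if toks:
            iface = toks[toks.index("-i") + 1] if "-i" in toks else None
            conds = [m.groups() if (m := _COND.fullmatch(t)) else (t, None, None)
                     for t in toks[1:] if t not in ("-i", iface, "-l", "and")]
            rules.append((toks[0], iface, conds))
    return rules

def _cond_ok(name, op, val, pkt):
    if op is None:                          # bare protocol keyword such as "icmp"
        return pkt["proto"] == name
    head, field = name.split(".")
    if head != "ip":                        # tcp.*/udp.* conditions match only that protocol
        if pkt["proto"] != head:
            return False
        if field == "port":
            return int(val) in (pkt["sport"], pkt["dport"])
    actual = pkt[field]                     # ip.off, ip.src, sport or dport
    return _OPS[op](actual, int(val) if isinstance(actual, int) else val)

def verdict(rules, pkt):
    # First matching rule wins; assumed (model) default when nothing matches: accept.
    for action, iface, conds in rules:
        if iface in (None, pkt["iface"]) and all(_cond_ok(*c, pkt) for c in conds):
            return action
    return "accept"

def pkt(proto, sport=0, dport=0, iface="ef1", off=0, src="10.1.1.5"):
    # Constructed packet summary; off=0 means first or only fragment.
    return dict(proto=proto, sport=sport, dport=dport, iface=iface, off=off, src=src)
```

Note that the fs2d client rule as written uses `>7000`, so a connection to port 7000 itself is rejected while 7001 is accepted.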