Firewall configuration
Note
During node operations, the IP addresses of all new nodes are temporarily added to a “trusted” IPset on the installer node so that the nodes can be bootstrapped (Puppet -> SALT).
The first SALT run on new nodes dynamically updates and applies all firewalls throughout the cluster (SALT mine data).
Check the Firewall
Instructions
- The firewall is enabled by default
- To confirm the firewall is running
hsctl config get firewall.enabled
- Now let us check the firewalld process
systemctl status firewalld
Note
The firewalld service is disabled, so what service is running for the firewall?
Instructions
- HyperStore uses cloudian-firewalld so let us check that this process is running
systemctl status cloudian-firewalld
Disabling the Firewall
Note
If you need to disable the firewall, it is not sufficient to just stop the cloudian-firewalld service.
Salt will re-enable the service.
Instructions
- To disable the firewall we must use hsctl
hsctl config set firewall.enabled=False
hsctl config apply firewall
- Once complete, check the status of the cloudian-firewalld service
systemctl status cloudian-firewalld
Enabling the Firewall
Instructions
- To enable the firewall we must also use hsctl
hsctl config set firewall.enabled=True
hsctl config apply firewall
- Once complete, check the status of the cloudian-firewalld service
systemctl status cloudian-firewalld
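The checks above can be combined into one drift check that compares the configured state with the running service. This is an added example, not Cloudian's own tooling; it assumes that `hsctl config get firewall.enabled` prints a value containing True or False, and the function names and exit codes are hypothetical.

```shell
#!/bin/sh
# Added example: flag a mismatch between firewall.enabled and the service state.

# Reduce the configured value to true / false / unknown.
# Assumption: the hsctl output contains the word True or False.
normalize_enabled() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *true*)  echo true ;;
        *false*) echo false ;;
        *)       echo unknown ;;
    esac
}

# assess_firewall CONFIGURED CLOUDIAN_STATE FIREWALLD_STATE
# The two states are the words printed by `systemctl is-active`.
# Exit codes (hypothetical): 0 consistent, 1 drift, 2 stock firewalld active, 3 unreadable.
assess_firewall() {
    enabled=$(normalize_enabled "$1")
    cloudian=$2
    stock=$3
    if [ "$enabled" = unknown ]; then
        echo "UNKNOWN: could not read firewall.enabled"; return 3
    fi
    if [ "$stock" = active ]; then
        echo "WARN: firewalld is active, expected cloudian-firewalld only"; return 2
    fi
    if [ "$enabled" = true ] && [ "$cloudian" != active ]; then
        echo "DRIFT: firewall.enabled=True but cloudian-firewalld is $cloudian"; return 1
    fi
    if [ "$enabled" = false ] && [ "$cloudian" = active ]; then
        echo "DRIFT: firewall.enabled=False but cloudian-firewalld is active"; return 1
    fi
    echo "OK: firewall.enabled=$enabled, cloudian-firewalld is $cloudian"; return 0
}

# Query the live node and assess it.
check_node() {
    configured=$(hsctl config get firewall.enabled 2>/dev/null)
    cloudian=$(systemctl is-active cloudian-firewalld 2>/dev/null)
    stock=$(systemctl is-active firewalld 2>/dev/null)
    assess_firewall "$configured" "$cloudian" "$stock"
}

# Only touch the node when both tools exist; otherwise the functions are just defined.
if command -v hsctl >/dev/null 2>&1 && command -v systemctl >/dev/null 2>&1; then
    check_node
fi
```

A DRIFT result with firewall.enabled=True usually means the service was stopped by hand and Salt has not yet re-enabled it; with firewall.enabled=False it suggests `hsctl config apply firewall` has not been run.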
Firewall changes using cloudianInstall.sh
Instructions
- It is also possible to enable and disable the firewall through the installer menu
- Run cloudianInstall.sh from the cluster staging directory on the Puppet master
- Select Advanced Configuration
- Select Enable/Disable from the menu
- Note that you can also allow or deny specific access to each service
- It is currently not possible to configure custom firewall ports