Firewall configuration
Note
During node operations, the IP addresses of all new nodes are temporarily added to a “trusted” IPset on the installer node so that the nodes can be bootstrapped (Puppet -> SALT).
A first SALT run on new nodes will update and apply all firewalls throughout the cluster dynamically (SALT mine data).
Check The Firewall
Instructions
- The firewall is enabled by default
- To confirm the firewall is running
hsctl config get firewall.enabled
- Now let us check the firewalld process. To make the lines wrap, we need to add --no-pager --full to the command
systemctl status firewalld --no-pager --full
Note
The firewalld service is disabled, so what service is running for the firewall?
Instructions
- HyperStore uses cloudian-firewalld, so let us check that this process is running
systemctl status cloudian-firewalld --no-pager --full
Disabling the Firewall
Note
If you need to disable the firewall, it is not sufficient to just stop the cloudian-firewalld service.
Salt will re-enable the service.
Instructions
- To disable the firewall we must use hsctl
hsctl config set firewall.enabled=False
hsctl config apply firewall
- Once complete, check the status of the cloudian-firewalld service
systemctl status cloudian-firewalld --no-pager --full
Enabling the Firewall
Instructions
- To enable the firewall we must also use hsctl
hsctl config set firewall.enabled=True
hsctl config apply firewall
- Once complete, check the status of the cloudian-firewalld service
systemctl status cloudian-firewalld --no-pager --full
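A consistency check for the enable and disable procedures above, as an added example (not part of the original page or of HyperStore): it compares the setting reported by hsctl with the state of the cloudian-firewalld and firewalld services and reports drift, such as a service stopped by hand that Salt will re-enable. The function name firewall_verdict is hypothetical, and it is an assumption that hsctl config get firewall.enabled prints True or False.

```shell
#!/bin/sh
# Added example, not HyperStore code.
# Assumption: `hsctl config get firewall.enabled` prints True or False
# (possibly with surrounding text); the value is matched case-insensitively.

# firewall_verdict CONFIG_VALUE CLOUDIAN_STATE FIREWALLD_STATE
#   CONFIG_VALUE     output of: hsctl config get firewall.enabled
#   CLOUDIAN_STATE   output of: systemctl is-active cloudian-firewalld
#   FIREWALLD_STATE  output of: systemctl is-active firewalld
# Returns 0 = consistent, 1 = drift, 2 = stock firewalld active, 3 = unparsable.
firewall_verdict() {
    cfg=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$cfg" in
        *true*)  want=on ;;
        *false*) want=off ;;
        *) echo "UNKNOWN: cannot parse firewall.enabled value: $1"; return 3 ;;
    esac
    # The stock firewalld service is expected to be disabled on a node.
    if [ "$3" = "active" ]; then
        echo "UNEXPECTED: stock firewalld is active; expected only cloudian-firewalld"
        return 2
    fi
    if [ "$want" = on ] && [ "$2" = "active" ]; then
        echo "OK: firewall enabled and cloudian-firewalld active"
    elif [ "$want" = off ] && [ "$2" != "active" ]; then
        echo "OK: firewall disabled and cloudian-firewalld not active"
    elif [ "$want" = on ]; then
        # Service stopped outside hsctl: Salt will re-enable it.
        echo "DRIFT: enabled in config but cloudian-firewalld is ${2:-unknown}"
        return 1
    else
        # Setting changed but not applied yet (hsctl config apply firewall).
        echo "DRIFT: disabled in config but cloudian-firewalld is active"
        return 1
    fi
}

# On a node, feed the function with live observations; skipped elsewhere.
if command -v hsctl >/dev/null 2>&1; then
    firewall_verdict "$(hsctl config get firewall.enabled 2>/dev/null)" \
        "$(systemctl is-active cloudian-firewalld 2>/dev/null)" \
        "$(systemctl is-active firewalld 2>/dev/null)"
fi
```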
Firewall changes using cloudianInstall.sh
Instructions
- It is also possible to enable and disable the firewall through the installer menu
- Run cloudianInstall.sh from the cluster staging directory on the Puppet master
- Select Advanced Configuration
- Select s to configure the firewall
- Select a to enable or disable the Cloudian firewall
- Note that you can also allow or deny specific access to each service
- It is currently not possible to configure custom firewall ports