On 24.07.2013 13:11, Nux! wrote:
> On 24.07.2013 08:50, Nux! wrote:
>> Hi,
>> Can someone help with this? I need to set up a firewall around a
>> gluster (3.4) setup and I wouldn't like my clients to become peers.
>> :)
>> So the ports I'd need to watch for would be:
>> management traffic (aka `gluster peer` operations etc) - 24007/tcp,
>> 24008/tcp, 24009+/tcp (for the bricks)
>> client traffic (so clients can mount & use the volume, but not become
>> peers) - ???
>> nfs traffic - 111/udp, 111/tcp & 38465-38468/tcp
>
> Just noticed 24009 needs to be open for the NFS to work (doh!).
> I'm still waiting for clarifications on which ports I need to open in
> order to allow client mounts, but not "peer" requests.

Thanks to JoeJulian on IRC for explaining it to me; it turns out there's no
separation that would allow port-based restriction.
So, in theory, if a client can connect and mount a volume it can also
issue "peer" commands; however - luckily - once a glusterfs deployment
is set up, an external node is not authorised to become a peer. For "peer
probe" to work it needs to be initialised by an existing node.
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
_______________________________________________
Gluster-users mailing list
[email protected]
http://supercolony.gluster.org/mailman/listinfo/gluster-users
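
Since the thread concludes that client and peer traffic share the same ports, a firewall here can only limit which source networks reach those ports. The following is an added example, not part of the original post: a hypothetical helper `gluster_rules` that prints iptables rules for the ports listed above, where the trusted networks, the brick count and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that expose the GlusterFS
# ports named in the post only to trusted source networks.
#
# gluster_rules TRUSTED_CIDRS BRICK_COUNT [BRICK_BASE]
#   TRUSTED_CIDRS  space-separated networks of peers and clients (assumption)
#   BRICK_COUNT    bricks on this server; one TCP port per brick
#   BRICK_BASE     first brick port; defaults to 24009 as given in the post.
#                  Check the ports your bricks really use with
#                  `gluster volume status` and pass the base explicitly.
gluster_rules() {
    cidrs=$1
    bricks=$2
    base=${3:-24009}
    case $bricks in
        ''|*[!0-9]*|0) echo "brick count must be a number >= 1" >&2; return 1 ;;
    esac
    last=$((base + bricks - 1))
    for src in $cidrs; do
        # Management (24007-24008) plus the brick range: needed by peers and
        # by native clients alike, so both kinds of host go in TRUSTED_CIDRS.
        echo "-A INPUT -p tcp -s $src -m multiport --dports 24007:24008,$base:$last -j ACCEPT"
        # NFS: portmapper on tcp and udp, gluster NFS on 38465-38468/tcp.
        echo "-A INPUT -p tcp -s $src -m multiport --dports 111,38465:38468 -j ACCEPT"
        echo "-A INPUT -p udp -s $src --dport 111 -j ACCEPT"
    done
    # Any other source is dropped on exactly these ports.
    echo "-A INPUT -p tcp -m multiport --dports 24007:24008,$base:$last,111,38465:38468 -j DROP"
    echo "-A INPUT -p udp --dport 111 -j DROP"
}

# Constructed sample: one storage/client subnet, two bricks on this server.
gluster_rules "192.0.2.0/24" 2
```

The printed lines can be reviewed and then placed in the filter table of an `iptables-restore` file.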