On Tue, May 29, 2018 at 9:13 AM Philip Lowman <plow...@workforcesoftware.com> wrote:

> Patrick,
>
> Thanks for clarifying. Turns out I did the config right from the get-go,
> just got momentarily confused by all of the port numbers. :)
>

No problem. Thanks for passing on the firewall details and sharing with the others.

Regards,

Patrick

> ===
>
> For anyone who's running CentOS/RHEL boxes, here's what we used for a
> 3-node ZooKeeper cluster with static IPs, to limit access to the election &
> quorum ports only to the cluster members (if using 2888 & 3888).
>
> # Open the firewall for Zookeeper (client port, open to all)
> sudo firewall-cmd --zone=public --add-port=2181/tcp --permanent
>
> # Open up the ZooKeeper cluster (2888) & election (3888) ports to each other:
> # resolve each ensemble member's address and allow only those sources
> for server in "$ZOOKEEPER_SERVER1" "$ZOOKEEPER_SERVER2" "$ZOOKEEPER_SERVER3"; do
>     ip=$(dig +short "$server")
>     for port in 2888 3888; do
>         sudo firewall-cmd --permanent --zone=public --add-rich-rule="
>             rule family=\"ipv4\"
>             source address=\"$ip/32\"
>             port protocol=\"tcp\" port=\"$port\" accept"
>     done
> done
>
> # Restart the firewall so the changes take effect
> sudo firewall-cmd --reload
>
> Philip Lowman
> Sr. Software Security Engineer
> WorkForce Software | 38705 Seven Mile Road, Livonia, MI 48152
> T: +1 734-742-3610 | E: plow...@workforcesoftware.com
>
> On May 26, 2018, at 2:45 PM, Patrick Hunt <ph...@apache.org> wrote:
>
> On Fri, May 25, 2018 at 8:38 AM Philip Lowman <plow...@workforcesoftware.com> wrote:
>
>> Hello,
>>
>> In regards to the CVE-2018-8012 advisory
>> <https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E>
>> posted on Monday, it contains the following statement: "Alternatively ensure
>> the ensemble election/quorum communication is protected by a firewall as
>> this will mitigate the issue".
>>
>> I just wanted to ask (or hopefully just confirm), does this communication
>> *exclusively* travel over the "leader election port"?
>>
>> In example configuration files the leader election port (see server.x in
>> the docs <http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_configuration>)
>> is typically defined to be port 3888.
>>
>> server.1=zoo1:2888:3888
>> server.2=zoo2:2888:3888
>> server.3=zoo3:2888:3888
>>
> Hi Philip,
>
> The firewall would need to protect both the election and quorum ports -
> those are the two numbers at the end of the server.# configuration
> parameters. See
>
> http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_clusterOptions
>
> for more details on that config option.
>
> Patrick
>
>> Thanks
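The script in the thread hard-codes 2888 and 3888 and three server variables. As an added example (not from the thread or the ZooKeeper project), the following POSIX shell script derives the peer allow-list from the ensemble's own zoo.cfg: it parses every `server.N=host:quorumPort:electionPort` line (including the `:observer` role and the 3.5+ `;clientPort` suffix) and prints one firewalld rich rule per member and port. It assumes zone `public`, IPv4 addresses, and that hostnames resolve through `getent`; the sample zoo.cfg is constructed for illustration. The client port (2181) is left out on purpose, since that rule is not peer-specific.

```shell
#!/bin/sh
# Added example (not from the thread): emit firewalld rich rules for the
# ZooKeeper quorum and election ports by parsing the server.N lines of a
# zoo.cfg, so the per-peer port numbers come from the ensemble's actual
# configuration instead of being assumed to be 2888/3888.
#
# Assumptions: firewalld zone "public"; IPv4 only; hostnames (if used)
# resolve via getent(1). Commands are printed, not run; pipe to sh to apply.

# Resolve a server host to an IPv4 address. IPv4 literals pass through
# unchanged, so no lookup is needed for a static-IP ensemble.
zk_resolve() {
    case "$1" in
        *[!0-9.]*) getent hosts "$1" | awk '{ print $1; exit }' ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Read a zoo.cfg on stdin and print one firewall-cmd per (peer, port).
# Handles "server.N=host:quorum:election", an optional ":observer" role
# and the 3.5+ ";clientPort" suffix.
zk_peer_rules() {
    sed -n 's/^server\.[0-9][0-9]*=//p' | while IFS= read -r spec; do
        spec=${spec%%;*}             # drop ";clientPort" if present
        host=${spec%%:*}
        rest=${spec#*:}
        qport=${rest%%:*}            # quorum (follower -> leader) port
        rest=${rest#*:}
        eport=${rest%%:*}            # election port; drops ":observer"
        ip=$(zk_resolve "$host")
        if [ -z "$ip" ]; then
            printf 'skipping %s: unresolvable\n' "$host" >&2
            continue
        fi
        for port in "$qport" "$eport"; do
            printf "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"%s/32\" port protocol=\"tcp\" port=\"%s\" accept'\n" "$ip" "$port"
        done
    done
}

# Constructed sample zoo.cfg for a 3-node ensemble (not a real deployment);
# server.3 uses non-default ports and the ";clientPort" form.
sample_zoo_cfg() {
    cat <<'EOF'
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
server.1=10.0.0.11:2888:3888
server.2=10.0.0.12:2888:3888
server.3=10.0.0.13:2889:3889;2181
EOF
}

# Demo: print the rules for the sample config. To apply on a real node:
#   zk_peer_rules < /etc/zookeeper/conf/zoo.cfg | sh && firewall-cmd --reload
sample_zoo_cfg | zk_peer_rules
```

Run it once on each ensemble member and compare the printed rules with `firewall-cmd --zone=public --list-rich-rules`; any peer or port missing from the live rule set is a gap in the mitigation the advisory describes.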