LifeKeeper for Linux can work with a firewall in place on the same server if you address the following network access requirements.
Note: If you wish to simply disable your firewall, see Disabling a Firewall below.
Communication paths are established between pairs of servers within the LifeKeeper cluster using specific IP addresses. Although TCP Port 7365 is used by default on the remote side of each connection as it is being created, the TCP port on the initiating side of the connection is arbitrary. The recommended approach is to configure the firewall on each LifeKeeper server to allow both incoming and outgoing traffic for each specific pair of local and remote IP addresses in the communication paths known to that system.
The LifeKeeper GUI uses a number of specific TCP ports, including Ports 81 and 82 as the default initial connection ports. The GUI also uses Remote Method Invocation (RMI), which uses Ports 1024 and above to send and receive objects. All of these ports must be open in the firewall on each LifeKeeper server to at least those external systems on which the GUI client will be run.
The firewall should be configured to allow access to any IP address resources in your LifeKeeper hierarchies from those client systems that need to access the application associated with the IP address. Remember that the IP address resource can move from one server to another in the LifeKeeper cluster; therefore, the firewalls on all of the LifeKeeper servers must be configured properly.
LifeKeeper also uses a broadcast ping test to periodically check the health of an IP address resource. This test involves sending a broadcast ping packet from the virtual IP address and waiting for the first response from any other system on the local subnet. To prevent this test from failing, the firewall on each LifeKeeper server should be configured to allow the following types of network activity.
Outgoing Internet Control Message Protocol (ICMP) packets from the virtual IP address (so that the active LifeKeeper server can send broadcast pings)
Incoming ICMP packets from the virtual IP address (so that other LifeKeeper servers can receive broadcast pings)
Outgoing ICMP reply packets from any local address (so that other LifeKeeper servers can respond to broadcast pings)
Incoming ICMP reply packets to the virtual IP address (so that the active LifeKeeper server can receive broadcast ping replies)
When using LifeKeeper Data Replication, the firewall should be configured to allow access to any of the ports used by nbd for replication. The ports used by nbd can be calculated using the following formula:
10001 + <mirror number> + <256 * i>
where i starts at zero and is incremented until the formula yields a port number that is not in use. A port counts as "in use" if it is defined in /etc/services, appears in the output of netstat -an --inet, or is already assigned to another LifeKeeper Data Replication resource.
For example: If the mirror number for the LifeKeeper Data Replication resource is 0, then the formula would initially calculate the port to use as 10001, but that number is defined in /etc/services on some Linux distributions as the SCP Configuration port. In this case, i is incremented by 1 resulting in Port Number 10257, which is not in /etc/services on these Linux distributions.
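As an added example (not SIOS code), the Python below applies this port-selection rule to constructed excerpts of /etc/services and netstat -an --inet output; the parsing helpers, the pick_ports routine and the sample data are assumptions, and ports already handed to an earlier mirror are treated as in use, as the text describes.

```python
import re
BASE_PORT, STRIDE = 10001, 256  # candidate port = BASE_PORT + mirror + STRIDE * i
# Constructed excerpt in /etc/services format: 10001 is registered (SCP Configuration).
SAMPLE_SERVICES = """\
# service-name  port/protocol  [aliases]
ssh             22/tcp
scp-config      10001/tcp               # SCP Configuration
scp-config      10001/udp
"""
# Constructed excerpt in `netstat -an --inet` format (LifeKeeper comm path on 7365).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7365            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10002           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:10258          10.0.0.2:40112          ESTABLISHED
"""

def ports_from_services(text):
    """Ports defined in /etc/services ('name port/proto' lines; comments ignored)."""
    return {int(m.group(1)) for m in re.finditer(r"^\S+\s+(\d+)/(?:tcp|udp)", text, re.M)}

def ports_from_netstat(text):
    """Local ports in `netstat -an --inet` output: the number after the last ':'."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) > 3 and fields[0] in ("tcp", "udp"):
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def nbd_port(mirror_number, in_use):
    """Smallest i such that BASE_PORT + mirror + STRIDE*i is free; returns (port, i)."""
    i = 0
    while True:
        port = BASE_PORT + mirror_number + STRIDE * i
        if port not in in_use:
            return port, i
        i += 1

def pick_ports(mirror_numbers, services_text, netstat_text):
    """Assign a port to each mirror; ports taken by earlier mirrors count as in use."""
    in_use = ports_from_services(services_text) | ports_from_netstat(netstat_text)
    assigned = {}
    for m in mirror_numbers:
        port, _ = nbd_port(m, in_use)
        assigned[m] = port
        in_use.add(port)  # another LKDR resource now owns this port
    return assigned
```

With the sample data, mirror 0 skips 10001 (in /etc/services) and lands on 10257, exactly the case walked through above; mirror 1 skips 10002 and 10258 (both in the netstat output) and gets 10514.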
If you wish to disable your firewall, then do the following:
Stop the firewall using one of the following commands, depending upon your firewall package:
/etc/init.d/ipchains stop or
If operating in an IPv6 environment, be sure to account for
If running SuSE Linux Enterprise Server
Either remove the package (using rpm -e) or disable its startup using one of the following commands, depending upon your firewall package:
/sbin/chkconfig --del ipchains or
/sbin/chkconfig --del iptables
/sbin/chkconfig --del ip6tables
If running SuSE Linux Enterprise Server, you must manage SuSEfirewall2 configuration settings.
© 2012 SIOS Technology Corp., the industry's leading provider of business continuity solutions, data replication for continuous data protection.