You are here: User Guide > Using LifeKeeper Linux > Maintenance Tasks > Running LifeKeeper With a Firewall

Running LifeKeeper With a Firewall

LifeKeeper for Linux can work with a firewall in place on the same server if you address the following network access requirements.

Note: If you wish to simply disable your firewall, see Disabling a Firewall below.

LifeKeeper Communication Paths

Communication paths are established between pairs of servers within the LifeKeeper cluster using specific IP addresses.  Although TCP Port 7365 is used by default on the remote side of each connection as it is being created, the TCP port on the initiating side of the connection is arbitrary.  The recommended approach is to configure the firewall on each LifeKeeper server to allow both incoming and outgoing traffic for each specific pair of local and remote IP addresses in the communication paths known to that system.

LifeKeeper GUI Connections

The LifeKeeper GUI uses a number of specific TCP ports, including Ports 81 and 82 as the default initial connection ports.  The GUI also uses Remote Method Invocation (RMI), which uses Ports 1024 and above to send and receive objects.  All of these ports must be open in the firewall on each LifeKeeper server to at least those external systems on which the GUI client will be run.

LifeKeeper IP Address Resources

The firewall should be configured to allow access to any IP address resources in your LifeKeeper hierarchies from those client systems that need to access the application associated with the IP address.  Remember that the IP address resource can move from one server to another in the LifeKeeper cluster; therefore, the firewalls on all of the LifeKeeper servers must be configured properly.

LifeKeeper also uses a broadcast ping test to periodically check the health of an IP address resource.  This test involves sending a broadcast ping packet from the virtual IP address and waiting for the first response from any other system on the local subnet.  To prevent this test from failing, the firewall on each LifeKeeper server should be configured to allow the following types of network activity.

LifeKeeper Data Replication

When using LifeKeeper Data Replication, the firewall should be configured to allow access to any of the ports used by nbd for replication.  The ports used by nbd can be calculated using the following formula:

10001 + <mirror number> + <256 * i>

where i starts at zero and is incremented until the formula calculates a port number that is not in use.  In use constitutes any port found defined in /etc/services, found in the output of netstat -an --inet, or already defined as in use by another LifeKeeper Data Replication resource.

For example: If the mirror number for the LifeKeeper Data Replication resource is 0, then the formula would initially calculate the port to use as 10001, but that number is defined in /etc/services on some Linux distributions as the SCP Configuration port.  In this case, i is incremented by 1 resulting in Port Number 10257, which is not in /etc/services on these Linux distributions.

Disabling a Firewall

If you wish to disable your firewall, then do the following:

  1. Stop the firewall using one of the following commands, depending upon your firewall package:

/etc/init.d/ipchains stop or

/etc/init.d/iptables stop

If operating in an IPv6 environment, be sure to account for ip6tables

/etc/init.d/ip6tables stop

If running SuSE Linux Enterprise Server

/etc/init.d/SuSEfirewall2_init stop

/etc/init.d/SuSEfirewall2_setup stop

  1. Either remove the package (using rpm -e) or disable its startup using one of the following commands, depending upon your firewall package:

/sbin/chkconfig --del ipchains or

/sbin/chkconfig --del iptables

/sbin/chkconfig --del ip6tables

If running SuSE Linux Enterprise Server, you must manage SuSEfirewall2 configuration settings.

© 2012 SIOS Technology Corp., the industry's leading provider of business continuity solutions, data replication for continuous data protection.