The LifeKeeper DataKeeper Recovery Kit can work with a firewall in place on the same server if you address the following network access requirements.

When using the DataKeeper Recovery Kit, the firewall should be configured to allow access to any of the ports used by nbd for replication. The ports used by nbd can be calculated using the following formula:

10001 + <nbd number> + <256 * i>

where i starts at zero and is incremented until the formula yields a port number that is not in use. A port counts as in use if it is defined in /etc/services, appears in the output of netstat -an --inet --inet6, or is already assigned to another DataKeeper resource.

Example: If the nbd number for the DataKeeper resource is 0, then the formula would initially calculate the port to use as 10001, but that number is defined in /etc/services on some Linux distributions as the SCP Configuration port. In this case, i is incremented by 1 resulting in Port Number 10257, which is not in /etc/services on these Linux distributions.
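The calculation above, worked through as an added example (this is not LifeKeeper's own code) to predict which port the firewall must allow. The sample /etc/services and netstat text is constructed, and the set of ports held by other DataKeeper resources is a hypothetical value supplied by the caller.

```python
import re

BASE_PORT, STEP = 10001, 256  # constants from the formula above

# Constructed sample inputs (not taken from a real host).
SAMPLE_SERVICES = """\
ssh             22/tcp
scp-config      10001/tcp    # SCP Configuration
scp-config      10001/udp
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN
tcp6       0      0 :::10002         :::*             LISTEN
"""

def ports_from_services(text):
    """Port numbers defined in /etc/services-style text."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"\S+\s+(\d+)/\w+", line.split("#", 1)[0])
        if m:
            ports.add(int(m.group(1)))
    return ports

def ports_from_netstat(text):
    """Local ports listed by `netstat -an --inet --inet6`."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith(("tcp", "udp")):
            port = fields[3].rsplit(":", 1)[-1]  # works for IPv4 and ":::22"
            if port.isdigit():
                ports.add(int(port))
    return ports

def nbd_port(nbd_number, in_use):
    """First 10001 + nbd_number + 256*i that is not in `in_use`."""
    i = 0
    while BASE_PORT + nbd_number + STEP * i <= 65535:
        port = BASE_PORT + nbd_number + STEP * i
        if port not in in_use:
            return port
        i += 1
    raise ValueError("no free port in range for nbd number %d" % nbd_number)

if __name__ == "__main__":
    other_resources = {10258}  # hypothetical: ports held by other DataKeeper resources
    busy = ports_from_services(SAMPLE_SERVICES) | ports_from_netstat(SAMPLE_NETSTAT) | other_resources
    for n in (0, 1):
        print("nbd number %d -> port %d" % (n, nbd_port(n, busy)))
```

Because the result depends on what is in use on each server at the time the resource is created, confirm the port actually assigned before narrowing the firewall rule to a single port.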

Firewall Settings for ICMP

DataKeeper uses ICMP (Internet Control Message Protocol) Echo Request/Reply to verify the “aliveness” of the target. The firewall on each server should be configured to allow the following types of network activity.

| Packet Type | From IP Addresses | To IP Addresses |
|---|---|---|
| Outgoing ICMP Echo Request | All local nodes IP addresses including Virtual IP addresses | All remote nodes IP addresses used for replication |
| Incoming ICMP Echo Request | All remote nodes IP addresses including Virtual IP addresses | Local nodes IP address used for replication |
| Outgoing ICMP Echo Reply | Local nodes IP address used for replication | All remote nodes IP addresses including Virtual IP addresses |
| Incoming ICMP Echo Reply | All remote nodes IP addresses used for replication | All local nodes IP addresses including Virtual IP addresses |
