LifeKeeper for Linux can work with a firewall in place on the same server if you address the following network access requirements.
LifeKeeper Communication Paths
Communication paths are established between pairs of servers within the LifeKeeper cluster using specific IP addresses. Although TCP Port 7365 is used by default on the remote side of each connection as it is being created, the TCP port on the initiating side of the connection is arbitrary. The recommended approach is to configure the firewall on each LifeKeeper server to allow both incoming and outgoing traffic for each specific pair of local and remote IP addresses in the communication paths known to that system.
LifeKeeper GUI Connections
The LifeKeeper GUI uses a number of specific TCP ports, including Ports 81 and 82 as the default initial connection ports. The GUI also uses Remote Method Invocation (RMI), which uses Ports 1024 and above to send and receive objects. All of these ports must be open in the firewall on each LifeKeeper server to the external systems on which the GUI client will be run. Because the RMI range is wide, restrict these rules to those specific client systems rather than opening the ports to every source.
LifeKeeper IP Address Resources
The firewall should be configured to allow access to any IP address resources in your LifeKeeper hierarchies from those client systems that need to access the application associated with the IP address. Remember that the IP address resource can move from one server to another in the LifeKeeper cluster; therefore, the firewalls on all of the LifeKeeper servers must be configured properly.
LifeKeeper also uses a broadcast ping test to periodically check the health of an IP address resource. This test involves sending a broadcast ping packet from the virtual IP address and waiting for the first response from any other system on the local subnet. To prevent this test from failing, the firewall on each LifeKeeper server should be configured to allow the following types of network activity.
- Outgoing Internet Control Message Protocol (ICMP) packets from the virtual IP address (so that the active LifeKeeper server can send broadcast pings)
- Incoming ICMP packets from the virtual IP address (so that other LifeKeeper servers can receive broadcast pings)
- Outgoing ICMP reply packets from any local address (so that other LifeKeeper servers can respond to broadcast pings)
- Incoming ICMP reply packets to the virtual IP address (so that the active LifeKeeper server can receive broadcast ping replies)
LifeKeeper Data Replication
When using LifeKeeper Data Replication, the firewall should be configured to allow access to the ports used by nbd for replication. The port used for each mirror is calculated with the following formula:
10001 + <mirror number> + <256 * i>
where i starts at zero and is incremented until the formula produces a port number that is not in use. A port is considered in use if it is defined in /etc/services, appears in the output of netstat -an --inet --inet6, or is already in use by another LifeKeeper Data Replication resource.
For example: if the mirror number for the LifeKeeper Data Replication resource is 0, the formula initially yields Port 10001, but that number is defined in /etc/services on some Linux distributions as the SCP Configuration port (scp-config). In this case, i is incremented to 1, giving Port 10257, which is not defined in /etc/services on those distributions.
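The port selection rule above, carried through in an added example that is not part of the SIOS documentation or of LifeKeeper itself: a POSIX shell function applies 10001 + mirror + 256 * i against a list of in-use ports, and two helpers extract port numbers from /etc/services-style text and from the output of netstat -an --inet --inet6. The /etc/services and netstat excerpts are constructed sample input so the script runs offline; on a real node you would pipe the actual file and command output through the same helpers. The page does not show how LifeKeeper itself enumerates in-use ports, so this illustrates the stated rule rather than the product's code.

```shell
#!/bin/sh
# Added example, not SIOS code: apply the LifeKeeper Data Replication port rule
#   port = 10001 + <mirror number> + 256 * i
# skipping values that are already in use. The in-use list is passed in as an
# argument so the function can be exercised offline; SAMPLE_SERVICES and
# SAMPLE_NETSTAT below are constructed stand-ins for /etc/services and for the
# output of `netstat -an --inet --inet6` on a cluster node.

# lk_nbd_port MIRROR "PORT PORT ..."  -> prints the first free nbd port
lk_nbd_port() {
    mirror=$1
    # normalise the in-use list to " p1 p2 ... " so exact-token matching works
    # shellcheck disable=SC2086  (unquoted on purpose: split on whitespace)
    in_use=" $(printf '%s ' $2)"
    i=0
    while :; do
        port=$((10001 + mirror + 256 * i))
        if [ "$port" -gt 65535 ]; then
            echo "lk_nbd_port: no free port for mirror $mirror" >&2
            return 1
        fi
        case "$in_use" in
            *" $port "*) i=$((i + 1)) ;;   # taken: try the next 256-step
            *) echo "$port"; return 0 ;;
        esac
    done
}

# ports_from_services: port numbers from /etc/services-style text on stdin
# ("scp-config  10001/tcp  # SCP Configuration" -> 10001)
ports_from_services() {
    sed 's/#.*//' | awk 'NF >= 2 { sub("/.*", "", $2); print $2 }' | sort -un | tr '\n' ' '
}

# ports_from_netstat: local port numbers from `netstat -an --inet --inet6` text
# on stdin; the port is the last colon-separated field of the Local Address
ports_from_netstat() {
    awk '$1 ~ /^(tcp|udp)6?$/ { n = split($4, a, ":"); print a[n] }' | sort -un | tr '\n' ' '
}

# Constructed sample data (not taken from a real system).
SAMPLE_SERVICES='
ndmp            10000/tcp
scp-config      10001/tcp   # SCP Configuration
scp-config      10001/udp
'
SAMPLE_NETSTAT='
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:10257          0.0.0.0:*               LISTEN
tcp6       0      0 :::7365                 :::*                    LISTEN
'

SERVICES_PORTS=$(printf '%s\n' "$SAMPLE_SERVICES" | ports_from_services)
NETSTAT_PORTS=$(printf '%s\n' "$SAMPLE_NETSTAT" | ports_from_netstat)

# mirror 0: 10001 is scp-config, so i becomes 1 and the port is 10257
echo "mirror 0, /etc/services only:   $(lk_nbd_port 0 "$SERVICES_PORTS")"
# mirror 0 again, but 10257 already has a listener, so i becomes 2: 10513
echo "mirror 0, services + netstat:   $(lk_nbd_port 0 "$SERVICES_PORTS $NETSTAT_PORTS")"
# mirror 1 with nothing in use: 10002
echo "mirror 1, nothing in use:       $(lk_nbd_port 1 '')"
```

On a live node, replace the sample variables with `ports_from_services < /etc/services` and `netstat -an --inet --inet6 | ports_from_netstat`, and remember that the firewall must allow the chosen port between the cluster nodes on every server, since the result can differ per mirror and shifts whenever a lower candidate is occupied.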
Other Inter-node Communications
LifeKeeper servers also communicate with each other over an SSL connection on TCP port 778. You can change this port with the configuration variable API_SSL_PORT in /etc/default/LifeKeeper; if you do, open the new port in the firewall on every server in the cluster.
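Putting the requirements above together, as an added example that is not part of the SIOS documentation or of LifeKeeper: a shell script that prints iptables ACCEPT rules for one cluster node covering the communication paths (TCP 7365 per address pair), the GUI ports (81, 82 and the RMI range from the GUI hosts only), client access to an IP address resource, the broadcast ping ICMP traffic, the nbd replication port and the SSL API port. Where the page recommends allowing all traffic between each communication path address pair, this example narrows that to the ports the page names. The addresses, the GUI and application client hosts, the application port 443 and the nbd port 10257 are assumed placeholders; the rules are echoed rather than applied so the script can be reviewed and run without root.

```shell
#!/bin/sh
# Added example, not SIOS code: print iptables rules that cover the LifeKeeper
# firewall requirements on one cluster node. Rules are echoed rather than
# applied, so this runs without root; review the output and then pipe it to sh
# on every node (the IP resource can fail over, so all nodes need the same set).
# All addresses and the application port are constructed placeholders.

LOCAL_IP=10.0.0.5                # this node's communication path address (assumed)
PEER_IPS="10.0.0.6 10.0.0.7"     # communication path partners (assumed)
VIP=10.0.0.100                   # a LifeKeeper IP address resource (assumed)
GUI_CLIENTS="192.0.2.10"         # hosts that run the LifeKeeper GUI client (assumed)
APP_CLIENTS="192.0.2.0/24"       # clients of the application behind the VIP (assumed)
APP_PORT=443                     # the protected application's port (assumed placeholder)
NBD_PORT=10257                   # result of 10001 + <mirror> + 256*i for this mirror
API_SSL_PORT=778                 # default; must match API_SSL_PORT in /etc/default/LifeKeeper

emit() { echo "iptables $*"; }

lk_rules() {
    # Replies to anything accepted below (covers the arbitrary initiating-side
    # port of a communication path and the RMI return traffic).
    emit -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    emit -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    for peer in $PEER_IPS; do
        # Communication paths: TCP 7365 on the remote side, keyed on the exact
        # local/remote address pair, in both directions.
        emit -A INPUT  -p tcp -s "$peer" -d "$LOCAL_IP" --dport 7365 -j ACCEPT
        emit -A OUTPUT -p tcp -s "$LOCAL_IP" -d "$peer" --dport 7365 -j ACCEPT
        # Data Replication (nbd) and the inter-node SSL API, same address pair.
        emit -A INPUT  -p tcp -s "$peer" -d "$LOCAL_IP" --dport "$NBD_PORT" -j ACCEPT
        emit -A OUTPUT -p tcp -s "$LOCAL_IP" -d "$peer" --dport "$NBD_PORT" -j ACCEPT
        emit -A INPUT  -p tcp -s "$peer" -d "$LOCAL_IP" --dport "$API_SSL_PORT" -j ACCEPT
        emit -A OUTPUT -p tcp -s "$LOCAL_IP" -d "$peer" --dport "$API_SSL_PORT" -j ACCEPT
    done

    for client in $GUI_CLIENTS; do
        # GUI: initial connection on 81/82, then RMI on 1024 and above. The RMI
        # range is wide, so it is opened only to the named GUI hosts.
        emit -A INPUT -p tcp -s "$client" --dport 81:82 -j ACCEPT
        emit -A INPUT -p tcp -s "$client" --dport 1024:65535 -j ACCEPT
    done

    for client in $APP_CLIENTS; do
        # Application clients reaching the protected IP address resource.
        emit -A INPUT -p tcp -s "$client" -d "$VIP" --dport "$APP_PORT" -j ACCEPT
    done

    # Broadcast ping health check on the IP resource, one rule per bullet above:
    emit -A OUTPUT -p icmp --icmp-type echo-request -s "$VIP" -j ACCEPT   # active node sends
    emit -A INPUT  -p icmp --icmp-type echo-request -s "$VIP" -j ACCEPT   # other nodes receive
    emit -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT               # any local address replies
    emit -A INPUT  -p icmp --icmp-type echo-reply -d "$VIP" -j ACCEPT     # active node gets replies
}

lk_rules
```

The rules only add ACCEPT entries and assume the default policy for INPUT and OUTPUT is DROP elsewhere in the ruleset. The explicit echo-reply rules overlap with the ESTABLISHED,RELATED rule but keep the health check working even where connection tracking is not used for ICMP. For IPv6 communication paths the same rules are needed through ip6tables, and firewalld users can express each line as a rich rule with the same source, destination and port.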