Appendix B. IP Filtering Example for the CXFS Private Network

This appendix contains an example /etc/ipfilterd.conf file that can be used to provide IP filtering for the CXFS private network.

Note the following: if you want to disable the filtering, for example because it is blocking wanted traffic, do the following:

  1. Kill the ipfilterd daemon:

    nodeA# killall ipfilterd

  2. Turn off the ipfilterd chkconfig flag:

    nodeA# chkconfig ipfilterd off

Following is a sample file for NodeA:

nodeA# cat ipfilterd.conf
#
# ipfilterd.conf for NodeA
#
#
# Filters follow:
#
# Do not restrict traffic on any of the interfaces for NodeA,
# except from ef1 (CXFS heartbeat)
#
accept -i lo0
accept -i ef0
accept -i eg0
accept -i eg1
accept -i lb0

#
# Restrict access over the CXFS heartbeat network
# Interface ef1
#

# Accept any non-first fragment (ip.off>0): it carries no TCP/UDP header for the
# port rules below to match, and reassembly fails if any fragment is filtered out.
accept -i ef1 ip.off>0

# CXFS uses RPC, so the portmapper (port 111) must be reachable.
accept -i ef1 udp.port 111
accept -i ef1 tcp.port 111


# The fs2d daemon dynamically assigns ports in the range 600-1023.
# Both source and destination ports must be allowed so that both directions pass.
accept -i ef1 tcp.sport>=600 and tcp.sport<=1023
accept -i ef1 tcp.dport>=600 and tcp.dport<=1023


# sgi-cad defaults to 5435/tcp
accept -i ef1 tcp.port 5435

# sgi-crsd
# Each node opens 7500/udp; both directions are needed.
accept -i ef1 udp.port 7500

# Uncomment the line below for CXFS client-only node.
# accept -i ef1 udp.port 5449


# CXFS kernel ports 5450-5453
# Connections are made in both directions, so both dport and sport must be open
# (tcp.port/udp.port matches either the source or the destination port).
accept -i ef1 tcp.port 5450
accept -i ef1 tcp.port 5451
accept -i ef1 udp.port 5452
accept -i ef1 udp.port 5453

# fs2d clients use ports in the range 7000-8500.
accept -i ef1 tcp.dport>7000
accept -i ef1 udp.dport>7000

# Uncomment the line below for I/O fencing only if the switches are on the CXFS private network
# (ip.src is the switch address).
# accept -i ef1 tcp.sport=23 and ip.src=10.1.1.6

# Let ICMP traffic pass, especially ICMP 'port unreachable' packets.
accept -i ef1 icmp

# Reject the rest (-l will log any rejected packet to the SYSLOG)
reject -i ef1 -l
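The rule file above is easiest to reason about by running constructed packets through it and checking which rule fires first. The following evaluator is an added example written for this appendix; it is not SGI code and does not reproduce the IRIX ipfilterd implementation. It assumes first-match, top-to-bottom semantics, supports only the operators and the "and" conjunction that the sample file uses, and embeds the active (uncommented) rules of the file as its rule set. The sample addresses and ports fed to it are constructed for illustration.

```python
"""Toy first-match evaluator for the ipfilterd.conf rule subset used in this appendix.
Assumption: rules are applied top to bottom and the first match decides; this is a
simplified model written for illustration, not the IRIX ipfilterd code."""
import operator
import re
from dataclasses import dataclass

# The active (uncommented) rules from the sample file above, copied verbatim.
CONF = """
accept -i lo0
accept -i ef0
accept -i eg0
accept -i eg1
accept -i lb0
accept -i ef1 ip.off>0
accept -i ef1 udp.port 111
accept -i ef1 tcp.port 111
accept -i ef1 tcp.sport>=600 and tcp.sport<=1023
accept -i ef1 tcp.dport>=600 and tcp.dport<=1023
accept -i ef1 tcp.port 5435
accept -i ef1 udp.port 7500
accept -i ef1 tcp.port 5450
accept -i ef1 tcp.port 5451
accept -i ef1 udp.port 5452
accept -i ef1 udp.port 5453
accept -i ef1 tcp.dport>7000
accept -i ef1 udp.dport>7000
accept -i ef1 icmp
reject -i ef1 -l
"""

OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}
# One term: proto[.field][op value], e.g. "icmp", "udp.port 111", "tcp.sport>=600"
TERM = re.compile(r"(\w+)(?:\.(\w+))?\s*(>=|<=|>|<|=)?\s*(\S+)?")


@dataclass
class Packet:
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str = "10.1.1.2"   # constructed sample address
    sport: int = 0
    dport: int = 0
    off: int = 0            # IP fragment offset (ip.off); 0 for an unfragmented packet


def parse_rules(text):
    """Return (action, iface, log, [terms]) tuples; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        action, iface, log, expr = tokens[0], None, False, []
        i = 1
        while i < len(tokens):
            if tokens[i] == "-i":
                iface, i = tokens[i + 1], i + 2
            elif tokens[i] == "-l":
                log, i = True, i + 1
            else:
                expr.append(tokens[i])
                i += 1
        # only "and" conjunctions occur in the sample file, so that is all we model
        terms = [t for t in " ".join(expr).split(" and ") if t]
        rules.append((action, iface, log, terms))
    return rules


def match_term(term, pkt):
    proto, field, op, val = TERM.fullmatch(term.strip()).groups()
    if proto == "ip":                      # ip.off / ip.src apply to every protocol
        if field == "off":
            return OPS[op](pkt.off, int(val))
        if field == "src":
            return pkt.src == val
        raise ValueError(term)
    if pkt.proto != proto:
        return False
    if field is None:                      # bare protocol name, e.g. "icmp"
        return True
    if field == "port":                    # matches either source or destination port
        return int(val) in (pkt.sport, pkt.dport)
    actual = pkt.sport if field == "sport" else pkt.dport
    return OPS[op or "="](actual, int(val))


def classify(pkt, rules=None):
    """First matching rule wins; returns (action, logged). Assumption: a packet matching
    no rule is accepted (the trailing 'reject -i ef1 -l' makes this moot on ef1)."""
    if rules is None:
        rules = parse_rules(CONF)
    for action, iface, log, terms in rules:
        if iface is not None and iface != pkt.iface:
            continue
        if all(match_term(t, pkt) for t in terms):
            return action, log
    return "accept", False


if __name__ == "__main__":
    for p in [Packet("ef1", "tcp", sport=40000, dport=111),
              Packet("ef1", "tcp", src="10.1.1.6", sport=23, dport=1024),
              Packet("ef1", "udp", sport=5449, dport=5449)]:
        print(p, "->", classify(p))
```

Two things the evaluator makes visible that the file alone does not: rule order matters, because a non-first fragment (ip.off>0) is accepted before any port rule is consulted, so the fragment rule should stay where it is; and `tcp.dport>7000` / `udp.dport>7000` have no upper bound, so a destination port of 9000 is accepted even though the comment describes the range 7000-8500. If the narrower range is what is intended, the file's own syntax (`and`, `<=`) allows adding an upper bound to those two rules.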