Creating outbound firewall rules
To create custom outbound firewall rules, use the following command:
vinfra cluster network set --add-outbound-allow-list <rules> <network>
--add-outbound-allow-list <rules>
- A comma-separated list of allow rules in the format <address>:<protocol>:<port>:<description>, where:
  <address> is a single IP address (10.10.10.10), an address range (10.10.10.0-10.10.10.10), or a subnet in CIDR notation (10.10.10.0/32)
  <protocol> can be udp, tcp, or any
  <port> is an integer value (22) or a range (20-22)
  <description> usually contains the name of the service that uses the specified port
<network>
- Network ID or name
You need to create an additional rule in the following cases:
- If you connect a remote iSCSI device to your cluster node, manually add a rule specifying the port number used for connecting this iSCSI device. For example:
  # vinfra cluster network set Public --add-outbound-allow-list "0.0.0.0:tcp:3260:Remote iSCSI"
- If you plan to change the network configuration and IP address assignment of your cluster nodes by using network migration, manually add a rule specifying TCP and UDP ports 60000–60100. For example:
  # vinfra cluster network set Public --add-outbound-allow-list \
  "0.0.0.0:tcp:60000-60100:Network migration","0.0.0.0:udp:60000-60100:Network migration"
- If you plan to reassign an exclusive traffic type from one network to another, manually add rules specifying TCP and UDP ports 60000–60100 for both networks. For example:
  # vinfra cluster network set Public --add-outbound-allow-list \
  "0.0.0.0:tcp:60000-60100:Network migration","0.0.0.0:udp:60000-60100:Network migration"
  # vinfra cluster network set MyNet --add-outbound-allow-list \
  "0.0.0.0:tcp:60000-60100:Network migration","0.0.0.0:udp:60000-60100:Network migration"
- If you enable user authentication in an NFS share with Kerberos V5, manually add rules specifying TCP ports 88 and 749, UDP port 88, and the Kerberos server IP address. For example, if the IP address of the Kerberos server is 10.128.168.20, run:
  # vinfra cluster network set Public --add-outbound-allow-list \
  "10.128.168.20:tcp:88:Kerberos","10.128.168.20:tcp:749:Kerberos",\
  "10.128.168.20:udp:88:Kerberos"
- If you configure a custom port for a particular service, manually add a rule specifying the used port number. For example:
  # vinfra cluster network set Public --add-outbound-allow-list "0.0.0.0:udp:161:Zabbix"
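As an added example (not part of the vinfra documentation or tool), the following Python validator parses the <address>:<protocol>:<port>:<description> allow-list format described above before it is handed to the command, so that a malformed address, an unknown protocol, or a reversed port range is caught in a change script rather than applied to the cluster. The function and class names are assumptions of this example; the rule strings in the test are the page's own Kerberos and network-migration rules.

```python
import ipaddress
from dataclasses import dataclass

# Protocol values accepted by the rule format described on this page.
PROTOCOLS = {"udp", "tcp", "any"}


@dataclass(frozen=True)
class OutboundRule:  # hypothetical name, not a vinfra type
    address: str       # single IP, "start-end" range, or CIDR, kept as written
    protocol: str      # udp, tcp or any
    port_start: int
    port_end: int
    description: str


def _check_address(text: str) -> str:
    """Accept a single IPv4 address, an address range (a-b), or a CIDR subnet."""
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"address range is reversed: {text}")
    elif "/" in text:
        ipaddress.IPv4Network(text, strict=False)
    else:
        ipaddress.IPv4Address(text)  # raises AddressValueError (a ValueError)
    return text


def _check_port(text: str) -> tuple[int, int]:
    """Accept a single port (22) or a range (20-22); bounds must be 1-65535."""
    parts = text.split("-", 1)
    lo = int(parts[0])
    hi = int(parts[1]) if len(parts) == 2 else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port or port range: {text}")
    return lo, hi


def parse_rule(rule: str) -> OutboundRule:
    """Parse one <address>:<protocol>:<port>:<description> entry."""
    fields = rule.split(":", 3)  # colons inside the description are preserved
    if len(fields) != 4:
        raise ValueError(f"expected 4 colon-separated fields: {rule!r}")
    address, protocol, port, description = (f.strip() for f in fields)
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be udp, tcp or any: {rule!r}")
    lo, hi = _check_port(port)
    return OutboundRule(_check_address(address), protocol, lo, hi, description)


def parse_allow_list(value: str) -> list[OutboundRule]:
    """Parse the comma-separated value given to --add-outbound-allow-list."""
    return [parse_rule(r) for r in value.split(",") if r.strip()]
```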