Configuring PowerHA SystemMirror with IP security filter rules

You must enable specific ports for cluster commands and for cluster services to work correctly.

About this task

If you manually configure IP security filter rules, or if you use a tool such as AIX® Security Expert, which creates filter rules, you must ensure that those rules do not affect the ports that are used by PowerHA® SystemMirror®, Cluster Aware AIX, and Reliable Scalable Cluster Technology (RSCT).

To use manually configured IP security filter rules with cluster services, complete the following steps:

Procedure

  1. From the command line, enter smitty tcpip.
  2. In SMIT, select Configure IP Security > Advanced IP Security Configuration > Configure IP Security Filter Rules > Add an IP Security Filter Rule and press Enter.
  3. From the Add an IP Security Filter Rule menu, enter the values for a single port according to the following table.
    Table 1. Valid port numbers and values for the Add an IP security filter rule menu in SMIT

    | Source port number / ICMP type | Rule action | Protocol | Source port / ICMP type operation | Description |
    |---|---|---|---|---|
    | 0 | permit | icmp | any | The clcomd daemon uses ICMP to identify a working IP address to connect to a node. |
    | 512 | deny | all | le | Blocks all port numbers that are less than 512. |
    | 1023 | permit | all | le | Opens all port numbers that are less than 1024. |
    | 6174 | permit | all | eq | The clinfo_client daemon uses this port number for the clstat utility and other clinfo applications. |
    | 6175 | permit | all | eq | The clm_smux daemon uses this port number for Simple Network Management Protocol (SNMP) smux peer operations. |
    | 6176 | permit | all | eq | The clinfo_deadman daemon uses this port number for clinfo monitoring operations. |
    | 6180 | permit | all | eq | The emsvcs command uses this port number for RSCT events. |
    | 6270 | permit | all | eq | The clsmuxpd daemon uses this port number for SNMP operations. |
    | 12348 | permit | all | eq | The cthags command uses this port number for RSCT group services. |
    | 16191 | permit | all | eq | The clcomd daemon uses this port number during the migration process from a prior release of PowerHA SystemMirror. |
  4. Repeat steps 1-3 for each port that is listed in Table 1.
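
The procedure above, scripted as a dry run: an added example, not IBM's or the product's own code. It prints one AIX `genfilt` command per row of Table 1, followed by `mkfilt -v 4 -u` to activate the IPv4 rules, so the rule set can be reviewed before anything is applied. The any-address values (0.0.0.0) for source and destination are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM's code: dry run that prints one genfilt command per
# Table 1 row for review; nothing is executed or changed on the system.
# Assumption: 0.0.0.0/0.0.0.0 (any IPv4 address) for source and destination;
# set SRC and SRC_MASK to narrow the source to your cluster subnets.
SRC=${SRC:-0.0.0.0}
SRC_MASK=${SRC_MASK:-0.0.0.0}

# Table 1 rows in table order: port-or-ICMP-type, action, protocol, operation
table1_rows() {
cat <<'EOF'
0 permit icmp any
512 deny all le
1023 permit all le
6174 permit all eq
6175 permit all eq
6176 permit all eq
6180 permit all eq
6270 permit all eq
12348 permit all eq
16191 permit all eq
EOF
}

# Hypothetical helper: map one row to genfilt flags, rejecting unexpected values.
row_to_genfilt() {
    port=$1 action=$2 proto=$3 op=$4
    case $action in
        permit) act=P ;;
        deny)   act=D ;;
        *) echo "bad action: $action" >&2; return 1 ;;
    esac
    case $proto in icmp|all) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case $op in any|le|eq) ;; *) echo "bad operation: $op" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    echo "genfilt -v 4 -a $act -s $SRC -m $SRC_MASK -d 0.0.0.0 -M 0.0.0.0 -c $proto -o $op -p $port"
}

# Emit every rule, then the mkfilt call that activates the IPv4 rule table.
generate_rules() {
    table1_rows | while read -r port action proto op; do
        row_to_genfilt "$port" "$action" "$proto" "$op" || exit 1
    done || return 1
    echo "mkfilt -v 4 -u"
}

generate_rules
```

Check the printed commands against the `genfilt` documentation for your AIX level before running them on a cluster node.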