Firewall recommendations for protocol access
It is recommended to allow only the port numbers listed below through the firewall, which secures the protocol data transfer.
Recommendations for NFS access
Port Number | Protocol | Service Name | Components that are involved in communication |
---|---|---|---|
2049 | TCP and UDP | NFSV4 or NFSV3 | NFS clients and IBM Spectrum Scale protocol node
111 | TCP and UDP | RPC (required only by NFSV3) | NFS clients and IBM Spectrum Scale protocol node
User-defined static port | TCP and UDP | STATD (required only by NFSV3) | NFS clients and IBM Spectrum Scale protocol node
User-defined static port | TCP and UDP | MNT (required only by NFSV3) | NFS clients and IBM Spectrum Scale protocol node
User-defined static port | TCP and UDP | NLM (required only by NFSV3) | NFS clients and IBM Spectrum Scale protocol node
User-defined static port | TCP and UDP | RQUOTA (required by both NFSV3 and NFSV4) | NFS clients and IBM Spectrum Scale protocol node
- Review the /etc/services file on your systems to select the static ports to use for the MNT, NLM, STATD, and RQUOTA services that are required by the NFSV4 server. Do not use a port that is already used by another application. Set the static ports by using the mmnfs config change command. Allow TCP and UDP port 2049 to use the protocol node IPs. For example:
  mmnfs config change MNT_PORT=32767:NLM_PORT=32769:RQUOTA_PORT=32768:STATD_PORT=32765
- Allow all external communications on TCP and UDP port 111 by using the protocol node IPs.
- Allow all external communications on the TCP and UDP ports that are specified with mmnfs config change for the MNT and NLM ports.
- Ensure that the following steps are done after making any of these changes:
  - Restart NFS after changing these parameters by using the following commands:
    mmces service stop NFS -a
    mmces service start NFS -a
  - Use rpcinfo -p to query the protocol nodes after any port changes to verify that the proper ports are in use.
  - Remount any existing clients because a port change might have disrupted connections.
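As an added example (not from the IBM documentation), the following POSIX shell check compares rpcinfo -p output against the static ports from the example mmnfs config change command above, so a firewall rule and the server cannot silently disagree; the rpcinfo sample is constructed and contains one deliberate mismatch.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): confirm that the NFSv3 helper
# services registered with rpcbind listen on the static ports set with
# "mmnfs config change". Port values are the documentation's example values.
MNT_PORT=32767
NLM_PORT=32769
RQUOTA_PORT=32768
STATD_PORT=32765

# Constructed sample of "rpcinfo -p" output; on a protocol node use the real
# command. The last line deliberately shows rquotad on an unexpected TCP port.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100003    4   tcp   2049  nfs
    100005    3   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100021    4   tcp  32769  nlockmgr
    100024    1   tcp  32765  status
    100011    1   udp  32768  rquotad
    100011    1   tcp  20048  rquotad'

# rpc_ports_for SERVICE: distinct ports rpcbind reports for SERVICE (rpcinfo
# names them mountd, nlockmgr, status, rquotad); reads rpcinfo text on stdin.
rpc_ports_for() {
    awk -v svc="$1" '$5 == svc { print $4 }' | sort -u
}

# check_service SERVICE EXPECTED_PORT: succeed only if SERVICE is registered
# and every registered port (TCP and UDP) equals EXPECTED_PORT.
check_service() {
    svc=$1; want=$2; ok=1; seen=0
    for p in $(rpc_ports_for "$svc"); do
        seen=1
        if [ "$p" != "$want" ]; then
            echo "MISMATCH: $svc registered on port $p, firewall expects $want" >&2
            ok=0
        fi
    done
    [ "$seen" -eq 1 ] && [ "$ok" -eq 1 ]
}

# verify_nfs_ports RPCINFO_TEXT: check all four services; nonzero if any differ.
verify_nfs_ports() {
    rc=0
    printf '%s\n' "$1" | check_service mountd   "$MNT_PORT"    || rc=1
    printf '%s\n' "$1" | check_service nlockmgr "$NLM_PORT"    || rc=1
    printf '%s\n' "$1" | check_service status   "$STATD_PORT"  || rc=1
    printf '%s\n' "$1" | check_service rquotad  "$RQUOTA_PORT" || rc=1
    return $rc
}

verify_nfs_ports "$SAMPLE_RPCINFO" && echo "NFS ports match the firewall rules"
```

Run it against each protocol node's rpcinfo -p output after the NFS restart; a MISMATCH line means either the firewall rule or the mmnfs configuration needs correcting.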
Recommendations for SMB access
Port Number | Protocol | Service Name | Components that are involved in communication |
---|---|---|---|
445 | TCP | Samba | SMB clients and IBM Spectrum Scale protocol node |
4379 | TCP | CTDB | Inter-protocol node |
- Allow the access request that is coming from the data network and admin and management network on port 445 using the protocol node IPs. You can get the list of protocol node IPs by using the mmlscluster --ces command.
- Allow connection only to the requests that are coming from the IBM Spectrum Scale cluster node IPs (internal IPs and protocol node IPs) on port 4379. Block all other external connections on this port. Use the mmlscluster command to get the list of cluster node IPs.
Port usage for BLOCK service
Port Number | Protocol | Service Name | Components that are involved in communication |
---|---|---|---|
3260 | TCP | BLOCK (iSCSI) | IBM Spectrum Scale protocol node (when the BLOCK service is enabled) listening on this port |
Object port configuration
Port Number | Protocol | Service Name | Components that are involved in communication |
---|---|---|---|
8080 | TCP | Object Storage Proxy | Object clients and IBM Spectrum Scale protocol node |
6200 | TCP | Object Storage (local account server) | Local host |
6201 | TCP | Object Storage (local container server) | Local host |
6202 | TCP | Object Storage (local object server) | Local host |
6203 | TCP | Object Storage (object server for unified file and object access) | Local host |
11211 | TCP and UDP | Memcached (local) | Local host |
- Allow all external communications on TCP port 8080 (Object Storage proxy).
- Allow connection only from the IBM Spectrum Scale cluster node IPs (internal IPs and protocol node IPs) on ports 6200, 6201, 6202, 6203, and 11211. Block all other external connections on this port.
Shell access by non-root users must be restricted on IBM Spectrum Scale protocol nodes where the object services are running to prevent unauthorized access to object data.
Port usage for object authentication
Port Number | Protocol | Service Name | Components that are involved in communication |
---|---|---|---|
5000 | TCP | Keystone Public | Authentication clients and object clients |
35357 | TCP | Keystone Internal/Admin | Authentication and object clients and Keystone administrator |
- Allow all external communication requests that are coming from the admin or management network and IBM Spectrum Scale internal IPs on port 35357.
- Allow all external communication requests that are coming from clients to IBM Spectrum Scale for object storage on port 5000. Block all other external connections on this port.
Port usage to connect to the Postgres database for object protocol
Port Number | Protocol | Service Name | Components that are involved in communication |
---|---|---|---|
5431 | TCP and UDP | postgresql-obj | Inter-protocol nodes |
Consolidated list of recommended ports that are used for installation, internal communication, and protocol access
Function | Dependent network service names | External ports that are used for file and object access | Internal ports that are used for inter-cluster communication | UDP / TCP | Nodes for which the rules are applicable |
---|---|---|---|---|---|
Installer | Chef | N/A | 8889 (chef), 10080 (repo) | TCP | GPFS server, NSD server, protocol nodes
GPFS (internal communication) | GPFS | N/A | 1191 (GPFS), 60000-61000 for tscCmdPortRange, 22 for SSH | TCP and UDP; TCP only for 22 | GPFS server, NSD server, protocol nodes
SMB | gpfs-smb.service, gpfs-ctdb.service, rpc.statd | 445 | 4379 (CTDB) | TCP | Protocol nodes only
NFS | gpfs.ganesha.nfsd, rpcbind, rpc.statd | 2049 (NFS_PORT - required only by NFSV3), 111 (RPC - required only by NFSV3), 32765 (STATD_PORT), 32767 (MNT_PORT - required only by NFSV3), 32768 (RQUOTA_PORT - required by both NFSV3 and NFSV4), 32769 (NLM_PORT - required only by NFSV3). Note: Make the dynamic ports static with the mmnfs config change command. | N/A | TCP and UDP | Protocol nodes only
Object | swift-proxy-server, keystone-all, postgresql-obj | 8080 (proxy server), 35357 (keystone), 5000 (keystone public) | 5431 (Object Postgres instance), 6200-6203 (Object Storage), 11211 (Memcached) | TCP; TCP and UDP (for 11211 only) | Protocol nodes only
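The access rules from the tables above, turned into firewalld commands as an added example (this is not IBM's own tooling); the cluster IPs and the zone name are constructed placeholders, and the script only prints the commands so that they can be reviewed before use.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: print the firewall-cmd
# commands that open the external protocol ports to all clients and restrict
# the internal SMB and Object ports to the cluster node IPs, as the tables
# recommend. The IP list is constructed; on a real cluster take it from
# "mmlscluster" (and "mmlscluster --ces" for the protocol node IPs).
# Assumes the zone's default target rejects traffic that no rule accepts.
CLUSTER_IPS="10.0.0.11 10.0.0.12 10.0.0.13"
ZONE="public"

# Ports clients must reach: SMB, NFS (2049; 111 for NFSV3), Object proxy,
# Keystone public. The NFSV3 static ports set with mmnfs config change belong
# here too; 35357 (Keystone admin) is left to the admin-network rules.
EXTERNAL="445/tcp 2049/tcp 2049/udp 111/tcp 111/udp 8080/tcp 5000/tcp"
# Ports reachable only between cluster nodes: CTDB, Object Postgres,
# account/container/object servers, memcached.
INTERNAL="4379/tcp 5431/tcp 5431/udp 6200-6203/tcp 11211/tcp 11211/udp"

# external_rules: plain port openings, one command per port/protocol.
external_rules() {
    for p in $EXTERNAL; do
        printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$ZONE" "$p"
    done
}

# internal_rules: one rich rule per (cluster IP, internal port) pair. Other
# sources are never accepted, so the zone's default target rejects them.
internal_rules() {
    for ip in $CLUSTER_IPS; do
        for p in $INTERNAL; do
            port=${p%/*}; proto=${p#*/}
            printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'\n" \
                "$ZONE" "$ip" "$port" "$proto"
        done
    done
}

# firewall_commands: the complete command list, ending with the reload that
# makes the permanent rules active.
firewall_commands() {
    external_rules
    internal_rules
    echo "firewall-cmd --reload"
}

firewall_commands
```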