- This example details the steps required for a single node. The process must be repeated on every node in your system.
- Users upgrading from HCI 1.6.1 to a later version who already have signal sources configured and have run the scripts will not receive syslog messages until these firewall scripts are rerun on the upgraded system.
- Before running the scripts, ensure that the firewall service is enabled.
- While running the scripts, you may encounter errors because nmcli does not work when NetworkManager is disabled. To enable it, type: systemctl start NetworkManager
- After the scripts have finished, restart HCI.
The following is an example of what a hardened HCI cluster running CentOS Linux 7.4.1708 (Core) would look like if it were set up to ONLY allow HCI to run within it.
The following firewall scripts are now located in <hci_install_directory>/bin:
- hciConfigFirewallExample.sh
- hciFirewallExampleUtils
- hciProcessFirewall
To run the example script on your system, execute hciConfigFirewallExample.sh.
The following firewalld example was created using our proprietary script. It is compatible with HCI versions 1.5 and later.
This script IS NOT officially supported or licensed by Hitachi Vantara. Usage of this script assumes all risks and responsibilities associated with it. Also, based on your personal network and system settings, your mileage with its usage and implementation may vary. Contact your system administrator if you have any network security or firewall concerns.
Network interfaces examples | 
---|---
ens160 : 172.18.118.111 | In the following config example, this network interface is the external, non-trusted interface.
ens192 : 172.118.110.111 | In the following config example, this network interface is the internal, trusted interface.
Zone setup | 
---|---
Default Zone | drop
Active Zones | HCI-External, trusted, HCI-AdminApp-Mon
To view your current settings: firewall-cmd --list-all --zone=drop | 
---|---
target | DROP
icmp-block-inversion | no
interfaces | <blank>
sources | <blank>
services | <blank>
ports | <blank>
protocols | <blank>
masquerade | no
forward-ports | <blank>
source-ports | <blank>
icmp-blocks | <blank>
rich rules | <blank>
To view your current settings: firewall-cmd --list-all --zone=HCI-External | 
---|---
target | DROP
icmp-block-inversion | no
interfaces | ens160
sources | <blank>
services | ssh
ports | 8000/tcp 8888/tcp 6162/tcp
protocols | <blank>
masquerade | no
forward-ports | <blank>
source-ports | <blank>
icmp-blocks | <blank>
rich rules | <blank>
To view your current settings: firewall-cmd --list-all --zone=trusted | 
---|---
target | ACCEPT
icmp-block-inversion | no
interfaces | ens192
sources | <blank>
services | <blank>
ports | <blank>
protocols | <blank>
masquerade | no
forward-ports | <blank>
source-ports | <blank>
icmp-blocks | <blank>
rich rules | <blank>
To view your current settings: firewall-cmd --list-all --zone=HCI-AdminApp-Mon | 
---|---
target | default
icmp-block-inversion | no
interfaces | <blank>
sources | ipset:HCI-Cluster-External
services | <blank>
ports | <blank>
protocols | tcp
masquerade | no
forward-ports | <blank>
source-ports | 18000/tcp
icmp-blocks | <blank>
rich rules | <blank>
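Because the scripts have to be rerun after an upgrade before syslog traffic flows again, it is worth confirming that each node still matches the zone tables above. The following Python check is an added example, not part of HCI or of the scripts it ships; it parses firewall-cmd --list-all output (which firewalld prints with two-space-indented "field: values" lines) and reports every field that differs from the baseline copied from those tables. The sample listing is constructed.

```python
import subprocess

# Expected zone state, copied from the zone tables above; unlisted fields are not checked.
BASELINE = {
    "drop": {"target": "DROP", "interfaces": set(), "ports": set()},
    "HCI-External": {"target": "DROP", "interfaces": {"ens160"}, "services": {"ssh"},
                     "ports": {"8000/tcp", "8888/tcp", "6162/tcp"}},
    "trusted": {"target": "ACCEPT", "interfaces": {"ens192"}},
    "HCI-AdminApp-Mon": {"target": "default", "sources": {"ipset:HCI-Cluster-External"},
                         "protocols": {"tcp"}, "source-ports": {"18000/tcp"}},
}

def parse_zone_listing(text):
    """Parse `firewall-cmd --list-all --zone=<zone>` output into {field: set(values)}.
    Field lines are indented two spaces; the zone-name line and tab-indented
    rich-rule continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("  "):
            key, sep, value = line.strip().partition(":")
            if sep:
                fields[key] = set(value.split())
    return fields

def zone_deviations(zone, listing):
    """Return [(field, expected, actual)] for each baseline field the node gets wrong."""
    actual = parse_zone_listing(listing)
    deviations = []
    for field, expected in BASELINE[zone].items():
        got = actual.get(field, set())
        if isinstance(expected, str):  # scalar field (target); the others are value sets
            got = " ".join(sorted(got))
        if got != expected:
            deviations.append((field, expected, got))
    return deviations

def check_live_zone(zone):
    """Query firewalld on this node (run as root) and report deviations for one zone."""
    out = subprocess.run(["firewall-cmd", "--list-all", "--zone=" + zone],
                         capture_output=True, text=True, check=True).stdout
    return zone_deviations(zone, out)

# Constructed, abbreviated listing of a node on which 6162/tcp never made it into HCI-External.
SAMPLE_HCI_EXTERNAL = """HCI-External (active)
  target: DROP
  interfaces: ens160
  sources:
  services: ssh
  ports: 8000/tcp 8888/tcp
  protocols:
  rich rules:
"""
```

Run check_live_zone for each zone in BASELINE on every node; an empty list means the zone matches the tables.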
To view your current settings: ipset list | 
---|---
Name | HCI-Cluster-External
Type | <blank>
Revision | <blank>
Header | <blank>
Size in memory | <blank>
References | <blank>
Members | <IP_ADDRESS_FOR_NODE_1> <IP_ADDRESS_FOR_NODE_2> <IP_ADDRESS_FOR_NODE_3> <IP_ADDRESS_FOR_NODE_4>

Note: These values would be filled in with the specific IP addresses of each of your system nodes.
To view your current settings: iptables -S