Re: [Networker] Networker Firewall Settings

2010-01-26 08:15:47
Subject: Re: [Networker] Networker Firewall Settings
From: Francis Swasey <Frank.Swasey AT UVM DOT EDU>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Tue, 26 Jan 2010 08:13:10 -0500
On 1/25/10 1:27 PM, psoni wrote:
Thanks Frank for the useful info.
Yes, there is a NetScreen firewall system between Networker server (7.5.1.4) 
and a client (7.5.1.4).

So I will do the following. Let me know if I am wrong.

[1] Calculate the # of service ports using the formula
12 + (2*devices) + jukeboxes. This comes to 23, so I will set service ports to 7937-7985 (a few extra).

As I attempted to imply in my first note -- you do not want to explicitly include ports 7937 and 7938 in the value you give to nsrports -S. This is because effective with version 7.5, EMC has managed to break the port assignment code so that if those two ports are in the values, they get used by the *wrong* daemons. Why do you want to set up a few extra? If you know you need 23, set it to 23... So, use

nsrports -S 7939-7959

Just remember that when you start nsrexecd up, that it will also use 7937 and 7938 because that's the way it was coded. EMC has finally added a note about this in the 7.6 Admin Guide. I still haven't convinced them that since you could have 7937 and 7938 in the list in 7.4 (and below) that they have introduced a gotcha that a working pre-7.5 client when upgraded and started up for the first time .... doesn't reliably start! (sigh)

[2] Modify nsrports on the server, storage nodes, and the clients (will keep the values same for simplicity)
     > nsrports
     service ports: 7937 - 7985 (a few extra)
     connection ports: 10001 - 10200 (not sure if 200 would be enough)
Question: What is the formula to decide the connection ports ?

As someone else responded to you, the connection ports are the ports that you allow the non-daemon commands that run and need ports on the local machine to use. Here, I can't help you, because I don't use them. However, I think you are going to need to figure out how many concurrently running non-daemon programs you can have (what's your parallelism set to) and then probably double it to be safe. As you have a firewall in the network between your server and your client, you are going to need to muck with this value (sadly) or else, you are going to have to open a very big hole to allow any port to talk to any port in both directions.

[3] nsrports on the client which is behind a firewall
     > nsrports
     service ports: 7937 - 7945
     connection ports: 10001 - 10200

Why? You know that the client only needs 4 service ports. Set it to service ports 7939-7940 and be done with it.

[4] Restart nsrexecd on every host

[5] Implement the following rule in firewall between Networker server and a client.

Networker server to client: TCP/UDP 7937-7945 (for services), 10001-10200 (for connection). I believe 100 would be enough.

Again, I'd open just 7937-7940 for the services. I believe you are correct that 100 would be enough.

Client to Networker server: TCP/UDP 7937-7985 (for services), 10001-10200 (for connection).

I'm not sure that 100 ports for connections from the server to the client are going to be enough -- it really depends on how many save groups you run at the same time and the number of save sets each of them runs in parallel -- plus a few more for the indexes for each of those save groups.

Again, I don't think you need use more than 7937-7959 for the service ports.

Do I need to worry about mgmt console? It is running on the Networker server.

Will you be running the mgmt console (NMC) java code on this client? If you will, then yes, you need to worry about it. It's documented in the Admin guide which ports it needs -- if you used the defaults, you need at a minimum to have 9000, 9001 and 2838 (IIRC) open from the client to the server -- and you need to have everything open from the server to the client unless you can find a way to limit which ports the NMC java code on the client opens to talk to the server.

What about TCP 111 (sunRPC)?

EMC keeps saying that they don't use it.... I know they do, everyone knows they do.... but I block it anyway.... it slows some things down, but it doesn't break them.... EMC really wants to use (udp) 7938 for that function.


--
Frank Swasey                    | http://www.uvm.edu/~fcs
Sr Systems Administrator        | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
 "I am not young enough to know everything." - Oscar Wilde (1854-1900)
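A small planning script, added here as an example and not part of the thread or of EMC's NetWorker tooling. It applies the service-port formula quoted above (12 + 2*devices + jukeboxes), Frank's point that nsrexecd on 7.5+ takes 7937 and 7938 on its own so the explicit `nsrports -S` range should start at 7939, and his rule of thumb of doubling the parallelism for connection ports. The device, jukebox and parallelism numbers are constructed sample inputs; the function names and the rule layout are this example's own.

```python
"""Plan NetWorker 7.5+ nsrports ranges and the matching firewall openings.

Constructed example: the device/jukebox counts and the parallelism value
passed in below are sample inputs, not values from the original thread.
"""
from __future__ import annotations

# Ports nsrexecd binds on 7.5+ regardless of what "nsrports -S" says.
NSREXECD_IMPLICIT = (7937, 7938)
# First port that is safe to hand to "nsrports -S" on 7.5+.
FIRST_EXPLICIT = 7939
# Start of the connection-port range used throughout the thread.
CONNECTION_BASE = 10001


def service_port_count(devices: int, jukeboxes: int) -> int:
    """Service ports needed on a server/storage node (formula from the thread)."""
    return 12 + 2 * devices + jukeboxes


def explicit_service_range(total_ports: int) -> tuple[int, int]:
    """Range for "nsrports -S": the total minus the two ports nsrexecd takes anyway.

    23 ports -> 7939-7959 (server in the thread); 4 ports -> 7939-7940 (client).
    """
    explicit = total_ports - len(NSREXECD_IMPLICIT)
    if explicit < 1:
        raise ValueError("total must exceed the two ports nsrexecd always uses")
    return FIRST_EXPLICIT, FIRST_EXPLICIT + explicit - 1


def check_service_range(low: int, high: int) -> list[str]:
    """Warn when a proposed -S range overlaps 7937/7938 (the 7.5 gotcha)."""
    return [
        f"port {p} is inside {low}-{high}; leave it out of nsrports -S on 7.5+"
        for p in NSREXECD_IMPLICIT
        if low <= p <= high
    ]


def connection_port_range(parallelism: int) -> tuple[int, int]:
    """Frank's rule of thumb: concurrent non-daemon programs, doubled."""
    count = 2 * parallelism
    return CONNECTION_BASE, CONNECTION_BASE + count - 1


def plan(devices: int, jukeboxes: int, parallelism: int,
         client_service_ports: int = 4) -> dict:
    """Produce the nsrports commands and firewall openings for both directions.

    The firewall rules start at 7937 because nsrexecd listens there even
    though the port is not named in the -S value.
    """
    srv_lo, srv_hi = explicit_service_range(service_port_count(devices, jukeboxes))
    cli_lo, cli_hi = explicit_service_range(client_service_ports)
    con_lo, con_hi = connection_port_range(parallelism)
    return {
        "server_nsrports": f"nsrports -S {srv_lo}-{srv_hi} -C {con_lo}-{con_hi}",
        "client_nsrports": f"nsrports -S {cli_lo}-{cli_hi} -C {con_lo}-{con_hi}",
        # (direction, protocol, first port, last port)
        "firewall": [
            ("server->client", "tcp/udp", NSREXECD_IMPLICIT[0], cli_hi),
            ("server->client", "tcp/udp", con_lo, con_hi),
            ("client->server", "tcp/udp", NSREXECD_IMPLICIT[0], srv_hi),
            ("client->server", "tcp/udp", con_lo, con_hi),
        ],
    }


if __name__ == "__main__":
    # Constructed inputs: 5 devices and 1 jukebox give the thread's 23 ports.
    for warning in check_service_range(7937, 7985):
        print("WARNING:", warning)
    for key, value in plan(devices=5, jukeboxes=1, parallelism=50).items():
        print(key, value)
```

Running it prints two warnings for the 7937-7985 range proposed in the thread, then `nsrports -S 7939-7959` for the server and `nsrports -S 7939-7940` for the client, with the firewall openings starting at 7937 in both directions.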
