HP Serviceguard for Linux Version A.11.16 Release Notes, Third Edition, August 2006

Compatibility Information and Installation Requirements
System Firewalls
When using a system firewall such as IPFilter with Serviceguard,
specific communications must be allowed to ensure proper cluster
operation. General guidelines for using a system firewall with
Serviceguard are listed below.
To enable intra-cluster communications, each HEARTBEAT_IP
network on every node within the cluster must allow the following
communications in both directions with all other nodes in the cluster:
  • tcp on port numbers 5300-5304, and 5408 - and allow only
    packets with the SYN flag
  • udp on port numbers 9, 5300, and 5302
  • tcp and udp on dynamic ports (typically 49152-65535)
If your Serviceguard configuration uses a quorum server, all nodes
within the cluster must allow the following communication to the
quorum server IP address:
  • tcp on port 1238 - and allow only packets with the SYN flag
Any node providing quorum service for another cluster must allow
the following communication from that cluster’s nodes:
  • tcp on port 1238 - and allow only packets with the SYN flag
Running the cmscancl command requires that the “shell” port be open.
There are additional firewall considerations to enable execution of
Serviceguard commands from nodes outside the cluster, such as those
listed in cmclnodelist. To allow execution of Serviceguard commands,
follow the guidelines below.
All nodes in the cluster must allow the following communications:
  from the remote nodes:
    • tcp on port 5302 - and allow only packets with the SYN flag
    • udp on port 5302
  to the remote nodes:
    • tcp and udp on port numbers 49152-65535
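The intra-cluster, quorum-server and remote-command guidelines above, expressed as iptables rules; this is an added example, not from the release notes (which name IPFilter), and every IP address in it is a constructed sample. The conntrack rule is how iptables realises "allow only packets with the SYN flag": only connection openings are admitted explicitly and the rest of each flow follows by state.

```shell
# Added example: prints iptables rules implementing the Serviceguard firewall
# guidelines (intra-cluster, quorum server, remote command nodes). Rules are
# printed for review rather than applied; pipe the output into sh to apply.
# Once a SYN has been accepted, the rest of that flow passes via conntrack.
sg_state_rules() {
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}
# Intra-cluster rules for this node's HEARTBEAT_IP ($1) with every other
# cluster node ($2 ...). Fixed TCP ports carry --syn; dynamic ports do not.
sg_heartbeat_rules() {
    me=$1; shift
    for peer in "$@"; do
        for p in 5300:5304 5408; do
            echo "iptables -A INPUT -p tcp -s $peer -d $me --dport $p --syn -j ACCEPT"
            echo "iptables -A OUTPUT -p tcp -s $me -d $peer --dport $p --syn -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp -s $peer -d $me --dport 49152:65535 -j ACCEPT"
        echo "iptables -A OUTPUT -p tcp -s $me -d $peer --dport 49152:65535 -j ACCEPT"
        for p in 9 5300 5302 49152:65535; do
            echo "iptables -A INPUT -p udp -s $peer -d $me --dport $p -j ACCEPT"
            echo "iptables -A OUTPUT -p udp -s $me -d $peer --dport $p -j ACCEPT"
        done
    done
}
# Cluster node ($1) reaching its quorum server ($2) on tcp/1238.
sg_quorum_client_rules() {
    echo "iptables -A OUTPUT -p tcp -s $1 -d $2 --dport 1238 --syn -j ACCEPT"
}
# Quorum server ($1) accepting tcp/1238 from the nodes ($2 ...) of a cluster it serves.
sg_quorum_server_rules() {
    qs=$1; shift
    for node in "$@"; do
        echo "iptables -A INPUT -p tcp -s $node -d $qs --dport 1238 --syn -j ACCEPT"
    done
}
# Cluster node ($1) accepting Serviceguard commands from nodes listed in
# cmclnodelist ($2 ...): port 5302 inbound, dynamic ports outbound.
sg_remote_admin_rules() {
    me=$1; shift
    for r in "$@"; do
        echo "iptables -A INPUT -p tcp -s $r -d $me --dport 5302 --syn -j ACCEPT"
        echo "iptables -A INPUT -p udp -s $r -d $me --dport 5302 -j ACCEPT"
        echo "iptables -A OUTPUT -p tcp -s $me -d $r --dport 49152:65535 -j ACCEPT"
        echo "iptables -A OUTPUT -p udp -s $me -d $r --dport 49152:65535 -j ACCEPT"
    done
}
# Usage on node 10.0.0.1 of a three-node cluster with quorum server 10.0.0.9
# (constructed addresses):
# { sg_state_rules; sg_heartbeat_rules 10.0.0.1 10.0.0.2 10.0.0.3;
#   sg_quorum_client_rules 10.0.0.1 10.0.0.9; } | sh
```

Apply the rules only after the default policy of the chain is decided; the functions add ACCEPT rules and do not set a DROP policy themselves.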