5.5 HP StorageWorks X9720 Network Storage System Administrator Guide (AW549-96026, March 2011)

3 Configuring the firewall
IMPORTANT:
To avoid unintended consequences, HP recommends that you perform the procedures in this chapter
during scheduled maintenance times.
Firewall concepts
The X9720 Network Storage System uses iptables to implement a firewall on each server. The iptables
rules allow the servers to communicate with each other and to provide appropriate NAS services to
other systems. Unless needed for a specific purpose, the general policy is to disallow traffic on all
ports. The X9720 Network Storage System firewall prevents unnecessary network traffic on the X9720
Network Storage System network infrastructure. However, it is not intended as a replacement for
normal security procedures.
Use the following command to view the current set of rules used by iptables:
# iptables --list
The firewall filters are constructed in four chains:
MXSO-Core-Filter        Permits all traffic over local and management LAN interfaces
MXSO-Internal-Filter    Permits X9720 cluster communications between server blades over external interfaces
MXSO-External-Filter    Permits external NAS communications over well known ports
MXSO-User-Filter        Permits miscellaneous and user-defined traffic over the firewall
IMPORTANT:
Only modify the MXSO-External-Filter and MXSO-User-Filter chains. Do not modify the other chains;
they are critical to the correct operation of the system.
The original/factory firewall configuration is stored in /etc/sysconfig/iptables.mxso. Do not
modify this file.
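The following is an added example, not part of the HP guide: a check that the two chains the guide says not to modify (MXSO-Core-Filter and MXSO-Internal-Filter) still match a baseline rule set. It assumes both rule sets are in iptables-save format; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag drift in the chains the guide says not to modify.
# Assumption: baseline and current rule sets are both in iptables-save format.
PROTECTED_CHAINS="MXSO-Core-Filter MXSO-Internal-Filter"

# chain_rules FILE CHAIN: print the "-A CHAIN ..." rules of one chain, in order.
chain_rules() {
    awk -v chain="$2" '$1 == "-A" && $2 == chain' "$1"
}

# check_protected_chains BASELINE CURRENT: return 0 if every protected chain
# is identical in both files, 1 (with a message on stderr) otherwise.
check_protected_chains() {
    status=0
    for chain in $PROTECTED_CHAINS; do
        if [ "$(chain_rules "$1" "$chain")" != "$(chain_rules "$2" "$chain")" ]; then
            echo "DRIFT: $chain differs from baseline" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample rule sets (illustrative, not the appliance's real rules).
demo_dir=$(mktemp -d)
cat > "$demo_dir/baseline" <<'EOF'
*filter
:MXSO-Core-Filter - [0:0]
:MXSO-Internal-Filter - [0:0]
:MXSO-User-Filter - [0:0]
-A MXSO-Core-Filter -i lo -j ACCEPT
-A MXSO-Internal-Filter -s 192.0.2.10/32 -j ACCEPT
COMMIT
EOF
# Permitted change: a rule appended to MXSO-User-Filter.
sed 's|^COMMIT$|-A MXSO-User-Filter -p tcp --dport 8443 -j ACCEPT|' \
    "$demo_dir/baseline" > "$demo_dir/user_change"
echo COMMIT >> "$demo_dir/user_change"
# Change the guide forbids: a rule appended to MXSO-Core-Filter.
sed 's|^COMMIT$|-A MXSO-Core-Filter -p tcp --dport 8443 -j ACCEPT|' \
    "$demo_dir/baseline" > "$demo_dir/core_change"
echo COMMIT >> "$demo_dir/core_change"

check_protected_chains "$demo_dir/baseline" "$demo_dir/user_change" && echo "user_change: protected chains intact"
check_protected_chains "$demo_dir/baseline" "$demo_dir/core_change" || echo "core_change: protected chain modified"
```

On a server, the current rule set can be captured with iptables-save and passed as the second argument; using /etc/sysconfig/iptables.mxso as the baseline works only if that file is in iptables-save format, which the guide does not state.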
Port usage in an X9720 Network Storage System
This section describes which ports are used by an X9720 Network Storage System. This information
can be useful if you have a firewall system sitting between an X9720 Network Storage System and
a client system.