On Thu, Oct 5, 2017 at 9:30 PM, Stefan Kooman <stefan@xxxxxx> wrote:
> Hi,
>
> While implementing (stricter) firewall rules I noticed weird behaviour.
> For the monitors only port 6789 was allowed. We currently co-locate the
> manager daemon with our monitors. Apparently (at least) port 6800 is
> also essential. In the Network Configuration Reference [1] there is no
> mention of the iptables rules needed for the manager.
> The figure depicting request / response within / between the client /
> nodes in the network does not yet describe interaction with manager.

This was an oversight in the docs (oops), I've just merged the PR that
updated the firewall page on the master branch here
(https://github.com/ceph/ceph/pull/17974).

> Do you need to open up port 6800(:7300?) completely, or is it enough to
> only allow traffic between manager(s) <-> monitor(s)?

The former: you need to open it up in general, because the OSDs and
other daemons will also need to report to the manager.

> Gr. Stefan
>
> P.s. How can one contribute to the documentation?

The docs are in the ceph git repo under doc/ -- you can clone the git
repository and work on them the same way as code, or for very simple
changes you can also use the github web UI to edit a file. The downside
to the github UI is that once you've opened a PR you can't then update
it, so I would only use it for tiny changes.

There is some more information here:
https://github.com/ceph/ceph/blob/master/doc/start/documenting-ceph.rst

Cheers,
John

> [1]: http://docs.ceph.com/docs/luminous/rados/configuration/network-config-ref/
>
> --
> | BIT BV http://www.bit.nl/ Kamer van Koophandel 09090351
> | GPG: 0xD14839C6 +31 318 648 688 / info@xxxxxx
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
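The firewall change discussed in this thread (monitor on 6789/tcp plus the 6800:7300 range for the co-located manager, reachable from every daemon in the cluster), as an added example that is not part of the original thread and not Ceph project code: a generator for an iptables-restore ruleset with a default-deny INPUT chain, and a check that a saved ruleset actually admits the manager range. The cluster network CIDR (10.0.0.0/24 in the usage line) is a constructed assumption.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a host running ceph-mon and ceph-mgr.
# $1: the CIDR of the network the Ceph daemons live on (assumed; adjust).
# 6789/tcp is the monitor port from the thread; 6800:7300/tcp is the range
# the thread asks about, which OSDs and other daemons use to reach the mgr.
ceph_mon_mgr_rules() {
    cidr="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ceph-mon: clients and daemons talk to the monitor on 6789
-A INPUT -p tcp -s ${cidr} --dport 6789 -m conntrack --ctstate NEW -j ACCEPT
# ceph-mgr (same range as OSDs): open to the whole cluster network,
# since every daemon reports to the manager, not only the monitors
-A INPUT -p tcp -s ${cidr} --dport 6800:7300 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save style ruleset on stdin; exit 0 only if INPUT
# accepts the manager range. Use it to catch the "6789 only" rule set
# that caused the behaviour described in the thread.
ceph_mgr_port_allowed() {
    grep -Eq '^-A INPUT .*--dport 6800:7300 .*-j ACCEPT'
}

# Usage (not executed here): syntax-check the generated rules without
# loading them, then verify the manager range is present.
#   ceph_mon_mgr_rules 10.0.0.0/24 | iptables-restore --test
#   iptables-save | ceph_mgr_port_allowed || echo "ceph-mgr range not allowed"
```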