Danny Roberts wrote:
> When using Corosync with two rings via multi-cast addresses 226.94.1.1 (Port 5405) & 226.94.1.2 (Port 5406) what iptables rules are required to allow two

This is incorrect. There is always port and port - 1 used by each ring. So you can't use 5406, because 5405 will be used by both ring 0 and ring 1. Use 5407 for the second ring.

> nodes to communicate optimally without giving any undue access and making the rules too lenient? I currently have:
>
> iptables -A INPUT -p udp -m multiport --dports 5404,5405,5406 -j ACCEPT
>
> Will that allow all the communication a Corosync/Pacemaker setup requires for both rings?

It should, but keep in mind that IGMP messages must be enabled.

> I have heard arguments that something like:
>
> iptables -I INPUT 1 -m pkttype --pkt-type multicast -j ACCEPT
>
> is required. However I cannot seem to replicate a situation where this assists if the first rule I listed above is already in place. The Red Hat documentation would seem to support the first approach. There is some IBM documentation espousing the second, but is it just a case of a rule that is far too lenient when the first would do the job equally well whilst leaving no unnecessary ports open?

In theory enabling IGMP messages + selected ports should be enough.

Regards,
Honza
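Honza's two points (each ring consumes mcastport and mcastport - 1, and IGMP must be allowed alongside the selected UDP ports) can be turned into a small helper that derives the port set and prints the matching rules. The script below is an added example, not code from this thread or from the Corosync project. It assumes ring ports 5405 and 5407 as suggested in the reply, a constructed cluster subnet 192.0.2.0/24 used to keep the UDP rule from accepting traffic from anywhere, and it only prints the iptables commands rather than applying them.

```shell
#!/bin/sh
# Added example (not from the thread or the Corosync project): derive the
# UDP port set a multi-ring Corosync cluster needs and print matching
# iptables rules. Per the thread, each ring uses mcastport and mcastport-1,
# and IGMP has to be allowed so multicast group membership works.

# Print the sorted, de-duplicated, comma-separated list of UDP ports for the
# given mcastport values (one argument per ring).
corosync_ring_ports() {
    for p in "$@"; do
        echo "$p"
        echo $((p - 1))
    done | sort -n | uniq | paste -sd, -
}

# Succeed only when no two rings share a port, i.e. the pairs
# (mcastport, mcastport-1) are disjoint: 2 distinct ports per ring.
corosync_rings_disjoint() {
    n=$(corosync_ring_ports "$@" | tr ',' '\n' | wc -l | tr -d ' ')
    [ "$n" -eq $(( $# * 2 )) ]
}

# Print (never apply) the INPUT rules: IGMP, then UDP from the cluster
# subnet to exactly the ring ports. Usage: corosync_iptables_rules SUBNET PORT...
corosync_iptables_rules() {
    subnet=$1; shift
    if ! corosync_rings_disjoint "$@"; then
        echo "error: ring ports $* overlap (each ring uses port and port-1)" >&2
        return 1
    fi
    ports=$(corosync_ring_ports "$@")
    echo "iptables -A INPUT -p igmp -j ACCEPT"
    echo "iptables -A INPUT -p udp -s $subnet -m multiport --dports $ports -j ACCEPT"
}

# Demonstration with constructed values: 192.0.2.0/24 is a documentation
# subnet, 5405/5407 are the ring ports suggested in the thread.
corosync_iptables_rules 192.0.2.0/24 5405 5407
# The pair from the original question collides on 5405 and is rejected:
corosync_iptables_rules 192.0.2.0/24 5405 5406 || echo "rejected as expected"
```

The `-s` restriction is the hardening step the thread hints at: the ports-only rule from the question admits UDP from any source, while the `pkttype multicast` rule admits every multicast packet regardless of port, so combining IGMP with the exact ring ports from the cluster subnet is the narrowest rule set that still passes everything Corosync needs.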
_______________________________________________ discuss mailing list discuss@xxxxxxxxxxxx http://lists.corosync.org/mailman/listinfo/discuss