On 24.07.2013 13:11, Nux! wrote:
> On 24.07.2013 08:50, Nux! wrote:
>> Hi,
>> Can someone help with this? I need to set up a firewall around a
>> gluster (3.4) setup and I wouldn't like my clients to become peers.
>> :)
>> So the ports I'd need to watch for would be:
>> management traffic (aka `gluster peer` operations etc.) - 24007/tcp,
>> 24008/tcp, 24009+/tcp (for the bricks)
>> client traffic (so clients can mount & use the volume, but not become
>> peers) - ???
>> nfs traffic - 111/udp, 111/tcp & 38465-38468/tcp
>
> Just noticed 24009 needs to be open for the NFS to work (doh!).
>
> I'm still waiting for clarifications on which ports I need to open in
> order to allow client mounts, but not "peer" requests.

Thanks to JoeJulian on IRC for explaining it to me; it turns out there's no separation that would allow port-based restriction.

So, in theory, if a client can connect and mount a volume it can also issue "peer" commands. However - luckily - once a glusterfs deployment is set up, an external node is not authorised to become a peer. For "peer probe" to work it needs to be initialised by an existing node.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro
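Since the thread concludes that client and peer traffic share the same ports, the only port-level control left to a firewall is the source address: trusted peers and client subnets get the gluster ports, everybody else is dropped. The script below is an added example, not part of the original mail or of the gluster project; it emits iptables rules for the port list quoted in the thread (111/tcp+udp, 24007, 24008, the brick ports, 38465-38468). The sample addresses are constructed, and the brick range `24009:24020` is an assumption standing in for the thread's "24009+"; confirm the real brick ports with `gluster volume status` before using the output.

```shell
#!/bin/sh
# Added example (not from the original post): emit iptables rules for the
# gluster 3.4 port set listed in the thread. Because client and peer traffic
# share the same ports, the only port-level control left is the source
# address: trusted peers and client subnets reach the ports, nobody else.

# Constructed sample addresses; replace with your own.
PEERS="10.0.0.11 10.0.0.12"
CLIENT_NET="10.0.1.0/24"
# Assumption: one brick port per brick starting at 24009 (the thread's
# "24009+"); confirm the real range with `gluster volume status`.
BRICK_PORTS="24009:24020"

# gluster_fw_rules PEERS CLIENTS BRICK_RANGE
# Prints one ACCEPT pair (tcp ports + udp 111) per trusted source, then a
# DROP pair for everyone else. Returns 1 if no peers are given, since a
# ruleset with no peers would cut the gluster nodes off from each other.
gluster_fw_rules() {
    peers="$1"; clients="$2"; bricks="$3"
    [ -n "$peers" ] || return 1
    tcp_ports="111,24007,24008,${bricks},38465:38468"
    for src in $peers $clients; do
        echo "iptables -A INPUT -p tcp -s $src -m multiport --dports $tcp_ports -j ACCEPT"
        echo "iptables -A INPUT -p udp -s $src --dport 111 -j ACCEPT"
    done
    # Only the gluster/NFS ports are dropped here; the rest of the INPUT
    # chain policy is left to the existing firewall.
    echo "iptables -A INPUT -p tcp -m multiport --dports $tcp_ports -j DROP"
    echo "iptables -A INPUT -p udp --dport 111 -j DROP"
}

# count_rules PEERS CLIENTS BRICK_RANGE: number of rule lines produced
# (two per trusted source plus the two DROP rules).
count_rules() {
    gluster_fw_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

gluster_fw_rules "$PEERS" "$CLIENT_NET" "$BRICK_PORTS"
```

The rules only print; pipe them through `sh` on the gluster node once you have checked the port range. Note that this does not give clients any less than peers get: a host in `CLIENT_NET` can still reach 24007 and talk to glusterd, which is exactly the limitation the thread describes; the remaining protection is that a "peer probe" has to be initiated from an existing member of the pool.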