You might wonder, but yes, Veritas is still alive and there are customers who use it and are very happy with it. Recently we upgraded a large cluster from Veritas 5/RHEL5 to Veritas InfoScale 7.3/RHEL7 and I must say that the migration was straightforward and very smooth (when I have time I'll write another post specific to the migration). At some point during this project the requirement came up to enable the firewall on the Linux hosts, so we needed to figure out all the ports involved and then set up the firewall rules for them. This is how we did it…
The first step was to create a new zone because we did not want to modify any of the default zones:
root@:/home/oracle/ [] firewall-cmd --permanent --new-zone=OracleVeritas
root@:/home/oracle/ [] firewall-cmd --reload
success
root@:/home/oracle/ [] firewall-cmd --get-zones
OracleVeritas block dmz drop external home internal public trusted work
The ports required for Veritas InfoScale are documented here. This is the set of ports we defined:
##### SSH
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-service=ssh
##### Veritas ports
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=4145/udp # vxio
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=4145/tcp # vxio
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=5634/tcp # xprtld
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=8199/tcp # vras
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=8989/tcp # vxreserver
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14141/tcp # had
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14144/tcp # notifier
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14144/udp # notifier
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14149/tcp # vcsauthserver
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14149/udp # vcsauthserver
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14150/tcp # CmdServer
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14155/tcp # wac
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14155/udp # wac
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14156/tcp # steward
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14156/udp # steward
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=443/tcp # Vxspserv
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=49152-65535/tcp # vxio
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=49152-65535/udp # vxio
#### Oracle ports
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=1521/tcp # listener
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=3872/tcp # cloud control agent
Be aware that the two 49152-65535 entries open the complete ephemeral port range for TCP and UDP on the interfaces bound to this zone, so anything that happens to listen on a high port is reachable as well. If the peers that need vxio on those ports are known, it is better to restrict these two entries to their source addresses with a rich rule instead of opening them to any source.
Because we wanted the firewall only on the public network and not on the interconnect, we bound only the public interfaces to the zone:
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --change-interface=bond0
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --change-interface=eth0
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --change-interface=eth2
One additional step to make this persistent across reboots is to add the zone to the interface configuration (NetworkManager does this automatically for interfaces it controls; for interfaces it does not control you have to add it yourself):
root@:/home/oracle/ [] echo "ZONE=OracleVeritas" >> /etc/sysconfig/network-scripts/ifcfg-eth0
root@:/home/oracle/ [] echo "ZONE=OracleVeritas" >> /etc/sysconfig/network-scripts/ifcfg-eth2
root@:/home/oracle/ [] echo "ZONE=OracleVeritas" >> /etc/sysconfig/network-scripts/ifcfg-bond0
Restart the firewall service:
root@:/home/oracle/ [] systemctl restart firewalld
… and it should be active:
root@:/home/postgres/ [] firewall-cmd --get-active-zones
OracleVeritas
  interfaces: eth0 eth2 bond0
public
  interfaces: eth1 eth3
root@:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --list-all
OracleVeritas (active)
  target: default
  icmp-block-inversion: no
  interfaces: bond0 eth0 eth2
  sources:
  services:
  ports: 4145/udp 4145/tcp 5634/tcp 8199/tcp 8989/tcp 14141/tcp 14144/tcp 14144/udp 14149/tcp 14149/udp 14150/tcp 14155/tcp 14155/udp 14156/tcp 14156/udp 443/tcp 49152-65535/tcp 49152-65535/udp 1521/tcp 3872/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Two things are worth checking in this output before you rely on it. First, the services line is empty although ssh was added above, so confirm with firewall-cmd --zone=OracleVeritas --list-services that SSH really is allowed, otherwise the next reload can lock you out. Second, the interconnect interfaces eth1 and eth3 are still in the default public zone, which filters IP traffic on them with its own rules; if the interconnect is meant to be completely unfiltered, those interfaces belong in the trusted zone (which accepts everything) rather than in public.
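To keep the zone reproducible and to notice drift later (a port somebody added by hand, or one that went missing after a restart), the port list above can be kept in one table that both generates the firewall-cmd commands and audits the running zone. The following script is an added example and not part of the original post or of Veritas; the function names, the optional source subnet 10.10.0.0/24 and the "more than 1024 ports" threshold are assumptions for illustration. gen_rules prints the commands instead of running them, so the output can be reviewed first; with a source subnet the two 49152-65535 ranges are emitted as rich rules limited to that subnet. audit_ports takes the output of firewall-cmd --zone=OracleVeritas --list-ports (or the ports: line of --list-all) and reports what is missing from or extra to the table.

```shell
#!/bin/sh
# Added helper (not from the post): build the OracleVeritas zone from one
# port table and audit a live zone against it. All names are hypothetical.
set -eu

# Port table taken from the post: port/proto and the process it serves.
VERITAS_PORTS='
4145/udp vxio
4145/tcp vxio
5634/tcp xprtld
8199/tcp vras
8989/tcp vxreserver
14141/tcp had
14144/tcp notifier
14144/udp notifier
14149/tcp vcsauthserver
14149/udp vcsauthserver
14150/tcp CmdServer
14155/tcp wac
14155/udp wac
14156/tcp steward
14156/udp steward
443/tcp Vxspserv
49152-65535/tcp vxio
49152-65535/udp vxio
1521/tcp listener
3872/tcp cloud-control-agent
'

# expected_ports: the port/proto column of the table, one per line, sorted.
expected_ports() {
    printf '%s\n' "$VERITAS_PORTS" | awk 'NF { print $1 }' | sort
}

# gen_rules ZONE [SOURCE_CIDR]: print the firewall-cmd commands that build the
# zone. Nothing is executed here; review the output, then pipe it into sh as
# root. With SOURCE_CIDR (assumed, e.g. the cluster's public subnet) the wide
# port ranges become rich rules that accept traffic from that source only.
gen_rules() {
    zone=$1; src=${2:-}
    echo "firewall-cmd --permanent --new-zone=$zone"
    echo "firewall-cmd --reload"
    echo "firewall-cmd --permanent --zone=$zone --add-service=ssh"
    printf '%s\n' "$VERITAS_PORTS" | awk -v z="$zone" -v src="$src" '
        NF {
            if (src != "" && index($1, "-")) {
                split($1, pp, "/"); q = "\047"
                r = sprintf("rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept", src, pp[1], pp[2])
                printf "firewall-cmd --permanent --zone=%s --add-rich-rule=%s%s%s   # %s from %s only\n", z, q, r, q, $2, src
            } else {
                printf "firewall-cmd --permanent --zone=%s --add-port=%s   # %s\n", z, $1, $2
            }
        }'
    echo "firewall-cmd --reload"
}

# wide_ranges [MAX]: table entries that open more than MAX ports (default 1024),
# printed with the number of ports they cover.
wide_ranges() {
    printf '%s\n' "$VERITAS_PORTS" | awk -v max="${1:-1024}" 'NF && index($1, "-") {
        split($1, pp, "/"); split(pp[1], r, "-")
        if (r[2] - r[1] + 1 > max) print $1, r[2] - r[1] + 1 }'
}

# audit_ports "PORTS": PORTS is the output of
#   firewall-cmd --zone=OracleVeritas --list-ports
# (or the ports: line of --list-all). Prints MISSING/EXTRA lines and returns 1
# on any drift from the table, 0 when the live zone matches it exactly.
audit_ports() {
    exp_set=" $(expected_ports | tr '\n' ' ')"
    act_set=" $(printf '%s\n' "$1" | tr ' ' '\n' | awk 'NF' | sort -u | tr '\n' ' ')"
    rc=0
    for p in $exp_set; do
        case "$act_set" in *" $p "*) ;; *) echo "MISSING $p"; rc=1 ;; esac
    done
    for p in $act_set; do
        case "$exp_set" in *" $p "*) ;; *) echo "EXTRA $p"; rc=1 ;; esac
    done
    return $rc
}
```

Typical use on a cluster node is gen_rules OracleVeritas 10.10.0.0/24 to review the commands, and audit_ports "$(firewall-cmd --zone=OracleVeritas --list-ports)" from a cron job or a post-change check, which fails loudly when the live zone no longer matches the table. wide_ranges exists only to make the size of the ephemeral-range entries visible: each of them covers 16384 ports.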
Just for completeness: You can also directly check the configuration file for the zone:
root@:/home/oracle/ [] cat /etc/firewalld/zones/OracleVeritas.xml
Hope this helps …