You might wonder, but yes, Veritas is still alive and there are customers that use it and are very happy with it. Recently we upgraded a large cluster from Veritas 5/RHEL5 to Veritas InfoScale 7.3/RHEL7 and I must say that the migration was straightforward and very smooth (when I have time I’ll write another post specific to the migration). At some point during this project the requirement to enable the firewall on the Linux hosts came up, so we needed to figure out all the ports and then set up the firewall rules for them. This is how we did it…
The first step was to create a new zone because we did not want to modify any of the default zones:
[email protected]:/home/oracle/ [] firewall-cmd --permanent --new-zone=OracleVeritas
[email protected]:/home/oracle/ [] firewall-cmd --reload
success
[email protected]:/home/oracle/ [] firewall-cmd --get-zones
OracleVeritas block dmz drop external home internal public trusted work
The ports required for Veritas InfoScale are documented here. This is the set of ports we defined:
##### SSH
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-service=ssh
##### Veritas ports
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=4145/udp # vxio
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=4145/tcp # vxio
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=5634/tcp # xprtld
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=8199/tcp # vras
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=8989/tcp # vxreserver
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14141/tcp # had
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14144/tcp # notifier
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14144/udp # notifier
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14149/tcp # vcsauthserver
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14149/udp # vcsauthserver
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14150/tcp # CmdServer
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14155/tcp # wac
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14155/udp # wac
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14156/tcp # steward
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=14156/udp # steward
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=443/tcp # Vxspserv
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=49152-65535/tcp # vxio
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=49152-65535/udp # vxio
#### Oracle ports
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=1521/tcp # listener
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --permanent --add-port=3872/tcp # cloud control agent
Because we wanted the firewall only on the public network and not on the interconnect, we changed the interfaces assigned to the zone:
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --change-interface=bond0
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --change-interface=eth0
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --change-interface=eth2
One additional step to make this persistent is to add the zone to the interface configuration (this is done automatically if the interfaces are under the control of NetworkManager):
[email protected]:/home/oracle/ [] echo "ZONE=OracleVeritas" >> /etc/sysconfig/network-scripts/ifcfg-eth0
[email protected]:/home/oracle/ [] echo "ZONE=OracleVeritas" >> /etc/sysconfig/network-scripts/ifcfg-eth2
[email protected]:/home/oracle/ [] echo "ZONE=OracleVeritas" >> /etc/sysconfig/network-scripts/ifcfg-bond0
Restart the firewall service:
[email protected]:/home/oracle/ [] systemctl restart firewalld
… and it should be active:
[email protected]:/home/postgres/ [] firewall-cmd --get-active-zones
OracleVeritas
  interfaces: eth0 eth2 bond0
public
  interfaces: eth1 eth3
[email protected]:/home/oracle/ [] firewall-cmd --zone=OracleVeritas --list-all
OracleVeritas (active)
  target: default
  icmp-block-inversion: no
  interfaces: bond0 eth0 eth2
  sources:
  services:
  ports: 4145/udp 4145/tcp 5634/tcp 8199/tcp 8989/tcp 14141/tcp 14144/tcp 14144/udp 14149/tcp 14149/udp 14150/tcp 14155/tcp 14155/udp 14156/tcp 14156/udp 443/tcp 49152-65535/tcp 49152-65535/udp 1521/tcp 3872/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Just for completeness: you can also check the configuration file for the zone directly:
[email protected]:/home/oracle/ [] cat /etc/firewalld/zones/OracleVeritas.xml
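As an added example (not from the original post), the same setup written as a small script: the port table drives the firewall-cmd calls, and a helper compares the ports a zone actually exposes, as printed by firewall-cmd --list-all, against that table so a missing or leftover port is noticed after a reload. The zone name and ports are the post's; the helper names and the sample output are my own.

```bash
#!/bin/bash
# Added example, not code from the original post. Zone and ports as in the
# post; emit_port_cmds / missing_ports are helper names chosen here.
set -u
ZONE=OracleVeritas

# Ports the post opens in the zone, as "port/proto".
EXPECTED_PORTS='4145/udp 4145/tcp 5634/tcp 8199/tcp 8989/tcp 14141/tcp
14144/tcp 14144/udp 14149/tcp 14149/udp 14150/tcp 14155/tcp 14155/udp
14156/tcp 14156/udp 443/tcp 49152-65535/tcp 49152-65535/udp 1521/tcp 3872/tcp'

# Print the firewall-cmd calls that open every expected port permanently in
# $ZONE (run as root; --permanent rules only apply after firewall-cmd --reload).
emit_port_cmds() {
  local p
  for p in $EXPECTED_PORTS; do
    printf 'firewall-cmd --zone=%s --permanent --add-port=%s\n' "$ZONE" "$p"
  done
}

# Read the text of `firewall-cmd --zone=$ZONE --list-all` on stdin and print
# every expected port that is absent from its "ports:" line (no output means
# the zone matches the table).
missing_ports() {
  local live p
  live=" $(sed -n 's/^[[:space:]]*ports:[[:space:]]*//p') "
  for p in $EXPECTED_PORTS; do
    case "$live" in
      *" $p "*) ;;
      *) echo "$p" ;;
    esac
  done
}

# Constructed sample of --list-all output: the post's zone with 3872/tcp
# (cloud control agent) left out, so the check has something to report.
SAMPLE_LIST_ALL='OracleVeritas (active)
  target: default
  interfaces: bond0 eth0 eth2
  ports: 4145/udp 4145/tcp 5634/tcp 8199/tcp 8989/tcp 14141/tcp 14144/tcp 14144/udp 14149/tcp 14149/udp 14150/tcp 14155/tcp 14155/udp 14156/tcp 14156/udp 443/tcp 49152-65535/tcp 49152-65535/udp 1521/tcp
  protocols:'

if [ "${1:-}" = "--check-live" ] && command -v firewall-cmd >/dev/null 2>&1; then
  firewall-cmd --zone="$ZONE" --list-all | missing_ports   # live check on a host
else
  printf '%s\n' "$SAMPLE_LIST_ALL" | missing_ports          # prints: 3872/tcp
fi
```

Run with --check-live on the cluster node to compare the real zone; without it the script only exercises the constructed sample.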
Hope this helps …