Firewalls
Port list
Ondat daemons listen on specific ports, which we require to be accessible between all nodes in the cluster:
Port Number | TCP/UDP | Use |
---|---|---|
5701 | tcp | gRPC |
5702 | tcp | Prometheus |
5703 | tcp | DirectFS |
5704 | tcp | Dataplane health check |
5705 | tcp | REST API |
5706 | tcp | ETCD service |
5707 | tcp | ETCD service |
5708 | tcp | NATS service |
5709 | tcp | NATS service |
5710 | tcp | NATS service |
5711 | tcp & udp | Gossip service |
Ondat also uses ephemeral source ports to dial out to these ports on other Ondat nodes, so outbound traffic must be permitted as well.
Firewalls and VPS providers
Some VPS providers (such as Digital Ocean) ship default firewall rulesets which must be updated to allow Ondat to run. Some example rules are shown below; modify them to suit your environment.
UFW
For distributions using UFW, such as RHEL and derivatives:
```shell
ufw default allow outgoing
ufw allow 5701:5711/tcp
ufw allow 5711/udp
```
Firewalld
For distributions that use firewalld to manage iptables, such as some OpenShift installations:
```shell
firewall-cmd --permanent --new-service=storageos
firewall-cmd --permanent --service=storageos --add-port=5700-5800/tcp
firewall-cmd --add-service=storageos --zone=public --permanent
firewall-cmd --reload
```
Note that this service definition opens 5700-5800/tcp, which is wider than the port list above, and does not open 5711/udp for the gossip service; adjust the --add-port values if you want the service to match the table exactly.
Iptables
For those using plain iptables:
```shell
# Inbound traffic
iptables -I INPUT -i lo -m comment --comment 'Permit loopback traffic' -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -m comment --comment 'Permit established traffic' -j ACCEPT
iptables -I INPUT -p tcp --dport 5701:5711 -m comment --comment 'Ondat' -j ACCEPT
iptables -I INPUT -p udp --dport 5711 -m comment --comment 'Ondat' -j ACCEPT
# Outbound traffic
iptables -I OUTPUT -o lo -m comment --comment 'Permit loopback traffic' -j ACCEPT
iptables -I OUTPUT -d 0.0.0.0/0 -m comment --comment 'Permit outbound traffic' -j ACCEPT
```
Please ensure that the iptables rules you have added above come before any default DROP or REJECT rules. `-I` inserts each rule at the head of the chain, so the commands as written achieve this; if you append with `-A` instead, a pre-existing catch-all DROP or REJECT will shadow the Ondat rules. Check the resulting order with `iptables -S INPUT`.
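To confirm the ordering requirement above is actually met on a node, the following added example (not part of the Ondat documentation or tooling) audits `iptables -S INPUT` output: for every port in the table it walks the chain in order and reports the first terminal target a new connection from a peer would hit. The sample rule listings are constructed; it assumes peer traffic never arrives on `lo` and that negated (`!`) matches are not in use.

```python
import shlex
REQUIRED = [("tcp", p) for p in range(5701, 5712)] + [("udp", 5711)]  # from the table above
# Constructed `iptables -S INPUT` output: this page's rules, which -I placed at the top
# (last inserted first), ahead of a pre-existing catch-all REJECT.
SAMPLE_GOOD = """\
-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 5711 -m comment --comment Ondat -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5701:5711 -m comment --comment Ondat -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Permit established traffic" -j ACCEPT
-A INPUT -i lo -m comment --comment "Permit loopback traffic" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Constructed: the same tcp rule appended with -A instead, so the REJECT shadows it.
SAMPLE_BAD = """\
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 5701:5711 -m comment --comment Ondat -j ACCEPT
"""
FIELDS = {"-p": "proto", "-i": "iface", "-j": "target", "--dport": "ports",
          "--state": "states", "--ctstate": "states"}  # iptables flag -> field we evaluate

def parse_rule(line):
    """Reduce one `-A INPUT ...` line to the fields that decide whether it matches."""
    toks = shlex.split(line)  # shlex keeps quoted comments together
    rule = {**dict.fromkeys(FIELDS.values()), **{FIELDS[t]: a for t, a in zip(toks, toks[1:]) if t in FIELDS}}
    if rule["ports"]:  # single port or lo:hi range
        lo, _, hi = rule["ports"].partition(":")
        rule["ports"] = (int(lo), int(hi or lo))
    if rule["states"]:
        rule["states"] = set(rule["states"].split(","))
    return rule

def matches_new_peer_conn(rule, proto, port):
    """Would a NEW peer connection to proto/port hit this rule? Assumes no peer traffic on lo, no negated matches."""
    if rule["iface"] == "lo" or (rule["states"] and "NEW" not in rule["states"]):
        return False  # e.g. an ESTABLISHED,RELATED rule never sees a fresh SYN
    if rule["proto"] not in (None, proto):
        return False
    return rule["ports"] is None or rule["ports"][0] <= port <= rule["ports"][1]

def audit(rules_text, required=REQUIRED):
    """First terminal target matching each required (proto, port), else the chain policy; non-ACCEPT needs attention."""
    policy, rules = "ACCEPT", []
    for line in rules_text.splitlines():
        if line.startswith("-P INPUT "):
            policy = line.split()[2]
        elif line.startswith("-A INPUT "):
            rules.append(parse_rule(line))
    return {(proto, port): next((r["target"] for r in rules if r["target"] in ("ACCEPT", "DROP", "REJECT")
                                 and matches_new_peer_conn(r, proto, port)), policy)
            for proto, port in required}
```

Jumps to custom chains (for example the KUBE-* chains Kubernetes installs) are skipped rather than followed, so a verdict of ACCEPT here means the Ondat rule is reachable, not that nothing else could interfere.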