GlusterFS firewall rules

GlusterFS firewall rules

Category : How-to

Get Social!

gluster-orange-antIf you can, your storage servers should be in a secure zone in your network removing the need to firewall each machine. Inspecting packets incurs an overhead, not something you need on a high performance file server so you should not run a file server in an insecure zone. If you are using GlusterFS behind a firewall you will need to allow several ports for GlusterFS to communicate with clients and other servers. The following ports are all TCP:

Note: the brick ports have changed since version 3.4. 

  • 24007 – Gluster Daemon
  • 24008 – Management
  • 24009 and greater (GlusterFS versions less than 3.4) OR
  • 49152 (GlusterFS versions 3.4 and later) – Each brick for every volume on your host requires it’s own port. For every new brick, one new port will be used starting at 24009 for GlusterFS versions below 3.4 and 49152 for version 3.4 and above. If you have one volume with two bricks, you will need to open 24009 – 24010 (or 49152 – 49153).
  • 38465 – 38467 – this is required if you by the Gluster NFS service.

The following ports are TCP and UDP:

  • 111 – portmapper


8 Comments

khoi

30-Sep-2013 at 2:53 pm

There have been changes of port creation of volumes starting on glusterfs release 3.4.1

https://forge.gluster.org/gluster-docs-project/pages/GlusterFS_34_Release_Notes

    james.coyle

    30-Sep-2013 at 3:04 pm

    Thanks for the info, Khoi – I have updated the post.

Michael Kennedy

19-Mar-2014 at 10:38 am

The NFS ports are incorrect. 38465:38467. The highlighted characters have been transposed.

http://gluster.org/community/documentation/index.php/Gluster_3.2:_Installing_GlusterFS_on_Red_Hat_Package_Manager_(RPM)_Distributions

    james.coyle

    19-Mar-2014 at 12:50 pm

    Thanks for spotting the typo – post updated.

Alexander

25-Jun-2014 at 11:50 am

Another minor typo :)

If you have one volume with two bricks, you will need to open 24009 – 24010 (or 49152 – 59153).

That should probably be:

If you have one volume with two bricks, you will need to open 24009 – 24010 (or 49152 – 49153).

    james.coyle

    25-Jun-2014 at 12:23 pm

    Good catch – thank you.

Ernie Dunbar

1-Feb-2017 at 4:48 pm

The problem with completely cutting your Gluster servers off from the rest of the internet, is that you need the internet to perform server upgrades in most cases.

Other than that, I suppose that’s a fine strategy.

    Peter Crowther

    9-Nov-2018 at 4:04 pm

    Some of the systems I manage are used for medical research and the like, and are therefore heavily regulated. We keep our package repositories in house, so that we know when we’ve updated them and can update on our test network before we take anything live. Use cases vary – I’d much rather have systems that were easier to update, but when you have lives on the line if you get it wrong then you put the effort into getting it right :-).

Leave a Reply

Visit our advertisers

Quick Poll

Are you using Docker.io?

Visit our advertisers