
Hello,

I am trying to test the application validation.

For the first attempt, some flows have been blocked by physical firewalls; I opened ports 2049, 2050 and 111 from ESXi to the HSX nodes.

I still have the issue. We checked the physical FW logs and we see that the ports are allowed.

Is there any flow to open on the internal firewall (firewall-cmd)? 2049, 2050 and 111?

Thanks !

Hi @BloopaAgain

Do we have firewalld enabled on HSX? I don't see port 2050 as part of any predefined XML. NFS uses port 2049, which is part of the block zone. 111 is part of the rpcbind service.

Verify if we can telnet to the HSX nodes from ESX on ports 2049 & 2050.

Regards,


Hello @R Anwar, yes, the firewall is enabled; netcat from ESXi to HSX on 2049, 2050 and 111 is KO.

Here is the output:

[root@hsx02 ~]# firewall-cmd --get-default-zone
block

[root@hsx02 ~]# firewall-cmd --get-active-zones
block
  interfaces: bond1
cv_storage_zone
  interfaces: bond2

[root@hsx02 ~]# firewall-cmd --list-all
block (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: bond1
  sources:
  services: commvault nfs nfs3 ntp rpc-bind ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


It is definitely an issue with the internal firewall.

From hsx1 to hsx2 I cannot reach ports 2049 and 111.

On hsx2 the ports are listening:

tcp           LISTEN         0              128   0.0.0.0:22                         0.0.0.0:*           users:(("sshd",pid=1455681,fd=3))
tcp           LISTEN         0              128   [::]:111                           [::]:*             users:(("rpcbind",pid=2878,fd=6),("systemd",pid=1,fd=116))
tcp           LISTEN         0              100   *:2049                             *:*                 users:(("3dnfsd.exe",pid=3483922,fd=3))


Hi @BloopaAgain

Try the following steps and let me know if they help. Do this only on HSX2.

vi /etc/firewalld/services/hedvig.xml

Add line
<port protocol="tcp" port="111"/>             <!-- rpc-bind -->

Restart firewalld service on hsx2 and see if you can connect on port 111 from hsx1

Regards,


111 is already present,

but nc from hsx1 to hsx2 on port 111 doesn't work,

but nc from hsx1 to hsx2 on port 22 works.

I have a ticket opened; I'll let you know.


<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Hedvig services</short>
  <description></description>
  <port protocol="tcp" port="2181"/>            <!-- Server Event Manager -->
  <port protocol="tcp" port="2224"/>            <!-- PCSD/Pacemaker/Corosync -->
  <port protocol="tcp" port="3000"/>            <!-- Zookeeper -->
  <port protocol="tcp" port="3121"/>            <!-- Pacemaker -->
  <port protocol="tcp" port="4000"/>            <!-- Zookeeper -->
  <port protocol="tcp" port="4321"/>            <!-- NFS Lock server -->
  <port protocol="tcp" port="7000-7006"/>       <!-- Gossip/Thrift -->
  <port protocol="tcp" port="7010"/>            <!-- Gossip/Thrift -->
  <port protocol="tcp" port="7100"/>            <!-- Gossip/Thrift -->
  <port protocol="tcp" port="7500"/>            <!-- Gossip/Thrift -->
  <port protocol="tcp" port="8000"/>            <!-- Gossip/Thrift -->
  <port protocol="tcp" port="8750"/>            <!-- rquotad server -->
  <port protocol="tcp" port="8777-8778"/>       <!-- Gossip/Thrift -->
  <port protocol="tcp" port="8090-8096"/>       <!-- Gossip/Thrift -->
  <port protocol="tcp" port="11001"/>           <!-- Gossip/Thrift -->
  <port protocol="tcp" port="11002"/>           <!-- Gossip/Thrift -->
  <port protocol="tcp" port="11118"/>           <!-- H-Pod CLI -->
  <port protocol="tcp" port="15000"/>           <!-- Gossip/Thrift -->
  <port protocol="tcp" port="21064"/>           <!-- Distributed Lock Manager -->
  <port protocol="tcp" port="50000-50008"/>     <!-- CVM Thrift -->
  <port protocol="tcp" port="50022"/>           <!-- CVM Thrift -->
  <port protocol="udp" port="111"/>             <!-- rpc-bind -->
  <port protocol="udp" port="1024-65535"/>      <!-- rpc-bind -->
</service>


Hi @BloopaAgain

It's because 111 is set up for UDP in the FW rules. I tested the same and it only worked after I added another line with TCP. I didn't want to remove the UDP one yet.

Regards,
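The mismatch above (rpcbind listening on tcp/111 while hedvig.xml only opens udp/111) is easy to miss by eye in a long service file. The following checker is an added example, not part of this thread or of the product: it parses a firewalld service XML, expands port ranges, and reports which required protocol/port pairs the file does not open. The embedded XML is a trimmed copy of the hedvig.xml posted above (constructed test input); it only inspects the one service file, so ports opened by other services in the zone (for example nfs on tcp/2049) are not taken into account.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the hedvig.xml shown in the thread (constructed test input;
# only the entries relevant to the question are kept).
HEDVIG_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Hedvig services</short>
  <port protocol="tcp" port="4321"/>
  <port protocol="tcp" port="7000-7006"/>
  <port protocol="udp" port="111"/>
  <port protocol="udp" port="1024-65535"/>
</service>
"""


def load_service_ports(xml_text):
    """Return (protocol, low, high) tuples for every <port> element.

    A single port such as "111" becomes (proto, 111, 111); a range such as
    "7000-7006" becomes (proto, 7000, 7006).
    """
    root = ET.fromstring(xml_text)
    entries = []
    for elem in root.findall("port"):
        proto = elem.get("protocol")
        low, _, high = elem.get("port").partition("-")
        entries.append((proto, int(low), int(high) if high else int(low)))
    return entries


def port_allowed(entries, proto, port):
    """True if proto/port falls inside any entry of the same protocol."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in entries)


def missing_ports(xml_text, required):
    """Return the (proto, port) pairs from `required` that the file does not open."""
    entries = load_service_ports(xml_text)
    return [(p, n) for p, n in required if not port_allowed(entries, p, n)]


if __name__ == "__main__":
    # rpcbind and the NFS daemon listen on TCP, so tcp/111 and tcp/2049 are needed
    # in addition to udp/111; 2050 is the extra port asked about in the thread.
    needed = [("tcp", 111), ("udp", 111), ("tcp", 2049), ("tcp", 2050)]
    for proto, port in missing_ports(HEDVIG_XML, needed):
        print(f"{proto}/{port} is not opened by this service definition")
```

Run against the real file with `missing_ports(open("/etc/firewalld/services/hedvig.xml").read(), needed)`; after the TCP line for 111 is added and firewalld reloaded, tcp/111 drops out of the report.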

