Using SuSEfirewall2 with Novell Cluster Services (NCS)

  • 7002738
  • 16-Mar-2009
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 1 (OES 1)
Novell Open Enterprise Server 2 (OES 2)
Novell SUSE Linux Enterprise Server 9
Novell SUSE Linux Enterprise Server 10
Novell Cluster Services

Situation

The default configuration of SuSEfirewall2 does not allow NCS traffic (IP protocol 224) through interfaces defined in the EXT zone. This prevents NCS cluster nodes from joining the cluster. (The first node will start the cluster successfully. However, secondary nodes fail to communicate with the master, and end up stuck in a "joining" state.)

Resolution

In order for NCS nodes to communicate properly, any firewall between nodes must be configured to allow communication through the following ports and protocols:

         TCP port 7023
         IP protocol 224

When using SuSEfirewall2, the necessary changes can be made from the YaST | Security and Users | Firewall module. These firewall changes must be done on all nodes of the cluster. However, the default configuration on many servers places the interfaces in the EXT firewall zone. While TCP port 7023 can be allowed through interfaces in this zone, the default EXT zone configuration contains a rule which drops all broadcast traffic. This rule also causes all NCS traffic (IP protocol 224) to be dropped.

There are several ways to avoid this problem:
  1. Enable broadcast packets in the EXT zone.
    • The rule to drop all broadcast packets in the EXT zone can be disabled by setting the following value in the /etc/sysconfig/SuSEfirewall2 configuration file:
      FW_ALLOW_FW_BROADCAST_EXT="yes"
    • Restart SuSEfirewall2 using `rcSuSEfirewall2 restart`.

  2. Assign the server interfaces to a zone other than EXT.
    • The EXT zone is the only zone which prevents all broadcast packets. The YaST | Security and Users | Firewall module can be used to assign the interfaces to the INT or DMZ zones, rather than the EXT zone.  (Custom zones can also be created by adding a new zone name to the FW_ZONES field in /etc/sysconfig/SuSEfirewall2.)
    • Restart SuSEfirewall2 using `rcSuSEfirewall2 restart`.

  3. A custom rule can be used to allow NCS protocol packets prior to the rule which drops all broadcast packets.
    • In the /etc/sysconfig/SuSEfirewall2 configuration file, set FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
    • In the /etc/sysconfig/scripts/SuSEfirewall2-custom file, add the desired custom rule to the "fw_custom_before_port_handling" section. A sample rule that allows the 224 protocol is:
      iptables -I INPUT 1 -m pkttype --pkt-type broadcast -p 224 -j ACCEPT
    • Restart SuSEfirewall2 using `rcSuSEfirewall2 restart`.

  4. If the environment is secure, disabling SuSEfirewall2 is another possible resolution to this issue.
    • `insserv -r SuSEfirewall2_init SuSEfirewall2_setup`
    • `rcSuSEfirewall2 stop`

Once the firewall configuration has been modified, restarting NCS (using `rcnovell-ncs restart`) will allow the secondary cluster nodes to join the cluster successfully.
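The conditions behind resolutions 1 to 3, collected into a small audit script that reports whether a node's SuSEfirewall2 configuration would still drop NCS traffic (IP protocol 224) in the EXT zone. This is an added example, not part of the Novell TID and not a SuSEfirewall2 tool; it reads a file in the KEY="value" form of /etc/sysconfig/SuSEfirewall2 and assumes the standard variables FW_DEV_EXT (interfaces in the EXT zone) and FW_SERVICES_EXT_TCP (TCP ports opened in EXT), which the article itself does not mention. It runs on constructed sample files and never calls iptables.

```shell
#!/bin/sh
# Added example for this TID (not Novell's own tooling): audit a SuSEfirewall2
# sysconfig file for the NCS-related settings discussed above and report whether
# IP protocol 224 would be dropped together with broadcasts in the EXT zone.
# Assumptions: KEY="value" lines as in /etc/sysconfig/SuSEfirewall2; FW_DEV_EXT
# lists the EXT interfaces and FW_SERVICES_EXT_TCP the TCP ports opened in EXT.

# Print the (last) value assigned to variable $2 in sysconfig file $1, quotes stripped.
sfw_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Return 0 if custom rules file $1 contains an active (uncommented) iptables rule
# that accepts IP protocol 224, as added under resolution 3.
has_ncs_custom_rule() {
    [ -n "$1" ] && [ -r "$1" ] &&
        grep -E -q '^[[:space:]]*iptables.*-p[[:space:]]+224.*-j[[:space:]]+ACCEPT' "$1"
}

# Return 0 if NCS traffic can pass the firewall described by sysconfig file $1,
# 1 otherwise; the reason is printed on stdout.
ncs_fw_check() {
    cfg=$1
    ext_ifaces=$(sfw_get "$cfg" FW_DEV_EXT)

    # Resolution 2: with no interface in EXT the broadcast drop rule never applies.
    if [ -z "$ext_ifaces" ]; then
        echo "ok: no interface assigned to the EXT zone"
        return 0
    fi

    # TCP port 7023 has to be opened in EXT for the nodes to talk at all.
    case " $(sfw_get "$cfg" FW_SERVICES_EXT_TCP) " in
        *" 7023 "*) ;;
        *) echo "blocked: TCP port 7023 is not listed in FW_SERVICES_EXT_TCP"; return 1 ;;
    esac

    # Resolution 1: the EXT broadcast drop rule is disabled outright.
    if [ "$(sfw_get "$cfg" FW_ALLOW_FW_BROADCAST_EXT)" = "yes" ]; then
        echo "ok: FW_ALLOW_FW_BROADCAST_EXT=yes, protocol 224 is not dropped in EXT"
        return 0
    fi

    # Resolution 3: a custom rule accepts protocol 224 ahead of the broadcast drop.
    if has_ncs_custom_rule "$(sfw_get "$cfg" FW_CUSTOMRULES)"; then
        echo "ok: FW_CUSTOMRULES accepts IP protocol 224"
        return 0
    fi

    echo "blocked: interfaces '$ext_ifaces' are in EXT and protocol 224 is dropped with broadcasts"
    return 1
}

# Demo on constructed configuration files (not copied from any real server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed "default" state: interface in EXT, port 7023 opened, broadcasts still dropped.
cat > "$demo_dir/default.cfg" <<'EOF'
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="22 7023"
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_CUSTOMRULES=""
EOF

# Constructed custom rules file in the shape of SuSEfirewall2-custom; the commented
# line is a sample the check must ignore, the second line is the article's rule.
cat > "$demo_dir/SuSEfirewall2-custom" <<'EOF'
fw_custom_before_port_handling() {
    # iptables -I INPUT 1 -p 224 -j ACCEPT
    iptables -I INPUT 1 -m pkttype --pkt-type broadcast -p 224 -j ACCEPT
    true
}
EOF
cat > "$demo_dir/custom.cfg" <<EOF
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="22 7023"
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_CUSTOMRULES="$demo_dir/SuSEfirewall2-custom"
EOF

ncs_fw_check "$demo_dir/default.cfg"   # returns 1 (the situation this article describes)
ncs_fw_check "$demo_dir/custom.cfg"    # returns 0 (resolution 3 applied)
```

The functions can be pointed at a node's real file with `ncs_fw_check /etc/sysconfig/SuSEfirewall2`; a "blocked" result on every node but the master is consistent with the "joining" symptom above. The check reads the file with sed rather than sourcing it, so it can be run from an unprivileged account without executing anything the configuration file contains.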