andrijapanic commented on a change in pull request #13: Update Quick Installation Guide
URL: https://github.com/apache/cloudstack-documentation/pull/13#discussion_r228741736
 
 

 ##########
 File path: source/quickinstallationguide/qig.rst
 ##########
 @@ -308,37 +341,50 @@ Now you'll need uncomment the configuration values in 
the file
    STATD_OUTGOING_PORT=2020
 
 Now we need to configure the firewall to permit incoming NFS connections. 
-Edit the file /etc/sysconfig/iptables
+Create firewalldnfs.sh, and add the following content to it: 
 
 .. parsed-literal::
 
-   -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
-   -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-   -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 2049 -j 
ACCEPT
-   -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 32803 -j 
ACCEPT
-   -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 32769 -j 
ACCEPT
-   -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
-   -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
-   -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
-   -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
-   -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
-   -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT
-
-Now you can restart the iptables service with the following command:
+   #!/bin/bash
+
+   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 10 -m state 
--state ESTABLISHED,RELATED -j ACCEPT
 
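Review bot: the `firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 10 -m state --state ESTABLISHED,RELATED -j ACCEPT` line is a runtime-only change; without `--permanent` (plus `firewall-cmd --reload`), or a second invocation with `--permanent`, the rule is gone after the next firewalld reload or reboot, which is exactly when NFS-backed storage would stop working. The removed iptables rules also limited every NFS port (111, 2049, 32803, 32769, 892, 875, 662) to `-s 172.16.10.0/24`; only the blanket ESTABLISHED,RELATED accept is visible in the new script here, so the per-port rules that replace them should keep that source restriction rather than open the ports to all networks. The prose should additionally say where to save firewalldnfs.sh and that it must be made executable and run (`chmod +x firewalldnfs.sh && ./firewalldnfs.sh`), since the old text only required editing a file and restarting iptables.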
 Review comment:
  @rhtyd I'm not sure this would work (in my CentOS 7.latest minimal setup) - simply because BY DEFAULT iptables rules/chains:
  - traffic has been redirected to the INPUT_direct chain (empty for now, but we can add allow rules here - or we can add them, as you suggested, directly to the INPUT chain), but...
  - after a packet doesn't match any rule of the INPUT_direct chain it will go back for inspection to the INPUT chain - and here there is a default DROP rule!
  - i.e. in the example above I don't see TCP 8250 for CPVM/SSVM to Mgmt server - on my box it didn't work until I explicitly added the rule...
  
  I can assume the difference between your setup (which I'm sure works for you) and my setup is somewhere in the starting configuration of iptables (before we add any rules) - in the latest CentOS 7 that I installed, there is already a bunch of rules and chains existing...
  
  I also don't like firewall-cmd (again, it is present by default in the latest Minimal installation) and I also love the KISS method with iptables :) - but anyway it is NOT enough.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
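As an added example (not from the PR, the thread above or the CloudStack documentation), this bash script shows the approach the reviewer argues for: explicit allow rules in INPUT_direct, one per NFS port and restricted to the client subnet, added both at runtime and with `--permanent` so they survive a reload or reboot, with a dry-run mode so the generated rule set can be reviewed before anything is applied. The subnet 172.16.10.0/24 and the port list are taken from the iptables rules the hunk removes; `NFS_CLIENT_NET`, `nfs_direct_rules` and `apply_rules` are names chosen here. The TCP 8250 management-server rule the reviewer mentions is outside this NFS-only script and would need its own rule.

```shell
#!/bin/bash
# Added example, not from the PR or the CloudStack docs: open the NFS ports
# the guide's removed iptables rules allowed, but via firewalld direct rules
# that (a) keep the source-subnet restriction and (b) are added both at
# runtime and with --permanent so they survive a firewalld reload or reboot.
set -eu

# Assumption: the NFS clients (hypervisor hosts) live in the guide's subnet.
NFS_CLIENT_NET="${NFS_CLIENT_NET:-172.16.10.0/24}"

# proto:port pairs copied from the removed iptables rules: portmapper (111),
# nfsd (2049) and the fixed lockd/statd/mountd/rquotad ports that the guide
# pins in /etc/sysconfig/nfs earlier on.
NFS_PORTS="udp:111 tcp:111 tcp:2049 tcp:32803 udp:32769 tcp:892 udp:892 tcp:875 udp:875 tcp:662 udp:662"

# Print the firewall-cmd invocations instead of running them, so the rule set
# can be reviewed or tested on a host without firewalld. $3 is "" for the
# runtime rules or "--permanent" for the persistent copy.
nfs_direct_rules() {
    local net="$1" ports="$2" perm="$3" pp proto port
    # Replies to connections this host already has. Priority 10 places it
    # ahead of the per-port rules below (lower number = matched first).
    echo "firewall-cmd ${perm:+$perm }--direct --add-rule ipv4 filter INPUT_direct 10 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for pp in $ports; do
        proto="${pp%%:*}"; port="${pp##*:}"
        # New connections only from the client subnet, one rule per port. A
        # packet matching none of these falls through to firewalld's own
        # INPUT processing and its default reject/drop, as the reviewer notes.
        echo "firewall-cmd ${perm:+$perm }--direct --add-rule ipv4 filter INPUT_direct 20 -s $net -m state --state NEW -p $proto --dport $port -j ACCEPT"
    done
}

apply_rules() {
    local cmd
    # Runtime rules take effect immediately; the --permanent copies are what
    # firewalld reads back from disk on reload or boot.
    nfs_direct_rules "$NFS_CLIENT_NET" "$NFS_PORTS" "" | while read -r cmd; do eval "$cmd"; done
    nfs_direct_rules "$NFS_CLIENT_NET" "$NFS_PORTS" "--permanent" | while read -r cmd; do eval "$cmd"; done
    # Show what firewalld actually holds so the result can be checked.
    firewall-cmd --direct --get-all-rules
}

case "${1:-}" in
    --dry-run) nfs_direct_rules "$NFS_CLIENT_NET" "$NFS_PORTS" "--permanent" ;;
    --apply)   apply_rules ;;
esac
```

Run `./firewalldnfs.sh --dry-run` first and compare the printed rules against the ports in the guide, then `./firewalldnfs.sh --apply` as root; `firewall-cmd --direct --get-all-rules` at the end is the check that the rules really landed in INPUT_direct rather than being silently lost to the runtime/permanent split.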