
Installing and Configuring an Oracle® Solaris Cluster 4.4 Environment


Updated: September 2019

How to Configure Packet Filter

Perform this procedure to configure the Packet Filter (PF) feature of Oracle Solaris software on the global cluster.


Note -  Only use PF with failover data services. The use of PF with scalable data services is not supported.

For more information about the PF feature, see Oracle Solaris Firewall in Securing the Network in Oracle Solaris 11.4.

Before You Begin

Read the guidelines and restrictions to follow when you configure PF in a cluster. See the "Packet Filter (PF) Feature" bullet item in Oracle Solaris OS Feature Requirements and Restrictions.

  1. Assume the root role.
  2. Add filter rules to the /etc/firewall/pf.conf file on all affected nodes.

    Observe the following guidelines and requirements when you add filter rules to Oracle Solaris Cluster nodes.

    • In the pf.conf file on each node, add rules that explicitly pass cluster interconnect traffic unfiltered. Rules without an "on interface" clause apply to every interface, including the cluster interconnects, so a default block rule silently covers the interconnects as well. Ensure that traffic on these interfaces is never blocked by mistake. If interconnect traffic is blocked, the PF configuration interferes with cluster membership and infrastructure operations.

      For example, suppose the following rules are currently used:

      # Default block { tcp, udp } unless some later rule overrides
      block return in proto { tcp, udp } from any to any
      
      # Default block ping unless some later rule overrides
      block return-icmp in proto icmp all
      
      # Allow traffic on localhost
      pass in quick to localhost
      pass out quick from localhost

      To unblock cluster interconnect traffic, add the following rules to the beginning of the pf.conf file. The subnets used are for example only. Determine the subnets on your nodes with the ipadm show-addr command, filtered for the interconnect adapters and the clprivnet interface. Note that ipadm displays the host address of each interface (for example, 172.16.0.65/26), whereas the PF rules must name the network address (172.16.0.64/26), which you obtain by masking the host address with the prefix length.

      # ipadm show-addr | egrep "net1|net2|clprivnet"
      net1/?            static   ok           172.16.0.65/26
      net2/?            static   ok           172.16.0.129/26
      clprivnet0/?      static   ok           172.16.2.1/24
      

      The first interconnect net1 adapter is on subnet 172.16.0.64/26

      The second interconnect net2 adapter is on subnet 172.16.0.128/26

      The private network interface clprivnet0 is on subnet 172.16.2.0/24

      The PF rules for the derived networks are:

      # Unblock cluster traffic on 172.16.0.64/26 subnet (physical interconnect)
      pass in quick proto { tcp, udp } from 172.16.0.64/26 to any flags any
      pass out quick proto { tcp, udp } from 172.16.0.64/26 to any flags any
      
      # Unblock cluster traffic on 172.16.0.128/26 subnet (physical interconnect)
      pass in quick proto { tcp, udp } from 172.16.0.128/26 to any flags any
      pass out quick proto { tcp, udp } from 172.16.0.128/26 to any flags any
      
      # Unblock cluster traffic on 172.16.2.0/24 (clprivnet0 subnet)
      pass in quick proto { tcp, udp } from 172.16.2.0/24 to any flags any
      pass out quick proto { tcp, udp } from 172.16.2.0/24 to any flags any
      
    • You can specify either the adapter name or the IP address for a cluster private network. For example, the following rule specifies a cluster private network by its adapter's name:

      # Allow all traffic on cluster private networks.
      pass in quick on net1 all flags any
      …
    • Oracle Solaris Cluster software fails over network addresses from node to node. No special procedure or code is needed at the time of failover.

    • All filtering rules that reference IP addresses of logical hostname and shared address resources must be identical on all cluster nodes.

    • Rules on a standby node reference an IP address that does not yet exist on that node. Such rules are still part of the active PF rule set and take effect when the node acquires the address after a failover.

    • All filtering rules must be the same for all NICs in the same IPMP group. In other words, if a rule is interface-specific, the same rule must also exist for all other interfaces in the same IPMP group.

    • If PF is already enabled on the cluster nodes, add all cluster-specific filtering rules before you configure Oracle Solaris Cluster software.

    For more information about PF rules, see the pf.conf(7) man page.
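
The subnet derivation in step 2 (the host address that ipadm show-addr reports, masked down to the network address, then one pass in and one pass out rule per subnet) can be automated. The following bash script is an added example; it is not part of this guide or of Oracle Solaris Cluster software, the ipadm show-addr output it parses is a constructed sample, and the function names net_of and pf_rules_from_ipadm are the example's own. It skips the ipadm header line, IPv6 entries and interfaces other than the ones named on the command line, and prints rules in the same form as the ones shown above:

```bash
#!/bin/bash
# Added example (not from the Oracle guide): derive the interconnect subnets
# from `ipadm show-addr` output and emit the matching PF pass rules, so the
# network address (172.16.0.64) is computed rather than worked out by hand.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    local n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# net_of HOST/PLEN -> NETWORK/PLEN, e.g. 172.16.0.65/26 -> 172.16.0.64/26
net_of() {
    local host=${1%/*} plen=${1#*/} mask
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    echo "$(int_to_ip $(( $(ip_to_int "$host") & mask )))/$plen"
}

# Read `ipadm show-addr` lines (ADDROBJ TYPE STATE ADDR) on stdin and print
# "pass in/out quick" rules for the IPv4 subnets of the interfaces named as
# arguments. The header line, IPv6 entries and other interfaces are skipped.
pf_rules_from_ipadm() {
    local addrobj atype state cidr ifc net
    while read -r addrobj atype state cidr; do
        [ "$addrobj" = "ADDROBJ" ] && continue
        case "$cidr" in
            *.*.*.*/*) ;;          # IPv4 address with prefix length
            *) continue ;;         # IPv6 or malformed entry: skip
        esac
        for ifc in "$@"; do
            [ "${addrobj%%/*}" = "$ifc" ] || continue
            net=$(net_of "$cidr")
            printf '# Unblock cluster traffic on %s (%s)\n' "$net" "$ifc"
            printf 'pass in quick proto { tcp, udp } from %s to any flags any\n' "$net"
            printf 'pass out quick proto { tcp, udp } from %s to any flags any\n\n' "$net"
        done
    done
    return 0
}

# Constructed sample of `ipadm show-addr` output (not captured from a real node).
SAMPLE_IPADM='ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
lo0/v6            static   ok           ::1/128
net0/v4           static   ok           192.0.2.10/24
net1/v4           static   ok           172.16.0.65/26
net2/v4           static   ok           172.16.0.129/26
clprivnet0/v4     static   ok           172.16.2.1/24
clprivnet0/v6     addrconf ok           fe80::1/10'

# Demonstration on the sample. On a live node, replace the printf with:
#   ipadm show-addr | pf_rules_from_ipadm net1 net2 clprivnet0
printf '%s\n' "$SAMPLE_IPADM" | pf_rules_from_ipadm net1 net2 clprivnet0
```

Run the generator on each node and review its output before adding it to the beginning of /etc/firewall/pf.conf. pfctl -nf /etc/firewall/pf.conf parses the resulting file without loading it, which catches syntax errors before the rules take effect. Because the rules are derived per node, also compare the generated output across nodes: every node has an address on the same interconnect subnets, so the generated rules should be identical.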

Next Steps

Configure Oracle Solaris Cluster software on the cluster nodes. Go to Establishing a New Global Cluster or New Global-Cluster Node.