Controlling Network Access for Services in Availability Domains

When a cluster is hosted in a data center in an availability domain, you can use bdacli firewall commands to control network access through the Oracle Big Data Cloud Service firewall. Any port on any node can be opened or closed.

Managing the Firewall With bdacli firewall Commands

You must have administrative privileges to configure the firewall.

To configure the firewall, use SSH to connect to the third node of the cluster as the root user, and use bdacli firewall commands.

Note:

You can also configure the firewall by using graphical tools in Oracle Big Data Manager. See Configuring the Firewall Through Oracle Big Data Manager.

Syntax

bdacli firewall command [arguments]

Commands

list

Lists all rules in the cluster. The --json flag returns the output formatted in JavaScript Object Notation (JSON).

Syntax:

bdacli firewall list [--json]

Example:

# bdacli firewall list
BDCS Network Firewall.
Using nodes: scaj53bda06 scaj53bda07 scaj53bda08 scaj53bda09
ID | Source         | Dest         |Port    | Protocol | Comments
----------------------------------------------------------------------------
1  | 192.168.0.0/24  | scaj53bda06   | cm      | all   | Cloudera manager rule
2  | 192.168.0.0/24  | scaj53bda08   | cm      | all   | Cloudera manager rule
3  | 192.168.0.0/24  | scaj53bda08   | hue     | all   | Hue rule
4  | 192.168.0.0/24  | scaj53bda06   | 8080    | all   | Webserver rule

add | addbulk

Adds one or more rules to the cluster IP rules. Use add to add a single rule and addbulk to add multiple rules in a single command.

Syntax:

bdacli firewall add 
	src-ipaddr-1 [/mask] 
	node-name 
	dest-port
	protocol 
	--comment comment 
bdacli firewall addbulk 
	--rule 
		src-ipaddr-1 [/mask] 
		node-name 
		dest-port 
		protocol 
	--comment comment 
	--rule 
		src-ipaddr-2 [/mask] 
		node-name-2 
		dest-port-2 
		protocol-2
	--comment comment 

Examples:

# bdacli firewall add 192.168.0.0/24 scaj53bda08 cm all 
--comment "Cloudera manager rule" 
BDCS Network Firewall. 
Using nodes: scaj53bda06 scaj53bda07 scaj53bda08 scaj53bda09 
Adding single rule. 
File doesn't exists, creating file... 
Rule added. 
Distributing configuration, please wait. 
Configuration reloaded.
# bdacli firewall addbulk --rule 192.168.0.0/24 
scaj53bda08 cm all --comment "Cloudera manager rule" --rule 
192.168.0.0/24 scaj53bda08 hue all --comment "Hue rule" --rule 
192.168.0.0/24 scaj53bda06 8080 all --comment "Webserver rule" 
BDCS Network Firewall. 
Using nodes: scaj53bda06 scaj53bda07 scaj53bda08 scaj53bda09 
Adding multiple rules. 
Rule added. 
Rule added. 
Rule added. 
Distributing configuration, please wait. 
Configuration reloaded.

replace | replaceall

Replaces rules on the cluster. Use replace to replace a single rule, identified by its rule ID, with a new rule. Use replaceall to delete all rules on the firewall and add the given rules to the cluster IP rules; multiple rules can be added in a single command.

Syntax:

bdacli firewall replace 
	rule-id 
		src-ipaddr [/mask] 
		node-name
		dest-port
		protocol
	--comment comment 
bdacli firewall replaceall 
	--rule 
		src-ipaddr-1 [/mask] 
		dest-ipaddr-1|node-name-1
		dest-port-1
		protocol-1
	--comment comment 
	--rule 
		src-ipaddr-2 [/mask] 
		dest-ipaddr-2|node-name-2
		dest-port-2
		protocol-2
	--rule 
		src-ipaddr-3 [/mask] 
		dest-ipaddr-3|node-name-3
		dest-port-3
		protocol-3
	--comment comment 

Example:

# bdacli firewall replace 1 192.168.0.0/24 scaj53bda06 
10001 all --comment "Custom service rule" 
BDCS Network Firewall. 
Using nodes: scaj53bda06 scaj53bda07 scaj53bda08 scaj53bda09 
Replacing a single rule. 
Rule deleted. 
Rule added. 
Distributing configuration, please wait. 
Configuration reloaded.

Example:

# bdacli firewall replaceall --rule 192.168.0.0/24 
scaj53bda08 cm all --comment "Cloudera manager rule" --rule 
192.168.0.0/24 scaj53bda08 hue all --comment "Hue rule" --rule 
192.168.0.0/24 scaj53bda06 8080 all --comment "Webserver rule" 
BDCS Network Firewall. 
Using nodes: scaj53bda06 scaj53bda07 scaj53bda08 scaj53bda09 
Firewall configuration back to factory settings. 
Adding new rules. 
File doesn't exists, creating file... 
Rule added. 
Rule added. 
Rule added. 
Distributing configuration, please wait. 
Configuration reloaded.

delete

Deletes a single rule on the cluster.

Syntax:

bdacli firewall delete rule-id

reset

Deletes all customer-made rules on the cluster.

Syntax:

bdacli firewall reset

reload

Reprocesses the firewall JSON file (firewall.json) to regenerate the iptables script, then runs the new script.

Syntax:

bdacli firewall reload

Arguments

The following table describes the arguments to the above commands.

Argument Description
src-ipaddr[/mask]

The IP address of the incoming connection, in dotted decimal notation (AA.BB.CC.DD). A whole network can be allowed by appending a prefix length, using the notation AA.BB.CC.DD/EE.

node-name

The hostname of the node that will receive the incoming connection, or the keyword all to use the client interface of all nodes. The hostname can be a fully qualified domain name or just the short name of the node.

dest-port

The destination port that will receive the connection. The number can be from 1 to 65535.

A range can be defined in the format a:b, or you can use the keyword all to open all ports.

The keywords hue and cm are accepted as aliases for ports 8888 and 7183 respectively.

protocol

The protocol of the connection. It can be one of the following: tcp, udp, icmp, or the keyword all as a wildcard for any protocol.

comment

Comments are stored in the iptables rules and in the firewall.json file. They have no functional effect; they exist only so that the administrator can describe a rule. Comments are optional in add and replace operations and are given with the --comment flag.
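As an added example that is not part of the Oracle documentation or of bdacli, the following Python script parses the table printed by bdacli firewall list (the layout shown above), applies the dest-port rules from the arguments table (1 to 65535, a:b ranges, the hue and cm aliases) and flags rules whose source is wider than an expected trusted network or that open all ports on a node. The sample list output and the trusted network 192.168.0.0/24 are constructed for the example.

```python
import ipaddress
import re
# Constructed sample of `bdacli firewall list` output (banner, header, rules).
SAMPLE_LIST_OUTPUT = """\
BDCS Network Firewall.
Using nodes: scaj53bda06 scaj53bda07 scaj53bda08 scaj53bda09
ID | Source         | Dest         |Port    | Protocol | Comments
----------------------------------------------------------------------------
1  | 192.168.0.0/24 | scaj53bda06  | cm      | all      | Cloudera manager rule
2  | 0.0.0.0/0      | scaj53bda08  | hue     | all      | Hue rule
3  | 192.168.0.0/24 | scaj53bda06  | 8080    | tcp      | Webserver rule
4  | 10.0.0.0/8     | all          | all     | all      | Temporary debug rule
"""
PORT_KEYWORDS = {"hue": 8888, "cm": 7183}  # documented dest-port aliases
def parse_rules(output):
    """Return one dict per rule line; banner, header and separator are skipped."""
    rules = []
    for line in output.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 6 or not cols[0].isdigit():
            continue
        rules.append(dict(zip(("id", "src", "dest", "port", "proto", "comment"),
                              [int(cols[0])] + cols[1:6])))
    return rules

def port_range(port):
    """Map a dest-port value (number, a:b range or keyword) to (low, high)."""
    if port in PORT_KEYWORDS:
        return PORT_KEYWORDS[port], PORT_KEYWORDS[port]
    if port == "all":
        return 1, 65535
    m = re.fullmatch(r"(\d+)(?::(\d+))?", port)
    if not m:
        raise ValueError("malformed dest-port: %r" % port)
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("dest-port outside 1..65535: %r" % port)
    return lo, hi

def audit(rules, trusted_net):
    """Flag rules whose source is wider than trusted_net or that open every port."""
    trusted = ipaddress.ip_network(trusted_net)
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r["src"], strict=False)
        if not src.subnet_of(trusted):
            findings.append((r["id"], "source %s is not within %s" % (src, trusted)))
        if port_range(r["port"]) == (1, 65535):
            findings.append((r["id"], "opens all ports on %s" % r["dest"]))
    return findings
```

Run audit(parse_rules(SAMPLE_LIST_OUTPUT), "192.168.0.0/24") to get the findings for rules 2 and 4; in practice feed it the captured output of bdacli firewall list from the third node.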