Controlling Network Access for Services in Availability Domains
When a cluster is hosted in a data center in an availability domain, you can use bdacli firewall commands to control network access through the Oracle Big Data Cloud Service firewall. Any port on any node can be opened or closed.
Managing the Firewall With bdacli firewall Commands
You must have administrative privileges to configure the firewall.
To configure the firewall, use SSH to connect to the third node of the cluster as the root user, and use bdacli firewall commands.
Note:
You can also configure the firewall by using graphical tools in Oracle Big Data Manager. See Configuring the Firewall Through Oracle Big Data Manager.
Syntax
bdacli firewall command [arguments]
Commands
-
list
-
Lists all rules in the cluster. The --json flag returns the output formatted in JavaScript Object Notation (JSON).
Syntax:
bdacli firewall list [--json]
Example:
# bdacli firewall list
BDCS Network Firewall. Using nodes: scaj53bda06 scaj53bda07 scaj53bda08 scaj53bda09
ID | Source         | Dest        | Port | Protocol | Comments
----------------------------------------------------------------------------
1  | 192.168.0.0/24 | scaj53bda06 | cm   | all      | Cloudera manager rule
2  | 192.168.0.0/24 | scaj53bda08 | cm   | all      | Cloudera manager rule
3  | 192.168.0.0/24 | scaj53bda08 | hue  | all      | Hue rule
4  | 192.168.0.0/24 | scaj53bda06 | 8080 | all      | Webserver rule
-
add | addbulk
-
Adds a rule or rules to the cluster IP rules. Use add to add a single rule and addbulk to add multiple rules in a single command.
Syntax:
bdacli firewall add src-ipaddr-1[/mask] node-name dest-port protocol --comment comment
bdacli firewall addbulk --rule src-ipaddr-1[/mask] node-name dest-port protocol --comment comment --rule src-ipaddr-2[/mask] node-name-2 dest-port-2 protocol-2 --comment comment
Examples:
# bdacli firewall add 192.168.0.0/24 scaj53bda08 cm all --comment "Cloudera manager rule"
BDCS Network Firewall. Using nodes: scaj53bda06 scaj53bda07 scaj53bda08 scaj53bda09
Adding single rule.
File doesn't exist, creating file...
Rule added.
Distributing configuration, please wait.
Configuration reloaded.
# bdacli firewall addbulk --rule 192.168.0.0/24 scaj53bda08 cm all --comment "Cloudera manager rule" --rule 192.168.0.0/24 scaj53bda08 hue all --comment "Hue rule" --rule 192.168.0.0/24 scaj53bda06 8080 all --comment "Webserver rule"
BDCS Network Firewall. Using nodes: scaj53bda06 scaj53bda07 scaj53bda08 scaj53bda09
Adding multiple rules.
Rule added.
Rule added.
Rule added.
Distributing configuration, please wait.
Configuration reloaded.
-
replace | replaceall
-
Use replace to replace a single existing rule, identified by its rule-id, with a new rule. Use replaceall to delete all rules on the firewall and add the given rules to the cluster IP rules; multiple --rule entries can be given in a single command. Because replaceall removes every existing rule first, any rule not repeated on the command line is lost.
Syntax:
bdacli firewall replace rule-id src-ipaddr[/mask] node-name dest-port protocol --comment comment
bdacli firewall replaceall --rule src-ipaddr-1[/mask] dest-ipaddr-1|node-name-1 dest-port-1 protocol-1 --comment comment --rule src-ipaddr-2[/mask] dest-ipaddr-2|node-name-2 dest-port-2 protocol-2 --rule src-ipaddr-3[/mask] dest-ipaddr-3|node-name-3 dest-port-3 protocol-3 --comment comment
Example:
# bdacli firewall replace 1 192.168.0.0/24 scaj53bda06 10001 all --comment "Custom service rule"
BDCS Network Firewall. Using nodes: scaj53bda06 scaj53bda07 scaj53bda08 scaj53bda09
Replacing a single rule.
Rule deleted.
Rule added.
Distributing configuration, please wait.
Configuration reloaded.
Example:
# bdacli firewall replaceall --rule 192.168.0.0/24 scaj53bda08 cm all --comment "Cloudera manager rule" --rule 192.168.0.0/24 scaj53bda08 hue all --comment "Hue rule" --rule 192.168.0.0/24 scaj53bda06 8080 all --comment "Webserver rule"
BDCS Network Firewall. Using nodes: scaj53bda06 scaj53bda07 scaj53bda08 scaj53bda09
Firewall configuration back to factory settings.
Adding new rules.
File doesn't exist, creating file...
Rule added.
Rule added.
Rule added.
Distributing configuration, please wait.
Configuration reloaded.
-
delete
-
Deletes a single rule on the cluster, identified by its rule-id as shown by bdacli firewall list.
Syntax:
bdacli firewall delete rule-id
-
reset
-
Deletes all customer-made rules on the cluster.
Syntax:
bdacli firewall reset
-
reload
-
Reprocesses the firewall JSON to generate the iptables script and runs the new script.
Syntax:
bdacli firewall reload
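The following Python script is an added example; it is not part of this page and not part of bdacli. It parses the plain-text output of bdacli firewall list in the layout shown above (the sample output embedded in the script is constructed from that example), flags rules whose source is not a valid address or CIDR block or is open to any address, and works out the delete and addbulk commands that move the cluster from its current rules to a desired rule set. The Rule class and the parse_list_output, lint and plan_changes functions are names chosen for this example, and the desired rule for 10.10.1.0/24 on port 10001 is an assumed, illustrative entry. The page does not say whether rule IDs are renumbered after a delete, so re-run bdacli firewall list before issuing further ID-based commands.

```python
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed sample in the layout printed by `bdacli firewall list` on this page.
SAMPLE_LIST_OUTPUT = """\
BDCS Network Firewall. Using nodes: scaj53bda06 scaj53bda07 scaj53bda08 scaj53bda09
ID | Source         | Dest        | Port | Protocol | Comments
----------------------------------------------------------------------------
1  | 192.168.0.0/24 | scaj53bda06 | cm   | all      | Cloudera manager rule
2  | 192.168.0.0/24 | scaj53bda08 | cm   | all      | Cloudera manager rule
3  | 192.168.0.0/24 | scaj53bda08 | hue  | all      | Hue rule
4  | 192.168.0.0/24 | scaj53bda06 | 8080 | all      | Webserver rule
"""


@dataclass(frozen=True)
class Rule:
    """One firewall rule: source CIDR, destination node, port (number or keyword), protocol."""
    src: str
    dest: str
    port: str
    protocol: str
    comment: str

    def key(self):
        # Rule identity ignores the comment; the comment is documentation only.
        return (self.src, self.dest, self.port, self.protocol)


def parse_list_output(text):
    """Return {rule_id: Rule} from the text printed by `bdacli firewall list`."""
    rules = {}
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|", 5)]
        # Banner, header and separator lines do not start with a numeric ID.
        if len(cols) != 6 or not cols[0].isdigit():
            continue
        rules[int(cols[0])] = Rule(*cols[1:])  # src, dest, port, protocol, comment
    return rules


def lint(rules):
    """Flag rules a reviewer would question: unparsable sources and sources open to everyone."""
    findings = []
    for rid, r in rules.items():
        try:
            net = ipaddress.ip_network(r.src, strict=True)
        except ValueError:
            findings.append((rid, f"source {r.src!r} is not a valid address or CIDR block"))
            continue
        if net.prefixlen == 0:
            findings.append((rid, f"source {r.src} allows any address to reach {r.dest}:{r.port}"))
    return findings


def plan_changes(current, desired):
    """Commands that bring `current` ({id: Rule} from `list`) in line with `desired` (list of Rule).

    Rules present but not desired are deleted by ID (highest ID first); rules desired but
    absent are added with a single addbulk command. Comments are shell-quoted.
    """
    wanted = {r.key(): r for r in desired}
    have = {r.key(): rid for rid, r in current.items()}
    commands = []
    for key, rid in sorted(have.items(), key=lambda kv: kv[1], reverse=True):
        if key not in wanted:
            commands.append(f"bdacli firewall delete {rid}")
    missing = [r for k, r in wanted.items() if k not in have]
    if missing:
        parts = ["bdacli firewall addbulk"]
        for r in missing:
            parts.append(
                f"--rule {r.src} {r.dest} {r.port} {r.protocol} --comment {shlex.quote(r.comment)}"
            )
        commands.append(" ".join(parts))
    return commands


if __name__ == "__main__":
    current = parse_list_output(SAMPLE_LIST_OUTPUT)
    for rid, problem in lint(current):
        print(f"rule {rid}: {problem}")
    # Assumed target state: keep the two rules for scaj53bda08, drop the rest,
    # and open an assumed custom service port 10001 to an assumed admin subnet.
    desired = [
        Rule("192.168.0.0/24", "scaj53bda08", "cm", "all", "Cloudera manager rule"),
        Rule("192.168.0.0/24", "scaj53bda08", "hue", "all", "Hue rule"),
        Rule("10.10.1.0/24", "scaj53bda06", "10001", "all", "Custom service rule"),
    ]
    for cmd in plan_changes(current, desired):
        print(cmd)
```

Run the script on the cluster node and review the printed commands before executing them as root. Deleting by ID and adding in one addbulk keeps the rules you did not touch in place, which replaceall would not.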
Arguments
The following table describes the arguments to the above commands.
Argument | Description
---|---
src-ipaddr[/mask] | The IP address of the incoming connection, in the format
node-name | The hostname (of the node) that will receive the incoming connection, or the keyword
dest-port | The destination port that will receive the connection. The number can be from A range can be defined in format Keywords
protocol | The protocol of the connection. It can be one of the following:
comment | Comments are added in IP tables and in the