How to secure a Galera Node using Firewalld?
I'm having trouble securing the nodes in my Galera cluster. I was just opening up the required ports on each node and the cluster worked fine. I now want to restrict access further so only the other nodes are allowed to communicate with the node. I decided to set up a zone for this; when I use this zone the node cannot leave the cluster cleanly or rejoin the cluster. I have to change back to my old zone to get it working again. I'm not great with firewall rules, so I'm assuming I've done something wrong in the setup of the zone; any advice would be greatly appreciated.
I'm using AlmaLinux 8, MariaDB 10.6, and Firewalld.
Here is a copy of my zone XML file (I have changed the IPs):
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>A_Node</short>
  <description>Zone for node of Galera Cluster</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <!-- Node A Rules -->
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4444" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4567" protocol="udp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4568" protocol="tcp"/>
  </rule>
  <!-- Node B Rules -->
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="4444" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="4567" protocol="udp"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="4568" protocol="tcp"/>
  </rule>
  <!-- Node C Rules -->
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="4444" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="4567" protocol="udp"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="4568" protocol="tcp"/>
  </rule>
  <!-- Node D Rules -->
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="4444" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="4567" protocol="udp"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="4568" protocol="tcp"/>
  </rule>
</zone>
I worked it out: I was missing the <accept/> tag in my rules.
<rule family="ipv4">
  <source address="1.1.1.1/24"/>
  <port port="3306" protocol="tcp"/>
  <accept/>
</rule>
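The answer above pins the failure on a missing action element: a firewalld rich rule must end in one of accept, reject, drop or mark, and under a zone with target="DROP" a rule without one lets nothing through, so the peers' replication traffic was silently dropped. As an added example (not code from the original post or from firewalld), the following Python script lints a zone file for rich rules that carry no action and generates a corrected zone with `<accept/>` on every peer rule. The sample zone, the `A_Node` name and the 3.3.3.3-style peer addresses are constructed placeholders; the port list is the standard Galera set (3306 SQL, 4444 SST, 4567 tcp+udp replication, 4568 IST). Because the firewalld `mysql` service is only 3306/tcp, the generator emits one rule per port and skips the duplicate service rule the original zone had.

```python
"""Lint and generate firewalld zone XML for a Galera node.

Added example for the Q&A above, not code from the original post.
A rich rule with a <source> and a <port> but no action element is not a
permit: firewalld requires accept/reject/drop/mark on each rich rule.
"""
import xml.etree.ElementTree as ET

RICH_RULE_ACTIONS = {"accept", "reject", "drop", "mark"}

# Ports a Galera node must accept from its peers: 3306 client/SQL, 4444 SST,
# 4567 tcp+udp group replication, 4568 IST.  (firewalld's "mysql" service is
# just 3306/tcp, so a separate service rule per peer is redundant.)
GALERA_PEER_PORTS = [
    ("3306", "tcp"), ("4444", "tcp"), ("4567", "tcp"),
    ("4567", "udp"), ("4568", "tcp"),
]

# Constructed sample reproducing the bug from the question (placeholder
# address): rule 1 lacks <accept/>, rule 2 has it.
BROKEN_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>A_Node</short>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4567" protocol="tcp"/>
    <accept/>
  </rule>
</zone>
"""


def rules_without_action(zone_xml: str) -> list:
    """Return 1-based indices of <rule> elements that carry no action."""
    # Zone files are administrator-written local config, so the stdlib
    # parser is acceptable here; do not point this at untrusted XML.
    root = ET.fromstring(zone_xml.encode("utf-8"))
    bad = []
    for idx, rule in enumerate(root.findall("rule"), start=1):
        if not any(child.tag in RICH_RULE_ACTIONS for child in rule):
            bad.append(idx)
    return bad


def rule_count(zone_xml: str) -> int:
    """Number of rich rules in the zone (used to sanity-check output)."""
    return len(ET.fromstring(zone_xml.encode("utf-8")).findall("rule"))


def build_galera_zone(peers, short="A_Node") -> str:
    """Emit a DROP-target zone that accepts Galera ports only from peers."""
    zone = ET.Element("zone", target="DROP")
    ET.SubElement(zone, "short").text = short
    ET.SubElement(zone, "description").text = "Zone for node of Galera Cluster"
    ET.SubElement(zone, "service", name="ssh")
    for peer in peers:
        for port, proto in GALERA_PEER_PORTS:
            rule = ET.SubElement(zone, "rule", family="ipv4")
            ET.SubElement(rule, "source", address=peer)
            ET.SubElement(rule, "port", port=port, protocol=proto)
            ET.SubElement(rule, "accept")  # the element the question was missing
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            + ET.tostring(zone, encoding="unicode"))


if __name__ == "__main__":
    print("rules missing an action in BROKEN_ZONE:",
          rules_without_action(BROKEN_ZONE))
    fixed = build_galera_zone(["3.3.3.3", "4.4.4.4", "5.5.5.5", "6.6.6.6"])
    assert rules_without_action(fixed) == []
    print(fixed)
```

Write the generated XML to /etc/firewalld/zones/A_Node.xml, run `firewall-cmd --reload`, and confirm with `firewall-cmd --zone=A_Node --list-rich-rules` that every rule ends in `accept`. Note that the ssh, dhcpv6-client and cockpit services in the original zone are plain zone services, so they stay reachable from any source bound to that zone; only the Galera ports are restricted to the listed peers.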