如何使用 Firewalld 保护 Galera 节点？

Question

I'm having trouble securing the nodes in my Galera cluster. I was just opening up the required ports on each node and the cluster worked fine. I now want to restrict access further so only the other nodes are allowed to communicate with the node, I decided to set up a zone for this when I use this zone the node cannot leave the cluster cleanly or rejoin the cluster. I have to change back to my old zone to get it working again. I'm not great with firewall rules so I'm assuming I've done something wrong in the setup of the zone, any advice would be greatly appreciated.

I'm using Almalinux 8, MariaDB 10.6, and Firewalld.

Here is a copy of my zone XML file (I have changed the IP's)

<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>A_Node</short>
  <description>Zone for node of Galera Cluster</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>

<!-- Node A Rules -->
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4444" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4567" protocol="udp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4568" protocol="tcp"/>
  </rule>

<!-- Node B Rules -->
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="4444" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="4567" protocol="udp"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="4568" protocol="tcp"/>
  </rule>

<!-- Node C Rules -->
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="4444" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="4567" protocol="udp"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="4568" protocol="tcp"/>
  </rule>

<!-- Node D Rules -->
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="4444" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="4567" protocol="udp"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="4568" protocol="tcp"/>
  </rule>
</zone>

Answer 1

I worked it out, I was missing the <accept/> tag in my rules.

<rule family="ipv4">
  <source address="1.1.1.1/24"/>
  <port port="3306" protocol="tcp"/>
  <accept/>
</rule>