
How to secure a Galera Node using Firewalld?

I am having a problem securing the nodes in a Galera cluster. I simply opened the required ports on every node and the cluster runs fine. I now want to restrict access further so that only the other nodes are allowed to talk to a given node, so I decided to set up a zone for that. When I use this zone, a node cannot leave the cluster cleanly or rejoin it, and I have to switch back to my old zone to get it working again. I am not very good with firewall rules, so I assume I did something wrong in the zone setup; any advice would be appreciated.

I am using AlmaLinux 8, MariaDB 10.6 and Firewalld.

Here is a copy of my zone XML file (I have changed the IPs):

<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>A_Node</short>
  <description>Zone for node of Galera Cluster</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>

<!-- Node A Rules -->
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4444" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4567" protocol="udp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4568" protocol="tcp"/>
  </rule>

<!-- Node B Rules -->
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="4444" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="4567" protocol="udp"/>
  </rule>
  <rule family="ipv4">
    <source address="4.4.4.4"/>
    <port port="4568" protocol="tcp"/>
  </rule>

<!-- Node C Rules -->
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="4444" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="4567" protocol="udp"/>
  </rule>
  <rule family="ipv4">
    <source address="5.5.5.5"/>
    <port port="4568" protocol="tcp"/>
  </rule>

<!-- Node D Rules -->
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="4444" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="4567" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="4567" protocol="udp"/>
  </rule>
  <rule family="ipv4">
    <source address="6.6.6.6"/>
    <port port="4568" protocol="tcp"/>
  </rule>
</zone>

I solved it, my rules were missing the <accept/> tag.

<rule family="ipv4">
  <source address="1.1.1.1/24"/>
  <port port="3306" protocol="tcp"/>
  <accept/>
</rule>
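As an added example, not code from the original question or answer: a small Python script that parses a firewalld zone file with the standard library and lists every rich rule that has no action element (accept, reject, drop or mark), which is exactly the defect the answer found, and then builds a corrected Galera zone in which every peer rule ends in <accept/>. The zone name A_Node, the placeholder peer addresses and the Galera port list (3306/tcp, 4567/tcp+udp, 4568/tcp, 4444/tcp) are taken from the post; the function names, the ACTIONS set and the constructed sample zone are my own.

```python
"""Lint a firewalld zone XML for rich rules without an action, and build a
corrected Galera zone.  Added example, not from the original post."""
import xml.etree.ElementTree as ET

# Actions a firewalld rich rule can end with.  A <rule> with none of these
# children is well-formed XML but matches nothing, so the peer still hits
# the zone's DROP target.  (Set assumed from the firewalld.richlanguage docs.)
ACTIONS = {"accept", "reject", "drop", "mark"}

# Galera ports as listed in the question: client, group communication
# (tcp and udp), incremental state transfer, full state transfer (rsync/mariabackup).
GALERA_PORTS = [("3306", "tcp"), ("4567", "tcp"), ("4567", "udp"),
                ("4568", "tcp"), ("4444", "tcp")]

# Constructed sample mirroring the first two rules of the poster's zone:
# both lack <accept/>.  (Not the poster's full file.)
BROKEN_ZONE = """<zone target="DROP">
  <short>A_Node</short>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <service name="mysql"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="3306" protocol="tcp"/>
  </rule>
</zone>"""


def rules_without_action(zone_xml):
    """Return a one-line description of every <rule> lacking an action child."""
    root = ET.fromstring(zone_xml)
    bad = []
    for rule in root.iter("rule"):
        if any(child.tag in ACTIONS for child in rule):
            continue
        src = rule.find("source")
        port = rule.find("port")
        svc = rule.find("service")
        if port is not None:
            what = "port %s/%s" % (port.get("port"), port.get("protocol"))
        elif svc is not None:
            what = "service %s" % svc.get("name")
        else:
            what = "?"
        who = src.get("address") if src is not None else "*"
        bad.append("%s %s" % (who, what))
    return bad


def build_galera_zone(name, peers, target="DROP"):
    """Serialise a zone that accepts the Galera ports only from the given peers.

    Only port rules are emitted: the poster's <service name="mysql"/> rules
    duplicate the 3306/tcp port rules.  ssh stays open to any source, as in
    the original zone; tighten that too if management comes from known hosts.
    """
    zone = ET.Element("zone", target=target)
    ET.SubElement(zone, "short").text = name
    ET.SubElement(zone, "description").text = "Zone for node of Galera Cluster"
    ET.SubElement(zone, "service", name="ssh")
    for peer in peers:
        for port, proto in GALERA_PORTS:
            rule = ET.SubElement(zone, "rule", family="ipv4")
            ET.SubElement(rule, "source", address=peer)
            ET.SubElement(rule, "port", port=port, protocol=proto)
            ET.SubElement(rule, "accept")          # the element the post was missing
    return ET.tostring(zone, encoding="unicode")


if __name__ == "__main__":
    for line in rules_without_action(BROKEN_ZONE):
        print("no action:", line)
    fixed = build_galera_zone("A_Node", ["3.3.3.3", "4.4.4.4", "5.5.5.5", "6.6.6.6"])
    print("fixed zone has", len(rules_without_action(fixed)), "rules without action")
```

Run the linter against /etc/firewalld/zones/A_Node.xml before reloading; after `firewall-cmd --reload`, `firewall-cmd --zone=A_Node --list-rich-rules` should show every rule ending in `accept`.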


Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish, please credit this site or the original source. Questions: yoyou2525@163.com. 粵ICP備18138465號 © 2020-2024 STACKOOM.COM