Clustering behind a firewall


Clustering behind a firewall

james.rivettcarnac

I'm having some issues with clustering and a firewall.  During setup of the cluster over tcp, epmd opens a bunch of ephemeral ports > 30000 that vanish after the clustering is set up.  If my iptables rules DROP by default, these hang up on the tcp handshake.

I can't find any reference for ports like this being used. My inet_dist_listen_min/max work (when I turn off the firewall, the correct port is being used) but they have no effect on these random ports.


Some output:

[vagrant@queue1 ~]$ sudo iptables --list --verbose -n
Chain INPUT (policy DROP 61566 packets, 3702K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:9100:9105
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:25672:25682
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25672
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4369
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
   85  4616 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
95330   16M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:15672
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5673
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5672
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.50.3         0.0.0.0/0



And for my netstat:


[vagrant@queue1 ~]$ sudo netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 192.168.50.3:15672          192.168.50.1:56986          ESTABLISHED
tcp        0      0 192.168.50.3:15672          192.168.50.1:56983          ESTABLISHED
tcp        0      0 192.168.50.3:15672          192.168.50.1:56982          ESTABLISHED
tcp        0      1 192.168.50.3:48424          queue0.zombiehorde.loc:epmd SYN_SENT
tcp        0      0 192.168.50.3:15672          192.168.50.1:56342          ESTABLISHED
tcp        0      0 queue1.zombiehorde.loc:epmd queue1.zombiehorde.lo:42469 ESTABLISHED
tcp        0      0 10.0.2.15:ssh               10.0.2.2:53317              ESTABLISHED
tcp        0      0 192.168.50.3:15672          192.168.50.1:56985          ESTABLISHED
tcp        0      0 queue1.zombiehorde.lo:42469 queue1.zombiehorde.loc:epmd ESTABLISHED
tcp        0      1 192.168.50.3:53772          queue0.zombiehorde.loc:epmd SYN_SENT



Note the SYN_SENT entries (right when I restart the service there are a bunch more of these.  I assume epmd throttles down the connection attempts after a number of failed attempts).

Best regards,

James


_______________________________________________
rabbitmq-discuss mailing list
[hidden email]
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss

Re: Clustering behind a firewall

Matthias Radestock-3
On 22/05/14 03:06, [hidden email] wrote:
> I'm having some issues with clustering and a firewall.  During setup of
> the cluster over tcp, epmd opens a bunch of ephemeral ports > 30000 that
> vanish after the clustering is set up.

These are *outbound* ports, i.e. the local end of a connection to a
remote epmd.

I don't think there's any way to control the allocation of these ports.

Matthias.
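The symptom in this thread (outbound connections to a remote epmd stuck in SYN_SENT behind an INPUT chain whose policy is DROP) comes from the return packets for those connections being dropped: the listing above only accepts NEW connections to listed ports and has no rule accepting ESTABLISHED/RELATED traffic. The following audit script is an added example, not code from the thread or from RabbitMQ; it parses an `iptables --list --verbose -n` listing (a constructed sample shaped like the one posted) and flags an INPUT chain that drops by default without a stateful reply rule. The names `parse_chains`, `accepts_established` and `audit_input_chain` are the example's own.

```python
"""Audit an `iptables --list --verbose -n` listing for an INPUT chain with
policy DROP and no ACCEPT rule for ESTABLISHED/RELATED traffic, which drops
replies to outbound connections (the local ephemeral ports seen in SYN_SENT)."""
import re

# Constructed sample, shaped like the listing posted in the thread.
SAMPLE = """\
Chain INPUT (policy DROP 61566 packets, 3702K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:25672:25682
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4369
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")

def parse_chains(listing):
    """Return {chain_name: (policy, [rule lines])} for each chain in the listing."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            chains[current][1].append(line)
    return chains

def accepts_established(rules):
    """True if some ACCEPT rule matches `-m state` or `-m conntrack` with ESTABLISHED."""
    for r in rules:
        fields = r.split()
        if len(fields) > 2 and fields[2] == "ACCEPT" and re.search(r"\b(ct)?state\b.*ESTABLISHED", r):
            return True
    return False

def audit_input_chain(listing):
    """Return a list of findings; an empty list means the stateful reply rule is present."""
    chains = parse_chains(listing)
    if "INPUT" not in chains:
        return ["no INPUT chain found in listing"]
    policy, rules = chains["INPUT"]
    if policy == "DROP" and not accepts_established(rules):
        return ["INPUT policy is DROP with no ESTABLISHED,RELATED ACCEPT rule: replies to "
                "outbound connections (e.g. to a remote epmd) are dropped; fix with: "
                "iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    return []
```

Run `audit_input_chain(SAMPLE)` to get the finding for the sample; once the suggested rule is present in the listing the function returns an empty list.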