Firewall Configuration with FirewallD

The firewall daemon, or FirewallD, is an interface for dynamically managing firewalls on Linux operating systems. It allows you to set up, maintain and inspect IPv4 and IPv6 firewall rules.

FirewallD includes support for defining zones. This allows you to set the trust level of a given network connection or interface. For example, when deploying nodes that connect to each other over the internet–rather than a private network–you might configure your firewall around the public zone. This assumes that other computers on the network are untrusted and only accept designated connections.

For more information on FirewallD, see the Documentation.

../_images/training.jpg

Opening Ports for Galera Cluster

Galera Cluster requires four open ports for replication over TCP. To use multicast replication, it also requires one for UDP transport. In order for this to work over FirewallD, you also need to add the database service to the firewall rules.

To enable the database service for FirewallD, you would enter something like the following at the command-line:

# firewall-cmd --zone=public --add-service=mysql

Next, you will need to open the TCP ports for Galera Cluster. Do this by executing the following from the command-line:

# firewall-cmd --zone=public --add-port=3306/tcp
# firewall-cmd --zone=public --add-port=4567/tcp
# firewall-cmd --zone=public --add-port=4568/tcp
# firewall-cmd --zone=public --add-port=4444/tcp

Optionally, if you would like to use multicast replication, execute the following from the command-line to open UDP transport on 4567:

# firewall-cmd --zone=public --add-port=4567/udp

These commands dynamically configure FirewallD. Your firewall will then permit the rest of the cluster to connect to the node hosted on the server. Repeat the above commands on each server. Keep in mind, changes to the firewall made by this method are not persistent. When the server reboots, FirewallD will return to its default state.

Making Firewall Changes Persistent

The commands given in the above section allow you to configure FirewallD on a running server and update the firewall rules without restarting. However, these changes are not persistent. When the server restarts, FirewallD reverts to its default configuration. To change the default configuration, a somewhat different approach is required:

First, enable the database service for FirewallD by entering the following from the command-line:

# firewall-cmd --zone=public --add-service=mysql \
      --permanent

Now, you will need to open the TCP ports for Galera Cluster. To do so, enter the following lines from the command-line:

# firewall-cmd --zone=public --add-port=3306/tcp \
      --permanent
# firewall-cmd --zone=public --add-port=4567/tcp \
      --permanent
# firewall-cmd --zone=public --add-port=4568/tcp \
      --permanent
# firewall-cmd --zone=public --add-port=4444/tcp \
      --permanent

If you would like to use multicast replication, execute the following command. It will open UDP transport on 4567.

# firewall-cmd --zone=public --add-port=4567/udp \
      --permanent

Now you just need to reload the firewall rules, maintaining the current state information. To do this, executing the following:

# firewall-cmd --reload

These commands modify the default FirewallD settings and then cause the new settings to take effect, immediately. FirewallD will then be configured to allow the rest of the cluster to access the node. The configuration remains in effect after reboots. You’ll have to repeat these commands on each server.