odd issue after enabling the firewall


odd issue after enabling the firewall

msouthwick
CONTENTS DELETED
The author has deleted this message.

Re: odd issue after enabling the firewall

Shawn Heisey
On 5/10/2017 11:40 AM, msouthwick wrote:
> I have 2 zookeepers, 2 shards and 2 replica shards in my setup. Everything
> was working just fine until I enabled the firewall. I started by allowing
> ports: 1099, 2181, 2888, 3888, 8983. Now I get the following in the
> zookeeper log.
>
> 2017-05-10 11:04:11,300 [myid:1] - INFO
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@197] -
> Accepted socket connection from /151.155.70.24:43248
<snip>
> It looks to me that the port is being changed in this example to 43248. This
> number changes so I opened a range of ports from 43000 to 43300 in hopes
> that this would fix the issue but as you can see it didn't.

That's the source port on the client side of the TCP connection.  2181
is the destination port on the server side.

Although most firewalls are CAPABLE of restricting traffic by the source
port, it is rare for such restrictions to be configured intentionally.
The source port is basically unpredictable without extensive knowledge
of a client's TCP stack implementation.

The source port range for Linux machines is typically 32768 to 61000.
It can be configured, but unless you are absolutely certain that you
MUST configure this, you should not worry about changing it.  Other
client operating systems may use a different port range, but it will
generally have thousands of possible ports available.

Thanks,
Shawn
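The reply above makes a point that is easy to get wrong when writing firewall rules: the 43248 in the ZooKeeper log is the client's ephemeral source port, and the only stable value is the server's listening port (2181). The shell script below is an added example, not code from the thread or from the ZooKeeper project. It parses a constructed log line modelled on the one quoted above, separates the client endpoint from the listening port, checks the source port against the default Linux ephemeral range the reply gives (32768 to 61000), and flags an iptables-style rule that matches on `--sport` instead of `--dport`. The function names and the sample line are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not part of the mailing-list thread): show why the port that
# varies in the ZooKeeper accept log is the client's source port, and that a
# firewall rule should therefore match on the destination port (2181).

# Constructed sample line, modelled on the log line quoted in the thread.
SAMPLE_LINE='2017-05-10 11:04:11,300 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@197] - Accepted socket connection from /151.155.70.24:43248'

# Print "<client-ip> <source-port>" from an "Accepted socket connection" line.
# Returns 1 if the line does not look like an accept event.
zk_client_endpoint() {
    local endpoint
    endpoint=$(printf '%s\n' "$1" \
        | sed -n 's/.*Accepted socket connection from \/\([0-9.]*\):\([0-9]*\).*/\1 \2/p')
    [ -n "$endpoint" ] || return 1
    printf '%s\n' "$endpoint"
}

# Print the server's listening (destination) port taken from the
# NIOServerCxn.Factory tag, e.g. ...Factory:0.0.0.0/0.0.0.0:2181:... -> 2181
zk_listen_port() {
    printf '%s\n' "$1" \
        | sed -n 's/.*NIOServerCxn\.Factory:[^:]*:\([0-9]*\):.*/\1/p'
}

# Report the host's configured ephemeral range on Linux, else the default
# range mentioned in the reply (32768 61000).
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        tr '\t' ' ' < /proc/sys/net/ipv4/ip_local_port_range
    else
        printf '32768 61000\n'
    fi
}

# is_ephemeral_port PORT [LOW HIGH]: succeed if PORT lies in the ephemeral
# range; defaults to the 32768-61000 range quoted in the reply.
is_ephemeral_port() {
    local port=$1 low=${2:-32768} high=${3:-61000}
    [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]
}

# rule_matches_source_port RULE: succeed if an iptables-style rule string
# matches on the source port (--sport), which is the mistake the thread
# describes; rules for a listening service should use --dport instead.
rule_matches_source_port() {
    printf '%s\n' "$1" | grep -q -- '--sport'
}

# Demonstration on the constructed sample line.
endpoint=$(zk_client_endpoint "$SAMPLE_LINE")
client_ip=${endpoint% *}
client_port=${endpoint#* }
listen_port=$(zk_listen_port "$SAMPLE_LINE")

if is_ephemeral_port "$client_port"; then
    printf 'client %s connected from ephemeral source port %s\n' "$client_ip" "$client_port"
    printf 'firewall rule should allow destination port %s, e.g.:\n' "$listen_port"
    printf '  iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$listen_port"
fi

# A rule written against the source port would only cover one random value.
bad_rule="-A INPUT -p tcp --sport $client_port -j ACCEPT"
if rule_matches_source_port "$bad_rule"; then
    printf 'warning: rule matches on a source port and will not hold: %s\n' "$bad_rule"
fi
printf 'host ephemeral range: %s\n' "$(ephemeral_range)"
```

Running the script prints the parsed client endpoint, the `--dport 2181` form of the rule, and a warning for the `--sport` variant; `ephemeral_range` reads the live kernel setting when one is available so the check can be repeated against a host whose range has been changed.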


Re: odd issue after enabling the firewall

Shawn Heisey
In reply to this post by msouthwick
On 5/10/2017 11:40 AM, msouthwick wrote:
> I have 2 zookeepers, 2 shards and 2 replica shards in my setup.

Followup, noticed this after I had sent the previous reply:  A ZK
ensemble of two servers is LESS fault tolerant than a single server.  If
*either* server were to go down, you would lose quorum.  You need three
servers for fault tolerance.  This is outlined in at least two places in
the ZK documentation.

Your mention of port 8983 (as well as shards and replicas) suggests that
you're running SolrCloud.  I believe that the need for three ZK servers
is also mentioned in the Solr documentation ... and if it's not, then I
need to make sure that gets added.

Thanks,
Shawn


Re: odd issue after enabling the firewall

msouthwick
CONTENTS DELETED
The author has deleted this message.