I am trying to set up a couple of 2.5.0 nodes on CentOS boxes. I have opened the recommended ports:
    firewall-cmd --add-port=47500-47502/tcp
    firewall-cmd --add-port=47100-47200/tcp
    firewall-cmd --add-port=47400/udp

I see an initial UDP packet, to the Ignite multicast group address, received correctly on destination port 47400. However, the remote node (x.y.2.84 in the following trace) then sends a second UDP packet from port 47400 to a random port on the local machine (x.y.2.99). This gives the following firewall trace, and the node fails to join the cluster:

    Jun 29 11:00:21 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=543 TOS=0x00 PREC=0x00 TTL=64 ID=30905 DF PROTO=UDP SPT=47400 DPT=35072 LEN=523
    Jun 29 11:01:22 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=543 TOS=0x00 PREC=0x00 TTL=64 ID=65234 DF PROTO=UDP SPT=47400 DPT=47668 LEN=523
    Jun 29 11:01:22 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=543 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47400 DPT=40812 LEN=523

Obviously I don't know the address of the remote machine in advance, or the incoming port number. The only option seems to be opening the entire random port range to UDP traffic:

    firewall-cmd --add-port=1024-65535/udp

This works and the cluster is joined. However, even if this could also be limited to source port 47400, it is dangerous. Remote malware could use that port to access other services.

Is there a better way to do this?
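As an added example (not from the original post and not Ignite code), a small Python filter over the kernel reject lines quoted above: it parses the key=value fields and picks out the pattern the poster describes, UDP from source port 47400 to an unprivileged destination port, so blocked discovery replies can be confirmed and counted per remote node before any port range is opened. The TCP line in the sample is constructed to show a non-match.

```python
import re
from typing import Dict, List, Optional

# Kernel reject lines quoted in the question above (x.y = the poster's redacted
# octets, kept as-is); the final TCP line is constructed to show a non-match.
SAMPLE_LOG = """\
Jun 29 11:00:21 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=543 TOS=0x00 PREC=0x00 TTL=64 ID=30905 DF PROTO=UDP SPT=47400 DPT=35072 LEN=523
Jun 29 11:01:22 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=543 TOS=0x00 PREC=0x00 TTL=64 ID=65234 DF PROTO=UDP SPT=47400 DPT=47668 LEN=523
Jun 29 11:01:22 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=543 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47400 DPT=40812 LEN=523
Jun 29 11:02:00 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=08:00:27:6c:dd:8f:08:00:27:96:51:2f:08:00 SRC=x.y.2.84 DST=x.y.2.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

MULTICAST_PORT = 47400   # UDP port the poster opened for Ignite multicast discovery
EPHEMERAL_MIN = 1024     # low end of the range the poster had to open to make it work

_FIELD = re.compile(r"(\w+)=(\S*)")  # key=value tokens; bare flags like DF are skipped


def parse_reject(line: str) -> Optional[Dict[str, str]]:
    """Parse one FINAL_REJECT kernel log line into its key=value fields.

    Returns None for any other line. LEN appears twice (IP header, then UDP
    header); the dict keeps the last value, i.e. the UDP length."""
    if "FINAL_REJECT:" not in line:
        return None
    return dict(_FIELD.findall(line.split("FINAL_REJECT:", 1)[1]))


def is_discovery_reply(fields: Dict[str, str]) -> bool:
    """True when the dropped packet fits the pattern in the question: UDP, sent
    from the multicast port, aimed at an unprivileged (randomly chosen) port."""
    return (fields.get("PROTO") == "UDP"
            and fields.get("SPT") == str(MULTICAST_PORT)
            and int(fields.get("DPT", "0")) >= EPHEMERAL_MIN)


def discovery_rejects(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed fields of every blocked packet matching the pattern."""
    parsed = (parse_reject(line) for line in log_text.splitlines())
    return [f for f in parsed if f and is_discovery_reply(f)]


def ports_by_remote(log_text: str) -> Dict[str, List[int]]:
    """Group the blocked destination ports by the remote node that sent them,
    which shows how many different random ports one peer's replies land on."""
    out: Dict[str, List[int]] = {}
    for f in discovery_rejects(log_text):
        out.setdefault(f["SRC"], []).append(int(f["DPT"]))
    return out
```

Running `ports_by_remote` over a real `journalctl -k` dump answers the question of how many distinct ephemeral ports the replies actually hit, which is the number a blanket 1024-65535 rule would be covering.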