GlusterFS firewall rules
Category : How-to
If you can, place your storage servers in a secure zone of your network, which removes the need to firewall each machine. Inspecting packets incurs an overhead that you do not want on a high-performance file server, so you should not run a file server in an insecure zone. If you are running GlusterFS behind a firewall, you will need to allow several ports so that GlusterFS can communicate with clients and other servers. The following ports are all TCP:
Note: the brick ports have changed since version 3.4.
- 24007 – Gluster Daemon
- 24008 – Management
- 24009 and greater (GlusterFS versions less than 3.4) OR
- 49152 (GlusterFS versions 3.4 and later) – Each brick for every volume on your host requires its own port. For every new brick, one new port will be used, starting at 24009 for GlusterFS versions below 3.4 and 49152 for version 3.4 and above. If you have one volume with two bricks, you will need to open 24009 – 24010 (or 49152 – 49153).
- 38465 – 38467 – required if you use the Gluster NFS service.
The following ports are TCP and UDP:
- 111 – portmapper
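
The port list above, turned into a rule generator as an added example (not code from the original post): it prints iptables rules instead of applying them, so the output can be reviewed first. The function names, the INPUT chain, the trusted source CIDR argument and tying portmapper to the NFS option are assumptions.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules for one GlusterFS server.
# Assumptions: INPUT chain, one trusted source CIDR for clients and peers,
# and portmapper (111) only opened together with the Gluster NFS ports.

# brick_port_range VERSION BRICKS -> prints "first:last"
brick_port_range() (
    version=$1; bricks=$2
    case $bricks in ''|0*|*[!0-9]*)
        echo "bricks must be a positive integer" >&2; exit 1;; esac
    case $version in [0-9]*.[0-9]*) ;;
        *) echo "version must look like X.Y" >&2; exit 1;; esac
    major=${version%%.*}; rest=${version#*.}; minor=${rest%%.*}
    case $major$minor in *[!0-9]*)
        echo "version must be numeric" >&2; exit 1;; esac
    # Brick ports start at 24009 before 3.4 and at 49152 from 3.4 onwards.
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 4 ]; }; then
        base=24009
    else
        base=49152
    fi
    echo "$base:$((base + bricks - 1))"
)

# gluster_rules VERSION BRICKS SOURCE_CIDR [nfs]
gluster_rules() (
    src=$3; nfs=${4:-no}
    [ -n "$src" ] || { echo "source CIDR required" >&2; exit 1; }
    range=$(brick_port_range "$1" "$2") || exit 1
    # Daemon and management ports, then one port per brick.
    echo "iptables -A INPUT -p tcp -s $src --dport 24007:24008 -j ACCEPT"
    echo "iptables -A INPUT -p tcp -s $src --dport $range -j ACCEPT"
    if [ "$nfs" = nfs ]; then
        echo "iptables -A INPUT -p tcp -s $src --dport 38465:38467 -j ACCEPT"
        echo "iptables -A INPUT -p tcp -s $src --dport 111 -j ACCEPT"
        echo "iptables -A INPUT -p udp -s $src --dport 111 -j ACCEPT"
    fi
)

# Constructed sample: GlusterFS 3.4, two bricks, clients in 192.0.2.0/24, NFS on.
gluster_rules 3.4 2 192.0.2.0/24 nfs
```

Limiting each rule to a source range keeps the brick ports closed to everything outside the storage network; rerun the generator whenever a brick is added, since each new brick takes the next port.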
8 Comments
khoi
30-Sep-2013 at 2:53 pm
There have been changes of port creation of volumes starting on glusterfs release 3.4.1
https://forge.gluster.org/gluster-docs-project/pages/GlusterFS_34_Release_Notes
james.coyle
30-Sep-2013 at 3:04 pm
Thanks for the info, Khoi – I have updated the post.
Michael Kennedy
19-Mar-2014 at 10:38 am
The NFS ports are incorrect. 38465:38467. The highlighted characters have been transposed.
http://gluster.org/community/documentation/index.php/Gluster_3.2:_Installing_GlusterFS_on_Red_Hat_Package_Manager_(RPM)_Distributions
james.coyle
19-Mar-2014 at 12:50 pm
Thanks for spotting the typo – post updated.
Alexander
25-Jun-2014 at 11:50 am
Another minor typo :)
If you have one volume with two bricks, you will need to open 24009 – 24010 (or 49152 – 59153).
That should probably be:
If you have one volume with two bricks, you will need to open 24009 – 24010 (or 49152 – 49153).
james.coyle
25-Jun-2014 at 12:23 pm
Good catch – thank you.
Ernie Dunbar
1-Feb-2017 at 4:48 pm
The problem with completely cutting your Gluster servers off from the rest of the internet is that you need the internet to perform server upgrades in most cases.
Other than that, I suppose that’s a fine strategy.
Peter Crowther
9-Nov-2018 at 4:04 pm
Some of the systems I manage are used for medical research and the like, and are therefore heavily regulated. We keep our package repositories in house, so that we know when we’ve updated them and can update on our test network before we take anything live. Use cases vary – I’d much rather have systems that were easier to update, but when you have lives on the line if you get it wrong then you put the effort into getting it right :-).