
perfsonar-user - Re: [perfsonar-user] perfSONAR 4.0 RC2 Firewall defaults

Subject: perfSONAR User Q&A and Other Discussion

  • From: Laurie Zirkle <>
  • To: perfsonar-user <>
  • Subject: Re: [perfsonar-user] perfSONAR 4.0 RC2 Firewall defaults
  • Date: Wed, 12 Apr 2017 07:51:48 -0400

The issue we have is our cobbler/ansible standard uses iptables rather
than firewalld. This causes us issues where we (for now, because it's
still RC rather than production) manually stop firewalld and start
iptables.

--
Laurie


On Tue, Apr 11, 2017 at 3:16 PM, Hyojoon Kim
<>
wrote:
> Hi all,
>
> I just wanted to share that this still seems to be the case: that I have to
> run "/usr/lib/perfsonar/script/configure_firewall install" manually to get
> the firewall rules correctly installed in the perfSONAR host, with perfSONAR
> 4.0 RC3 on CentOS 7. Reboot does not seem to run the script.
>
> Probably this is not the case when you get a pre-made perfSONAR CentOS ISO.
> However, in my environment I had my own CentOS 7 and installed perfSONAR 4.0
> RC3 via yum (perfsonar-toolkit bundle) separately
> (http://docs.perfsonar.net/release_candidates/4.0rc3/install_centos.html).
> In this case, I had to manually run that command.
>
> Thanks,
> Joon
>
> On Nov 17, 2016, at 1:34 PM, Michael Petry
> <>
> wrote:
>
> Symon,
> Thanks for the followup.
>
> Firewall-cmd does give the expected results. The issue is that I had to
> first start firewalld and also run
> "/usr/lib/perfsonar/script/configure_firewall install" by hand. The docs
> leave a reader with the impression that it
> is all enabled and configured by default. Also the docs (listed as part of
> the 4.0RC2 candidate) are very
> iptables-centric while the script actions are centered around firewall-cmd.
>
> The Fail2ban setup has a similar conflict on docs vs. action.
>
> I wanted to report it as an issue so it doesn’t get lost before final
> release.
>
> Migrating to Centos7 brings lots of changes that may trip some people up. I
> welcome the changes, especially the improved network stack performance.
>
> Thanks again,
> Mike
>
>
> firewall-cmd --list-all
> public (default, active)
> interfaces: p1p1
> sources:
> services: bwctl dhcpv6-client http https ndt npad ntp oppd owamp ssh
> traceroute
> ports: 6001-6200/tcp 5601-5900/tcp 8760-9960/udp 5601-5900/udp
> 6001-6200/udp 5301-5600/udp 5001-5300/tcp 8760-9960/tcp 5001-5300/udp
> 5301-5600/tcp
> masquerade: no
> forward-ports:
> icmp-blocks:
> rich rules:
>
>
> On Nov 17, 2016, at 2:59 AM, Szymon Trocha
> <>
> wrote:
>
> On 17.11.2016 at 08:57, Szymon Trocha wrote:
>
> On 16.11.2016 at 17:11, Michael Petry wrote:
>
> Reading the docs at:
> http://docs.perfsonar.net/release_candidates/4.0rc2/manage_security.html
>
> left me with the impression that iptables/firewalld was enabled with the
> specified default rules.
> That doesn't seem to be the case when installing/booting from the ISO image
> 4.0 RC2 Nov 1
>
> Is that the intent or did I misread the docs/release notes?
>
> Thanks,
> Mike
>
>
> Hi Mike,
>
> What do you get when you issue:
>
> firewall-cmd --get-active-zones ?
>
>
> Sorry, it should have been: firewall-cmd --list-all
>
>
> --
> Szymon Trocha
>
> Poznań Supercomputing & Networking Center
> Tel. +48 618582022 ::: http://noc.pcss.pl
>
>
>
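A check for the condition discussed in this thread, added here as an example (it is not from any poster and is not perfSONAR code): it parses `firewall-cmd --list-all` output and reports which expected services are missing, so a yum-installed host where `configure_firewall install` never ran is caught. The function names and the expected-service list are assumptions; the list is taken from the output posted above.

```shell
#!/bin/sh
# Added example (not perfSONAR code): report which expected services are
# absent from `firewall-cmd --list-all` output read on stdin.

# Assumption: the expected set is the services shown in the output posted in
# this thread, without the stock dhcpv6-client entry.
EXPECTED_SERVICES="bwctl ndt npad ntp oppd owamp traceroute http https ssh"

# Print the "services:" list, joining a wrapped continuation line as seen
# in the mailed output.
listed_services() {
  awk '
    /^[ \t]*services:/ { sub(/^[ \t]*services:[ \t]*/, ""); buf = $0; grab = 1; next }
    grab && /^[ \t]*[a-z -]+:/ { grab = 0 }   # the next "key:" line ends the list
    grab { buf = buf " " $0 }
    END { print buf }
  '
}

# Print the expected services that are not listed (empty output = all present).
missing_services() {
  have=" $(listed_services | tr -s '[:space:]' ' ') "
  missing=""
  for want in $EXPECTED_SERVICES; do
    case "$have" in
      *" $want "*) ;;
      *) missing="$missing $want" ;;
    esac
  done
  printf '%s\n' "${missing# }"
}

# Live check for a CentOS 7 host; returns 2 if firewalld is not running,
# 1 if services are missing, 0 otherwise. Not called automatically.
check_live_host() {
  [ "$(firewall-cmd --state 2>/dev/null)" = "running" ] || { echo "firewalld is not running"; return 2; }
  m=$(firewall-cmd --list-all | missing_services)
  [ -z "$m" ] || { echo "missing services: $m"; return 1; }
}

# Output as posted in the thread (quote markers removed, port list shortened).
SAMPLE_CONFIGURED='public (default, active)
  interfaces: p1p1
  services: bwctl dhcpv6-client http https ndt npad ntp oppd owamp ssh
traceroute
  ports: 6001-6200/tcp 5601-5900/tcp'

# Constructed sample: a zone where the perfSONAR rules were never applied.
SAMPLE_STOCK='public (default, active)
  services: dhcpv6-client ssh
  ports:'
```

Sites that replace firewalld with iptables, as in the top reply, would need a different check, since `firewall-cmd --state` reports "not running" there.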


