
perfsonar-user - Re: [perfsonar-user] perfSONAR 4.0 RC2 Firewall defaults

Subject: perfSONAR User Q&A and Other Discussion

  • From: Andrew Lake <>
  • To: Laurie Zirkle <>, perfsonar-user <>
  • Subject: Re: [perfsonar-user] perfSONAR 4.0 RC2 Firewall defaults
  • Date: Wed, 12 Apr 2017 07:54:42 -0700

Hi Laurie,

I created an issue for us to mention this topic in our docs. I imagine you are not alone in wanting to skip the jump to firewalld right away, especially when you have config management software that already handles iptables. One option worth mentioning is that if you don't really use the Toolkit GUI, you may want to install perfsonar-core instead of perfsonar-toolkit since that does not pull in the firewall stuff by default. Then you can let ansible just handle things on its own.

Thanks,
Andy



On April 12, 2017 at 7:52:33 AM, Laurie Zirkle () wrote:

The issue we have is our cobbler/ansible standard uses iptables rather
than firewalld. This causes us issues where we (for now, because it's
still RC rather than production) manually stop firewalld and start
iptables.

--
Laurie


On Tue, Apr 11, 2017 at 3:16 PM, Hyojoon Kim <> wrote:
> Hi all,
>
> I just wanted to share that this still seems to be the case: that I have to
> run "/usr/lib/perfsonar/script/configure_firewall install" manually to get
> the firewall rules correctly installed in the perfSONAR host, with perfSONAR
> 4.0 RC3 on CentOS 7. Reboot does not seem to run the script.
>
> Probably this is not the case when you get a pre-made perfSONAR CentOS ISO.
> However, in my environment I had my own CentOS 7 and installed perfSONAR 4.0
> RC3 via yum (perfsonar-toolkit bundle) separately
> (http://docs.perfsonar.net/release_candidates/4.0rc3/install_centos.html).
> In this case, I had to manually run that command.
>
> Thanks,
> Joon
>
> On Nov 17, 2016, at 1:34 PM, Michael Petry <> wrote:
>
> Symon,
> Thanks for the followup.
>
> Firewall-cmd does give the expected results. The issue is that I had to
> first start firewalld and also run
> "/usr/lib/perfsonar/script/configure_firewall install" by hand. The docs
> leave a reader with the impression that it
> is all enabled and configured by default. Also the docs (listed as part of
> the 4.0RC2 candidate) are very
> iptables-centric while the script actions are centered around firewall-cmd.
>
> The Fail2ban setup has a similar conflict on docs vs. action.
>
> I wanted to report it as an issue so it doesn’t get lost before final
> release.
>
> Migrating to Centos7 brings lots of changes that may trip some people up. I
> welcome the changes, especially the improved network stack performance.
>
> Thanks again,
> Mike
>
>
> firewall-cmd --list-all
> public (default, active)
> interfaces: p1p1
> sources:
> services: bwctl dhcpv6-client http https ndt npad ntp oppd owamp ssh
> traceroute
> ports: 6001-6200/tcp 5601-5900/tcp 8760-9960/udp 5601-5900/udp
> 6001-6200/udp 5301-5600/udp 5001-5300/tcp 8760-9960/tcp 5001-5300/udp
> 5301-5600/tcp
> masquerade: no
> forward-ports:
> icmp-blocks:
> rich rules:
>
>
> On Nov 17, 2016, at 2:59 AM, Szymon Trocha <>
> wrote:
>
> On 17.11.2016 at 08:57, Szymon Trocha wrote:
>
> On 16.11.2016 at 17:11, Michael Petry wrote:
>
> Reading the docs at:
> http://docs.perfsonar.net/release_candidates/4.0rc2/manage_security.html
>
> left me with the impression that iptables/firewalld was enabled with the
> specified default rules.
> That doesn't seem to be the case when installing/booting from the ISO image
> 4.0 RC2 Nov 1
>
> Is that the intent or did I misread the docs/release notes?
>
> Thanks,
> Mike
>
>
> Hi Mike,
>
> What do you get when you issue:
>
> firewall-cmd --get-active-zones ?
>
>
> Sorry, it should have been: firewall-cmd --list-all
>
>
> --
> Szymon Trocha
>
> Poznań Supercomputing & Networking Center
> Tel. +48 618582022 ::: http://noc.pcss.pl
>
>
>
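
The check discussed in this thread (does the host actually carry the expected rules, or did `configure_firewall install` never run?) can be automated. The following is an added example, not part of the original messages or perfSONAR's own code; the baseline is taken from the `firewall-cmd --list-all` output quoted above, and the function names and sample inputs are assumptions made for illustration.

```python
import re

# Baseline copied from the `firewall-cmd --list-all` output quoted in the
# thread (assumption: that output is the intended post-install state).
EXPECTED_SERVICES = set(
    "bwctl dhcpv6-client http https ndt npad ntp oppd owamp ssh traceroute".split())
EXPECTED_PORTS = set((
    "6001-6200/tcp 5601-5900/tcp 8760-9960/udp 5601-5900/udp 6001-6200/udp "
    "5301-5600/udp 5001-5300/tcp 8760-9960/tcp 5001-5300/udp 5301-5600/tcp").split())
KEY_LINE = re.compile(r"^([a-z][a-z -]*):\s*(.*)$")

# Constructed samples: SAMPLE_OK mirrors the thread's output, including the
# mail client's line wrapping; SAMPLE_STOCK is a host with only stock rules.
SAMPLE_OK = """public (default, active)
interfaces: p1p1
services: bwctl dhcpv6-client http https ndt npad ntp oppd owamp ssh
traceroute
ports: 6001-6200/tcp 5601-5900/tcp 8760-9960/udp 5601-5900/udp
6001-6200/udp 5301-5600/udp 5001-5300/tcp 8760-9960/tcp 5001-5300/udp
5301-5600/tcp
masquerade: no
"""
SAMPLE_STOCK = "public (default, active)\n  services: dhcpv6-client ssh\n  ports:\n"


def parse_list_all(text):
    """Parse `firewall-cmd --list-all` output into {key: [tokens]}."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate indentation and "> " quoting
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:                              # "key: value value ..."
            current = m.group(1)
            fields[current] = m.group(2).split()
        elif current is None:              # zone header, e.g. "public (active)"
            fields["zone"] = [line.split()[0]]
        else:                              # wrapped continuation of previous key
            fields[current].extend(line.split())
    return fields


def missing_rules(text):
    """Return (missing_services, missing_ports) relative to the baseline."""
    fields = parse_list_all(text)
    return (sorted(EXPECTED_SERVICES - set(fields.get("services", []))),
            sorted(EXPECTED_PORTS - set(fields.get("ports", []))))
```

Feeding the captured output of `firewall-cmd --list-all` to `missing_rules` returns two empty lists on a correctly configured host; any non-empty result names the services or port ranges that were never opened.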


