The firewall hasn't changed during the upgrade, from back when our SRM
was working (the good old days...). All our dCache machines are plugged
into the same router, physically in the same place, so there are no
intervening firewalls or boxes. Afraid I'm lacking spare kit at the
mo to try your idea of diffing the two configurations. Will try the
firewall drop/dCache restart after lunch. As I can't disconnect those
machines from the internet easily (no easy physical access to those
machines), it will have to be done as quickly as possible.
I've stuck my firewall configs below, for the admin node and a pool
node, so you chaps can check for problems.
cheers,
matt
ADMIN NODE firewall (fal-pygrid-23-29 are our pool nodes. No firewall between them):

[root@fal-pygrid-20 root]# service iptables status
Table: filter

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- fal-pygrid-19.lancs.ac.uk anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- lapc.lancs.ac.uk anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- lapd1.lancs.ac.uk anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- lapa1.lancs.ac.uk anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- pyc008000002.lancs.ac.uk anywhere state NEW tcp dpt:ssh
ACCEPT udp -- ns1.lancs.ac.uk anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- dns.lancs.ac.uk anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- 127.127.1.0 anywhere udp spt:ntp dpt:ntp
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- fal-pygrid-23.lancs.ac.uk anywhere
ACCEPT all -- fal-pygrid-24.lancs.ac.uk anywhere
ACCEPT all -- fal-pygrid-25.lancs.ac.uk anywhere
ACCEPT all -- fal-pygrid-26.lancs.ac.uk anywhere
ACCEPT all -- fal-pygrid-27.lancs.ac.uk anywhere
ACCEPT all -- fal-pygrid-28.lancs.ac.uk anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:2811
ACCEPT tcp -- anywhere anywhere tcp dpt:8443
ACCEPT tcp -- anywhere anywhere tcp dpts:20000:25000
ACCEPT tcp -- anywhere anywhere tcp dpt:2288
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:2135
ACCEPT tcp -- fal-pygrid-17.lancs.ac.uk anywhere state NEW tcp dpt:8649
ACCEPT all -- anywhere anywhere PKTTYPE = multicast
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
POOL NODE FIREWALL (OPEN TO ADMIN NODE):

[root@fal-pygrid-23 root]# service iptables status
Table: filter

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- fal-pygrid-19.lancs.ac.uk anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- lapd1.lancs.ac.uk anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- 148.88.81.117 anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- 148.88.81.64 anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- 148.88.90.114 anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- fal-pygrid-13.lancs.ac.uk anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- fal-pygrid-20.lancs.ac.uk anywhere state NEW tcp dpt:ssh
ACCEPT udp -- ns1.lancs.ac.uk anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- dns.lancs.ac.uk anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- 127.127.1.0 anywhere udp spt:ntp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:2811
ACCEPT tcp -- anywhere anywhere tcp dpt:8443
ACCEPT tcp -- anywhere anywhere tcp dpts:20000:25000
ACCEPT all -- fal-pygrid-20.lancs.ac.uk anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
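The mail asks the list to eyeball the two rule sets and mentions wanting to diff the two configurations. An added example (not code from the original mail or from dCache) that does that mechanically: it parses `service iptables status` output as posted above, re-joining the lines the mail client wrapped, flags the things a reviewer would raise by hand, and diffs the admin and pool chains. The ADMIN and POOL strings are trimmed transcriptions of the posted chains; the checks themselves and the expected pool-host list (fal-pygrid-23 to 29, as the mail states) are the reviewer's assumptions. Run over the posted output it reports the `ACCEPT all -- anywhere anywhere` rule at the top of each chain (`iptables -L` hides interface matches, so whether that is the stock loopback rule or a real accept-everything needs `iptables-save` to confirm), the icmp/ipv6/RELATED,ESTABLISHED rules that appear twice on the admin node, the world-open dCache ports, and that the admin node's per-host ACCEPT rules stop at fal-pygrid-28 although the mail lists 23-29 as pool nodes.

```python
"""Sanity-check `service iptables status` (iptables -L) output.

Added example for the thread above, not code from the original mail. ADMIN and
POOL are trimmed, un-wrapped transcriptions of the posted chains; the checks and
the expected pool-host list (23..29, as the mail says) are assumptions.
"""
import re
from dataclasses import dataclass

# target prot[--] [--] source dest [match text]; "ipv6-crypt--" has no space before opt.
RULE_RE = re.compile(
    r"^(\S+)\s+(all|tcp|udp|icmp|ipv6-\w+)(?:--)?\s*(?:--\s+)?(\S+)\s+(\S+)\s*(.*)$")


@dataclass(frozen=True)
class Rule:
    target: str
    prot: str
    source: str
    dest: str
    extra: str  # remaining match text, e.g. "state NEW tcp dpt:ssh"

    def key(self):
        return " ".join((self.target, self.prot, self.source, self.dest, self.extra)).strip()


def parse_status(text):
    """Return {chain_name: [Rule, ...]}. A line that does not parse as a rule is
    a mail-client wrap and is glued back onto the rule before it."""
    chains, rules = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Chain (\S+)", line)
        if m:
            rules = chains.setdefault(m.group(1), [])
            continue
        if not line or rules is None or line.startswith(("Table:", "target ")):
            continue
        r = RULE_RE.match(line)
        if r:
            rules.append(Rule(*r.groups()))
        elif rules:
            last = rules.pop()
            rules.append(Rule(last.target, last.prot, last.source, last.dest,
                              (last.extra + " " + line).strip()))
    return chains


def audit(rules, name="RH-Firewall-1-INPUT"):
    """Findings a reviewer would raise on one chain (empty list if clean)."""
    findings, seen = [], set()
    for i, r in enumerate(rules, 1):
        bare = (r.prot, r.source, r.dest, r.extra) == ("all", "anywhere", "anywhere", "")
        if r.target == "ACCEPT" and bare:
            findings.append(f"{name} #{i}: unconditional ACCEPT; iptables -L hides -i/-o, "
                            "so confirm with iptables-save that this is the loopback rule")
        if r.target == "ACCEPT" and r.source == "anywhere" and "dpt" in r.extra:
            findings.append(f"{name} #{i}: world-open {r.prot} {r.extra.split()[-1]}")
        if r.key() in seen:
            findings.append(f"{name} #{i}: duplicate of an earlier rule ({r.key()})")
        seen.add(r.key())
    if not rules or rules[-1].target not in ("REJECT", "DROP"):
        findings.append(f"{name}: does not end in REJECT/DROP")
    return findings


def missing_host_rules(rules, hosts):
    """Expected peers with no ACCEPT rule naming them as source."""
    allowed = {r.source for r in rules if r.target == "ACCEPT"}
    return [h for h in hosts if h not in allowed]


def diff_rules(a, b):
    """(rules only in a, rules only in b): the config diff the mail asks about."""
    ka, kb = list(dict.fromkeys(r.key() for r in a)), list(dict.fromkeys(r.key() for r in b))
    return [k for k in ka if k not in kb], [k for k in kb if k not in ka]


ADMIN = """\
Chain RH-Firewall-1-INPUT (2 references)
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- fal-pygrid-19.lancs.ac.uk anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp any
""" + "".join(f"ACCEPT all -- fal-pygrid-{n}.lancs.ac.uk anywhere\n" for n in range(23, 29)) + """\
ACCEPT tcp -- anywhere anywhere tcp dpt:2811
ACCEPT tcp -- anywhere anywhere tcp dpts:20000:25000
ACCEPT tcp -- anywhere anywhere tcp dpt:2288
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
"""
POOL = """\
Chain RH-Firewall-1-INPUT (2 references)
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- fal-pygrid-20.lancs.ac.uk anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:2811
ACCEPT tcp -- anywhere anywhere tcp dpts:20000:25000
ACCEPT all -- fal-pygrid-20.lancs.ac.uk anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
"""
POOL_HOSTS = [f"fal-pygrid-{n}.lancs.ac.uk" for n in range(23, 30)]  # 23..29 per the mail

if __name__ == "__main__":
    admin, pool = (parse_status(t)["RH-Firewall-1-INPUT"] for t in (ADMIN, POOL))
    print(*audit(admin), *audit(pool, "pool chain"), sep="\n")
    print(missing_host_rules(admin, POOL_HOSTS), *diff_rules(admin, pool), sep="\n")
```

Feed it the real output with `service iptables status > admin.txt` on each box and `parse_status(open("admin.txt").read())`; for anything the `-L` listing cannot show (interfaces, the `lo` rule, counters) compare `iptables-save` output instead, which is also the form `diff` handles best.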