OceanStor BCManager 6.5.0 eReplication User Guide 02

Configuring the Firewall

For details about how to enable firewall ports in different operating systems, see the following steps:

If the firewall is improperly configured, system communication exceptions may occur.

Windows (the Server server)

This part uses Windows Server 2008 R2 as an example.

  • If a port blacklist is configured for the firewall of the operating system running on the eReplication Server, adding resources to eReplication may fail because Windows checks the blacklist preferentially. You are advised to delete the configured port blacklist and configure the IP address whitelist to enable the firewall.
  • An IP address or IP address segment cannot be in the whitelist and blacklist at the same time. Otherwise, only configurations of the blacklist are effective.
  1. Log in to the production application server as an administrator.
  2. Choose Start > Control Panel.
  3. Click Windows Firewall in the dialog box that is displayed.
  4. Click Advanced settings in the dialog box that is displayed.
  5. In the Windows Firewall with Advanced Security dialog box, right-click Inbound Rules. In the shortcut button area, click New Rule.
  6. In the What type of rule would you like to create? area, select Custom.
  7. Click Next and select All programs.
  8. Click Next.
  9. Click Next.
  10. In the Which local IP addresses does this rule apply to? area, select Any IP address.
  11. In the Which remote IP addresses does this rule apply to? area, select These IP addresses.
  12. Click Add.
  13. In the IP Address dialog box that is displayed, select This IP address or subnet or This IP address range to add a device IP address or IP address segment that can access the operating system after the firewall is enabled.

    If you have accessed the operating system in remote mode, perform steps 11 to 13 to add the local IP address to the IP whitelist. Otherwise, the remote connection will be automatically disconnected immediately after the firewall is enabled.



  14. Click OK and add the IP addresses to the These IP addresses area.
  15. Click Next and select Allow the connection.
  16. Click Next.
  17. Click Next and enter the rule name in Name.
  18. Click Finish.
  19. In the Windows Firewall dialog box that is displayed, check whether the firewall is enabled.

    • If yes, no further action is required.
    • If no, click Turn Windows Firewall on or off in the navigation tree, select Turn on Windows Firewall, and click OK.

    After the firewall is enabled, restart the eReplication Server service by performing the following steps:

    • Mode 1:
      1. Go to the installation path\bin directory of the eReplication Server.
      2. Double-click the startSystem.vbe file.
    • Mode 2:
      1. Choose Start > All Programs > BCManager.
      2. Click Start System.

SUSE Linux (the Server server)

  1. Log in to the server as user root.
  2. Run the iptables -I INPUT 1 -s IP address/submask -p tcp -j ACCEPT command to configure the IP address whitelist of the firewall.

    • After the firewall is enabled, only the IP addresses in the whitelist can be used to communicate with the eReplication Server. Therefore, to ensure the normal communication between a device and the eReplication Server, add the IP address of the device to the whitelist. For example, if you connect to the eReplication Server on a local device in a remote manner, add the IP address of the device to the whitelist. In addition, when you add a resource to eReplication, add the IP address of the resource device to the whitelist.
    • To ensure the normal connection between the eReplication Server and other devices, run the iptables -I INPUT 1 command to set the firewall rule of the eReplication Server to be the first rule.
    • If you have accessed a remote operating system, perform step 2 to add the local IP address to the IP whitelist. Otherwise, the remote connection will be automatically disconnected immediately after the firewall is enabled.

    Parameter description:

    • -s: indicates that one IP address or IP address segment is to be specified. If an IP address is to be specified, -s is followed by the IP address. If an IP address segment is to be specified, -s is followed by a value in the IP address/submask format.
    • -p: indicates the protocol type to be specified and is optional. This part uses TCP as an example.
    • -j: followed by ACCEPT and indicates that the access request is accepted.

  3. Run the iptables -A INPUT -i lo -j ACCEPT command to set network loopback rules to allow communication between servers.
  4. Run the iptables -P INPUT DROP command to set the policy for inbound data packets to DROP. In this way, only the IP address or IP address segment set in step 2 can access the current operating system.
  5. Run the iptables-save > /etc/sysconfig/iptables command to save the configurations.
  6. Run the vi /etc/init.d/boot.local command and press Insert to add the following command to the startup script.

    iptables-restore < /etc/sysconfig/iptables

  7. Press Esc, and run the :wq! command to save the change and exit.

    After the firewall is enabled, restart the eReplication Server service by performing the following steps:

    1. Run the cd /opt/BCManager/Runtime/bin command to go to the directory where the scripts are saved.
    2. Run the sh shutdownSystem.sh command.
    3. Type y and press Enter to disable the eReplication Server service.
    4. Run the sh startSystem.sh command to restart the eReplication Server service.
    • If the firewall rule changes, run the iptables-save > /etc/sysconfig/iptables command to save the updated firewall rule. Otherwise, the firewall rule will be restored to the previously saved one after the operating system is rebooted.
    • To disable the firewall, perform the following:
      1. Run the iptables -P INPUT ACCEPT command.
      2. Run the iptables -D INPUT 1 command repeatedly until all firewall rules are deleted.
      3. Run the iptables-save > /etc/sysconfig/iptables command to save the configurations.

RedHat Linux (the Server server)

  1. Log in to the server as user root.
  2. Run the iptables -I INPUT 1 -s IP address/submask -p tcp -j ACCEPT command to configure the IP address whitelist of the firewall.

    • After the firewall is enabled, only the IP addresses in the whitelist can be used to communicate with the eReplication Server. Therefore, to ensure the normal communication between a device and the eReplication Server, add the IP address of the device to the whitelist. For example, if you connect to the eReplication Server on a local device in a remote manner, add the IP address of the device to the whitelist. In addition, when you add a resource to eReplication, add the IP address of the resource device to the whitelist.
    • To ensure the normal connection between the eReplication Server and other devices, run the iptables -I INPUT 1 command to set the firewall rule of the eReplication Server to be the first rule.
    • If you have accessed a remote operating system, perform step 2 to add the local IP address to the IP whitelist. Otherwise, the remote connection will be automatically disconnected immediately after the firewall is enabled.

    Parameter description:

    • -s: indicates that one IP address or IP address segment is to be specified. If an IP address is to be specified, -s is followed by the IP address. If an IP address segment is to be specified, -s is followed by a value in the IP address/submask format.
    • -p: indicates the protocol type to be specified and is optional. This part uses TCP as an example.
    • -j: followed by ACCEPT and indicates that the access request is accepted.

  3. Run the iptables -A INPUT -i lo -j ACCEPT command to set network loopback rules to allow communication between servers.
  4. Run the iptables -P INPUT DROP command to set the policy for inbound data packets to DROP. In this way, only the IP address or IP address segment set in step 2 can access the current operating system.
  5. Run the iptables-save > /etc/sysconfig/iptables command to save the configurations.
  6. Run the vi /etc/rc.d/rc.local command and press Insert to add the following command to the startup script.

    iptables-restore < /etc/sysconfig/iptables

  7. Press Esc, and run the :wq! command to save the change and exit.

    After the firewall is enabled, restart the eReplication Server service by performing the following steps:

    1. Run the cd /opt/BCManager/Runtime/bin command to go to the directory where the scripts are saved.
    2. Run the sh shutdownSystem.sh command.
    3. Type y and press Enter to disable the eReplication Server service.
    4. Run the sh startSystem.sh command to restart the eReplication Server service.
    • If the firewall rule changes, run the iptables-save > /etc/sysconfig/iptables command to save the updated firewall rule. Otherwise, the firewall rule will be restored to the previously saved one after the operating system is rebooted.
    • To disable the firewall, perform the following:
      1. Run the iptables -P INPUT ACCEPT command.
      2. Run the iptables -D INPUT 1 command repeatedly until all firewall rules are deleted.
      3. Run the iptables-save > /etc/sysconfig/iptables command to save the configurations.

Euler Linux (the Server server)

  1. Log in to the server as user root.
  2. Run the iptables -I INPUT 1 -s IP address/submask -p tcp -j ACCEPT command to configure the IP address whitelist of the firewall.

    • After the firewall is enabled, only the IP addresses in the whitelist can be used to communicate with the eReplication Server. Therefore, to ensure the normal communication between a device and the eReplication Server, add the IP address of the device to the whitelist. For example, if you connect to the eReplication Server on a local device in a remote manner, add the IP address of the device to the whitelist. In addition, when you add a resource to eReplication, add the IP address of the resource device to the whitelist.
    • To ensure the normal connection between the eReplication Server and other devices, run the iptables -I INPUT 1 command to set the firewall rule of the eReplication Server to be the first rule.
    • If you have accessed a remote operating system, perform step 2 to add the local IP address to the IP whitelist. Otherwise, the remote connection will be automatically disconnected immediately after the firewall is enabled.

    Parameter description:

    • -s: indicates that one IP address or IP address segment is to be specified. If an IP address is to be specified, -s is followed by the IP address. If an IP address segment is to be specified, -s is followed by a value in the IP address/submask format.
    • -p: indicates the protocol type to be specified and is optional. This part uses TCP as an example.
    • -j: followed by ACCEPT and indicates that the access request is accepted.

  3. Run the iptables -A INPUT -i lo -j ACCEPT command to set network loopback rules to allow communication between servers.
  4. Run the iptables -P INPUT DROP command to set the policy for inbound data packets to DROP. In this way, only the IP address or IP address segment set in step 2 can access the current operating system.
  5. Run the iptables-save > /etc/sysconfig/iptables command to save the configurations.
  6. Run the vi /etc/rc.d/rc.local command and press Insert to add the following command to the startup script.

    iptables-restore < /etc/sysconfig/iptables

  7. Press Esc, and run the :wq! command to save the change and exit.

    After the firewall is enabled, restart the eReplication Server service by performing the following steps:

    1. Run the cd /opt/BCManager/Runtime/bin command to go to the directory where the scripts are saved.
    2. Run the sh shutdownSystem.sh command.
    3. Type y and press Enter to disable the eReplication Server service.
    4. Run the sh startSystem.sh command to restart the eReplication Server service.
    • If the firewall rule changes, run the iptables-save > /etc/sysconfig/iptables command to save the updated firewall rule. Otherwise, the firewall rule will be restored to the previously saved one after the operating system is rebooted.
    • To disable the firewall, perform the following:
      1. Run the iptables -P INPUT ACCEPT command.
      2. Run the iptables -D INPUT 1 command repeatedly until all firewall rules are deleted.
      3. Run the iptables-save > /etc/sysconfig/iptables command to save the configurations.
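
Steps 2 to 5 of the SUSE, RedHat and Euler Linux Server procedures above, as a dry-run planner that only prints the commands. This is an added example, not Huawei's code; the function names and sample addresses are assumptions, and it refuses to print the DROP policy unless the administrator's own address is covered by a whitelist entry.

```sh
#!/bin/sh
# Added example, not Huawei's code. Prints commands only; review, then run as root.

# Dotted-quad IPv4 -> integer; non-zero status on malformed input.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ""|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeeds if address $1 is covered by -s value $2: addr, addr/prefix or addr/netmask.
in_cidr() {
    net=${2%%/*}; bits=32
    case "$2" in */*) bits=${2#*/} ;; esac
    case "$bits" in
        *.*) mask=$(ip_to_int "$bits") || return 1 ;;
        ""|*[!0-9]*|0?*) return 1 ;;
        *) [ "$bits" -le 32 ] || return 1
           mask=$(( (4294967295 << (32 - bits)) & 4294967295 )) ;;
    esac
    a=$(ip_to_int "$1") && n=$(ip_to_int "$net") || return 1
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# Prints steps 2 to 5 for admin address $1 and whitelist entries $2...
# Status 2: malformed entry. Status 1: no entry covers the admin address, so
# "iptables -P INPUT DROP" would cut the current remote session.
plan_whitelist() {
    admin=$1; shift; covered=no
    for entry in "$@"; do
        in_cidr "${entry%%/*}" "$entry" || { echo "bad entry: $entry" >&2; return 2; }
        if in_cidr "$admin" "$entry"; then covered=yes; fi
    done
    [ "$covered" = yes ] || { echo "refusing: $admin not whitelisted" >&2; return 1; }
    for entry in "$@"; do echo "iptables -I INPUT 1 -s $entry -p tcp -j ACCEPT"; done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -P INPUT DROP"
    echo "iptables-save > /etc/sysconfig/iptables"
}

# Constructed sample (documentation address ranges); over SSH the admin address
# could instead be taken from "${SSH_CLIENT%% *}".
plan_whitelist 192.0.2.10 192.0.2.0/24 198.51.100.7
```

The whitelist entries cover resource devices as well as administrators, so pass every device address that must reach the eReplication Server, not only your own.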

Windows (the Agent server)

  1. Log in to the production application server as an administrator.
  2. Choose Start > Control Panel.
  3. Click Windows Firewall in the dialog box that is displayed.
  4. Click Advanced settings in the dialog box that is displayed.
  5. In the Windows Firewall with Advanced Security dialog box, right-click Inbound Rules. In the shortcut button area, click New Rule.
  6. In the What type of rule would you like to create? area, click Port.
  7. Click Next and select TCP. In the Specific local ports text box, enter the added firewall ports.

    For example, 9443.

  8. Click Next.
  9. Click Next.
  10. Click Next and enter the name and description.
  11. Click Finish.

SUSE Linux (the Agent server)

  1. Log in to the application server as user root.
  2. Run the vi /etc/sysconfig/SuSEfirewall2 command to open the firewall configuration file.
  3. Press i to go to the edit mode and edit the configuration file.
  4. In FW_SERVICES_EXT_TCP=, enter the added firewall ports.

    For example, FW_SERVICES_EXT_TCP=59526.

  5. Press Esc and enter :wq! to save the changes and exit.
  6. Run the SuSEfirewall2 stop command to stop the firewall.
  7. Run the SuSEfirewall2 start command to start the firewall so that the configuration takes effect.

Red Hat Linux (the Agent server)

  1. Log in to the application server as user root.
  2. Run the vi /etc/sysconfig/iptables command to open the firewall configuration file.
  3. Press i to go to the edit mode and edit the configuration file.
  4. Add -A INPUT -m state --state NEW -m tcp -p tcp --dport 59526 -j ACCEPT to the line that is after the :OUTPUT ACCEPT line and before the COMMIT line.



  5. Press Esc and enter :wq! to save the changes and exit.
  6. Run the service iptables restart command to restart the firewall so that the configuration takes effect.

AIX (the Agent server)

  1. Log in to the application server as user root.
  2. Run the smit ipsec4 command. Select Advanced IP Security Configuration, and press Enter.
  3. Select Configure IP Security Filter Rules and press Enter.
  4. Select Add an IP Security Filter Rule and press Enter to modify the firewall.
  5. Press Esc+4 to select a value in the red area and configure the value as follows:



  6. Press Enter to save the changes and exit.
  7. Run the smit ipsec4 command. Select Start/Stop IP Security and press Enter.
  8. Select Stop IP Security and press Enter to stop the firewall.
  9. Run the smit ipsec4 command. Select Start/Stop IP Security and press Enter.
  10. Select Start IP Security and press Enter to start the firewall so that the configuration takes effect.

HP-UX/Solaris (the Agent server)

  1. Log in to the application server as user root.
  2. Run the vi /etc/opt/ipf/ipf.conf command to open the firewall configuration file.
  3. Press i to go to the edit mode and edit the configuration file.
  4. Add pass in from any to any port = 59526 to the configuration file.
  5. Press Esc and enter :wq! to save the changes and exit.
  6. Run the ipf -Fa command.
  7. Run the ipf -f /etc/opt/ipf/ipf.conf command.
  8. Run the ipf -Fa command.
  9. Run the telnet IP address of the application server 59526 command to test the configuration.
Updated: 2019-05-21

Document ID: EDOC1100075861

Views: 10854

Downloads: 55
