Dell PowerFlex v3.6.x Gateway High Availability Technical Notes

Configure the firewall

If the firewall is active, you must allow ports. If firewalld and selinux are disabled, skip this section.

1. Enable vrrp traffic in the firewall:

   firewall-cmd --permanent --zone=public --add-service=http
   firewall-cmd --permanent --zone=public --add-service=https
   firewall-cmd --permanent --zone=public --add-port=28443/tcp
   firewall-cmd --permanent --zone=public --add-port=28080/tcp
   firewall-cmd --permanent --zone=public --add-protocol=vrrp 
   firewall-cmd --reload
   

2. Validate the configuration:

   firewall-cmd --list-all

   Output, similar to the following is displayed:

    [root@A59T6290 ~]# firewall-cmd --list-all
   public (active)
     target: default
     icmp-block-inversion: no
     interfaces: bond0 bond0.31 enp2s0f0 enp5s0f0 enp5s0f1
     sources:
     services: dhcpv6-client http https ssh
     ports: 33833/tcp 443/tcp 80/tcp 9011/tcp 6611/tcp 9099/tcp 28080/tcp 28443/tcp 7072/tcp
     protocols: vrrp
     masquerade: no
     forward-ports:
     sourceports:
     icmp-blocks:
     rich rules:
   

3. On both nodes where selinux is enabled, run this command:

   setsebool -P haproxy_connect_any 1

4. Verify the new configuration is set to on:

   /usr/sbin/getsebool -a | grep -i haproxy

   Output, similar to the following is displayed:

   [root@A59]# /usr/sbin/getsebool -a | grep -i haproxy
   haproxy_connect_any --> on