The OneFS host-based firewall is composed of firewall rules and policies. A firewall rule is used to specify a matching criterion for IP packets and an associated action. The matching criteria for a rule can be the following:
The associated actions for the matching criteria of a rule are the following:
A firewall policy can contain multiple firewall rules. The rules are matched by index in ascending order. While each firewall rule has an associated action, the policy has a user-defined default action that applies if none of the firewall rules match. The firewall policy default action may deny, reject, or allow an IP packet from any source to any destination. A firewall policy is assigned to a network pool and subnet, as shown in the following figure.
Figure 29. Firewall policy and rules
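The ordered-match semantics above (rules tried by ascending index, first match wins, policy default action otherwise) are the part of the design most worth checking before a policy goes live, because a broad allow at a low index silently shadows a narrower deny at a higher index. The following is an added example written for this page, not OneFS code: a small evaluator that models a policy the way the text describes it, and assumes rule criteria of source network, protocol and destination port (the page's own list of criteria is not reproduced here).

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not OneFS code. Assumed rule criteria: source network,
# protocol and destination port (the page's own criteria list is not shown).
@dataclass
class Rule:
    index: int
    action: str                         # "allow", "deny" or "reject"
    src: str = "0.0.0.0/0"              # any source
    protocol: str = "any"               # "tcp", "udp" or "any"
    dst_ports: frozenset = frozenset()  # empty = any destination port

    def matches(self, src_ip, protocol, dst_port):
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.protocol not in ("any", protocol):
            return False
        return not self.dst_ports or dst_port in self.dst_ports

@dataclass
class Policy:
    name: str
    default_action: str                 # applies when no rule matches
    rules: list = field(default_factory=list)

    def evaluate(self, src_ip, protocol, dst_port):
        # Rules are tried by index in ascending order; the first match wins.
        for rule in sorted(self.rules, key=lambda r: r.index):
            if rule.matches(src_ip, protocol, dst_port):
                return rule.action, rule.index
        return self.default_action, None

def shadowed_policy():
    # Constructed pool policy: the broad allow at index 1 is matched before
    # the narrower deny at index 2, so 10.0.5.0/24 is never actually blocked.
    return Policy("pool_policy_constructed", "deny", [
        Rule(1, "allow", "10.0.0.0/8", "tcp", frozenset({445})),
        Rule(2, "deny", "10.0.5.0/24", "tcp", frozenset({445})),
        Rule(3, "allow", "0.0.0.0/0", "tcp", frozenset({22})),
    ])

def corrected_policy():
    # Same rules with the specific deny placed at a lower index than the allow.
    p = shadowed_policy()
    for r in p.rules:
        r.index = {1: 2, 2: 1}.get(r.index, r.index)
    return p
```

Evaluating `("10.0.5.7", "tcp", 445)` returns `("allow", 1)` for the shadowed policy and `("deny", 1)` once the deny is moved ahead of the allow; a packet matching no rule falls through to the policy default.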
By default, OneFS has a Default Pools Policy (default_pools_policy) and a Default Subnets Policy (default_subnets_policy), as shown in the following figure. The Default Pools Policy enforces the port numbers and protocols required for OneFS services, as listed in the Security Configuration Guide, found under the respective OneFS software release at OneFS Info Hubs.
The Default Subnets Policy (default_subnets_policy) applies to SSIPs and provides rules for the following:
Important: Network pools do not inherit firewall policies or rules from the firewall policy associated with their respective subnets.
Network pools and network subnets always belong to exactly one firewall policy. This can be either a custom policy or a default policy. If a subnet or pool is removed from a policy, it is automatically added to the default policy.
Figure 30. Default firewall policies
An administrator can modify both the Default Pools Policy and the Default Subnets Policy. Because every subnet or pool must have a policy assigned, the default policies apply whenever a pool or subnet has no custom policy assigned. OneFS also provides an option to revert the default policies to factory defaults, with the isi network firewall reset global policy command.