Tomoki BENIYA
beniy****@bit-i*****
Mon, 16 May 2011 17:40:28 JST
Hello, this is my first post; my name is Beniya. I am currently building an HA setup with Heartbeat3 + Pacemaker. While looking at netstat I noticed something that bothered me, so I am posting to ask for everyone's opinion.

■IP
hoge1
  eth0 203.0.113.1
  eth1 10.0.9.210
  eth2 172.16.0.1
hoge2
  eth0 203.0.113.2
  eth1 10.0.9.211
  eth2 172.16.0.2

Heartbeat is exchanged over two private networks. Looking at netstat, on each server udp 694 plus two high ports are opened on 0.0.0.0, and the high ports are the source ports of the heartbeat packets. nmap reports them as "open|filtered", so it also looks as though they might be open.

What do you all do about these high ports? Blocking them with a firewall would settle it, but I would like to know if there is some other way to close them.

I would appreciate your opinions. Thank you in advance.

Below are the command results etc.

■ha.cf
====================================================================================================
crm yes
logfile /var/log/ha.log
logfacility local0
keepalive 1
warntime 5
deadtime 10
udpport 694
mcast eth1 239.0.0.1 694 1 0
mcast eth2 239.0.0.2 694 1 0
node hoge1
node hoge2
====================================================================================================

■netstat
====================================================================================================
root @ hoge1:~# netstat -nap --udp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 239.0.0.2:694 0.0.0.0:* 19246/heartbeat: wr
udp 0 0 239.0.0.1:694 0.0.0.0:* 19244/heartbeat: wr
udp 0 0 0.0.0.0:53945 0.0.0.0:* 19246/heartbeat: wr
udp 0 0 0.0.0.0:38781 0.0.0.0:* 19244/heartbeat: wr

root @ hoge2:~# netstat -nap --udp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 239.0.0.2:694 0.0.0.0:* 21878/heartbeat: wr
udp 0 0 239.0.0.1:694 0.0.0.0:* 21876/heartbeat: wr
udp 1120 0 0.0.0.0:33302 0.0.0.0:* 21876/heartbeat: wr
udp 2240 0 0.0.0.0:44321 0.0.0.0:* 21878/heartbeat: wr
====================================================================================================

■tcpdump
====================================================================================================
root @ hoge1:~# tcpdump -ni eth1 port 38781
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:44:25.640260 IP 10.0.9.210.38781 > 239.0.0.1.694: UDP, length 211
16:44:26.641209 IP 10.0.9.210.38781 > 239.0.0.1.694: UDP, length 211
16:44:27.642257 IP 10.0.9.210.38781 > 239.0.0.1.694: UDP, length 211
16:44:28.643265 IP 10.0.9.210.38781 > 239.0.0.1.694: UDP, length 211
16:44:29.644435 IP 10.0.9.210.38781 > 239.0.0.1.694: UDP, length 211

root @ hoge1:~# tcpdump -ni eth2 port 53945
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
16:44:38.644368 IP 172.16.0.1.53945 > 239.0.0.2.694: UDP, length 211
16:44:39.645460 IP 172.16.0.1.53945 > 239.0.0.2.694: UDP, length 211
16:44:40.646420 IP 172.16.0.1.53945 > 239.0.0.2.694: UDP, length 206
16:44:40.646447 IP 172.16.0.1.53945 > 239.0.0.2.694: UDP, length 211
16:44:41.647418 IP 172.16.0.1.53945 > 239.0.0.2.694: UDP, length 211
====================================================================================================
root @ hoge2:~# tcpdump -ni eth1 port 33302
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
15:05:28.771098 IP 10.0.9.211.33302 > 239.0.0.1.694: UDP, length 211
15:05:29.772038 IP 10.0.9.211.33302 > 239.0.0.1.694: UDP, length 211
15:05:30.773429 IP 10.0.9.211.33302 > 239.0.0.1.694: UDP, length 211
15:05:31.774360 IP 10.0.9.211.33302 > 239.0.0.1.694: UDP, length 211
15:05:32.775716 IP 10.0.9.211.33302 > 239.0.0.1.694: UDP, length 211

root @ hoge2:~# tcpdump -ni eth2 port 44321
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
15:05:14.775475 IP 172.16.0.2.44321 > 239.0.0.2.694: UDP, length 211
15:05:15.215703 IP 172.16.0.2.44321 > 239.0.0.2.694: UDP, length 206
15:05:15.776465 IP 172.16.0.2.44321 > 239.0.0.2.694: UDP, length 211
15:05:16.777411 IP 172.16.0.2.44321 > 239.0.0.2.694: UDP, length 211
15:05:17.778548 IP 172.16.0.2.44321 > 239.0.0.2.694: UDP, length 206
====================================================================================================

■nmap
====================================================================================================
test# nmap -sU 203.0.113.1 -p 694,38781,53945
Starting Nmap 5.50 ( http://nmap.org ) at 2008-12-18 05:49 JST
Nmap scan report for 14.128.30.3
Host is up (0.00049s latency).
PORT STATE SERVICE
694/udp closed ha-cluster
38781/udp open|filtered unknown
53945/udp open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
====================================================================================================
test# nmap -sU 203.0.113.2 -p 694,33302,44321
Starting Nmap 5.50 ( http://nmap.org ) at 2008-12-18 05:49 JST
Nmap scan report for 14.128.30.4
Host is up (0.00066s latency).
PORT STATE SERVICE
694/udp closed ha-cluster
33302/udp open|filtered unknown
44321/udp open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.51 seconds
====================================================================================================

-- 
Tomoki BENIYA <beniy****@bit-i*****>
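As an added example (not part of the post or of Heartbeat itself), the check below parses `netstat -nap --udp` output, picks out heartbeat sockets bound to the 0.0.0.0 wildcard on ports other than 694, and emits iptables rules that drop those ports on the public interface only. The netstat text is a constructed sample modelled on the post; the interface name `eth0` and the `heartbeat` program match are assumptions from the post's setup.

```python
# Constructed sample, modelled on the hoge1 netstat output in the post,
# plus one unrelated socket to show that it is ignored.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 239.0.0.2:694 0.0.0.0:* 19246/heartbeat: wr
udp 0 0 239.0.0.1:694 0.0.0.0:* 19244/heartbeat: wr
udp 0 0 0.0.0.0:53945 0.0.0.0:* 19246/heartbeat: wr
udp 0 0 0.0.0.0:38781 0.0.0.0:* 19244/heartbeat: wr
udp 0 0 127.0.0.1:123 0.0.0.0:* 1234/ntpd
"""

PUBLIC_IFACE = "eth0"    # assumption: the interface the nmap scan reached
CLUSTER_PORT = 694       # udpport from ha.cf


def wildcard_heartbeat_ports(netstat_text, program="heartbeat"):
    """Return sorted (pid, port) pairs for UDP sockets owned by `program`
    that are bound to 0.0.0.0 on a port other than the cluster port.
    These are the ephemeral source ports the post saw as open|filtered."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # udp lines from `netstat -nap --udp` have no State column, so the
        # PID/Program field is index 5 ("19246/heartbeat:" in the sample)
        if len(fields) < 6 or fields[0] != "udp":
            continue
        local_addr, pid_prog = fields[3], fields[5]
        addr, _, port = local_addr.rpartition(":")
        if addr != "0.0.0.0" or program not in pid_prog:
            continue
        pid = int(pid_prog.split("/", 1)[0])
        port = int(port)
        if port != CLUSTER_PORT:
            found.add((pid, port))
    return sorted(found)


def iptables_rules(pid_ports, public_iface=PUBLIC_IFACE):
    """Build DROP rules for the wildcard-bound ports on the public interface,
    leaving the cluster interfaces (eth1/eth2 in the post) untouched."""
    return [
        f"iptables -A INPUT -i {public_iface} -p udp --dport {port} -j DROP"
        for _, port in pid_ports
    ]


if __name__ == "__main__":
    for rule in iptables_rules(wildcard_heartbeat_ports(SAMPLE_NETSTAT)):
        print(rule)
```

Because the high ports are chosen afresh each time heartbeat starts, rules keyed on a specific port number go stale after a restart; a rule that drops all inbound UDP on the public interface except what is explicitly allowed does not have that problem.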