[rabbitmq-discuss] Clustering behind a firewall

james.rivettcarnac at neo.com james.rivettcarnac at neo.com
Thu May 22 03:06:11 BST 2014 


I'm having some issues with clustering and a firewall.  During setup of the 
cluster over tcp, epmd opens a bunch of ephemeral ports > 30000 that vanish 
after the clustering is set up.  If my iptable rules DROP by default, these 
hang up on the tcp handshake.

I can't find any reference for ports like this being used. My 
inet_dist_listen_min/max work (when i turn off the firewall, the correct 
port is being used) but they have no effect on these random ports.


Some output:

[vagrant at queue1 ~]$ sudo iptables --list --verbose -n

Chain INPUT (policy DROP 61566 packets, 3702K bytes)

 pkts bytes target     prot opt in     out     source               
destination

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
 0.0.0.0/0           state NEW tcp dpts:9100:9105

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
 0.0.0.0/0           state NEW tcp dpts:25672:25682

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
 0.0.0.0/0           tcp dpt:25672

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
 0.0.0.0/0           tcp dpt:4369

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
 0.0.0.0/0           tcp dpt:443

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
 0.0.0.0/0           tcp dpt:80

   85  4616 ACCEPT     tcp  --  *      *       0.0.0.0/0           
 0.0.0.0/0           tcp dpt:22

95330   16M ACCEPT     tcp  --  *      *       0.0.0.0/0           
 0.0.0.0/0           tcp dpt:15672

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
 0.0.0.0/0           tcp dpt:5673

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
 0.0.0.0/0           tcp dpt:5672

    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0           
 0.0.0.0/0

    0     0 ACCEPT     all  --  *      *       192.168.50.3         
0.0.0.0/0



And for my netstat:


[vagrant at queue1 ~]$ sudo netstat

Active Internet connections (w/o servers)

Proto Recv-Q Send-Q Local Address               Foreign Address             
State

tcp        0      0 192.168.50.3:15672          192.168.50.1:56986         
 ESTABLISHED

tcp        0      0 192.168.50.3:15672          192.168.50.1:56983         
 ESTABLISHED

tcp        0      0 192.168.50.3:15672          192.168.50.1:56982         
 ESTABLISHED

tcp        0      1 192.168.50.3:48424          queue0.zombiehorde.loc:epmd 
SYN_SENT

tcp        0      0 192.168.50.3:15672          192.168.50.1:56342         
 ESTABLISHED

tcp        0      0 queue1.zombiehorde.loc:epmd queue1.zombiehorde.lo:42469 
ESTABLISHED

tcp        0      0 10.0.2.15:ssh               10.0.2.2:53317             
 ESTABLISHED

tcp        0      0 192.168.50.3:15672          192.168.50.1:56985         
 ESTABLISHED

tcp        0      0 queue1.zombiehorde.lo:42469 queue1.zombiehorde.loc:epmd 
ESTABLISHED

tcp        0      1 192.168.50.3:53772          queue0.zombiehorde.loc:epmd 
SYN_SENT



Note - the SYN_SENT (right when I restart the service, there are a bunch 
more of these.  I assume epmd throttles down the connection attempts after 
number of failed attempts)


Best regards,


James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20140521/addd7ca1/attachment.html>

More information about the rabbitmq-discuss mailing list