I'm having trouble locking down the nodes in a Galera cluster. I simply opened the required ports on each node and the cluster ran fine. I now want to restrict access further so that only the other nodes can talk to a given node, and I decided to set up a zone for this. When I use that zone, the node can't leave the cluster cleanly or rejoin it. I have to switch back to my old zone to get it working again. I'm not very familiar with firewall rules, so I assume I did something wrong when setting up the zone; any advice would be much appreciated.
I'm using AlmaLinux 8, MariaDB 10.6 and Firewalld.
Here is a copy of my zone XML file (I have changed the IPs):
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
<short>A_Node</short>
<description>Zone for node of Galera Cluster</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="cockpit"/>
<!-- Node A Rules -->
<rule family="ipv4">
<source address="3.3.3.3"/>
<service name="mysql"/>
</rule>
<rule family="ipv4">
<source address="3.3.3.3"/>
<port port="3306" protocol="tcp"/>
</rule>
<rule family="ipv4">
<source address="3.3.3.3"/>
<port port="4444" protocol="tcp"/>
</rule>
<rule family="ipv4">
<source address="3.3.3.3"/>
<port port="4567" protocol="tcp"/>
</rule>
<rule family="ipv4">
<source address="3.3.3.3"/>
<port port="4567" protocol="udp"/>
</rule>
<rule family="ipv4">
<source address="3.3.3.3"/>
<port port="4568" protocol="tcp"/>
</rule>
<!-- Node B Rules -->
<rule family="ipv4">
<source address="4.4.4.4"/>
<service name="mysql"/>
</rule>
<rule family="ipv4">
<source address="4.4.4.4"/>
<port port="3306" protocol="tcp"/>
</rule>
<rule family="ipv4">
<source address="4.4.4.4"/>
<port port="4444" protocol="tcp"/>
</rule>
<rule family="ipv4">
<source address="4.4.4.4"/>
<port port="4567" protocol="tcp"/>
</rule>
<rule family="ipv4">
<source address="4.4.4.4"/>
<port port="4567" protocol="udp"/>
</rule>
<rule family="ipv4">
<source address="4.4.4.4"/>
<port port="4568" protocol="tcp"/>
</rule>
<!-- Node C Rules -->
<rule family="ipv4">
<source address="5.5.5.5"/>
<service name="mysql"/>
</rule>
<rule family="ipv4">
<source address="5.5.5.5"/>
<port port="3306" protocol="tcp"/>
</rule>
<rule family="ipv4">
<source address="5.5.5.5"/>
<port port="4444" protocol="tcp"/>
</rule>
<rule family="ipv4">
<source address="5.5.5.5"/>
<port port="4567" protocol="tcp"/>
</rule>
<rule family="ipv4">
<source address="5.5.5.5"/>
<port port="4567" protocol="udp"/>
</rule>
<rule family="ipv4">
<source address="5.5.5.5"/>
<port port="4568" protocol="tcp"/>
</rule>
<!-- Node D Rules -->
<rule family="ipv4">
<source address="6.6.6.6"/>
<service name="mysql"/>
</rule>
<rule family="ipv4">
<source address="6.6.6.6"/>
<port port="3306" protocol="tcp"/>
</rule>
<rule family="ipv4">
<source address="6.6.6.6"/>
<port port="4444" protocol="tcp"/>
</rule>
<rule family="ipv4">
<source address="6.6.6.6"/>
<port port="4567" protocol="tcp"/>
</rule>
<rule family="ipv4">
<source address="6.6.6.6"/>
<port port="4567" protocol="udp"/>
</rule>
<rule family="ipv4">
<source address="6.6.6.6"/>
<port port="4568" protocol="tcp"/>
</rule>
</zone>
I solved the problem: my rules were missing the <accept/> tag.
<rule family="ipv4">
<source address="1.1.1.1/24"/>
<port port="3306" protocol="tcp"/>
<accept/>
</rule>
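As an added example (not from the original post), a small Python check that parses a firewalld zone file, lists every rich rule that has no action element (accept, reject, drop or mark), and returns a copy with <accept/> inserted where it is missing. The inline sample zone is a constructed, trimmed version of the one above.

```python
import xml.etree.ElementTree as ET

# firewalld rich-rule action elements; a <rule> without one of these
# matches traffic but never decides what to do with it
ACTIONS = {"accept", "reject", "drop", "mark"}

# Constructed sample: one node's rules, shortened from the question's zone.
# The first rule is missing <accept/>, the second has it.
SAMPLE_ZONE = """<zone target="DROP">
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="3306" protocol="tcp"/>
  </rule>
  <rule family="ipv4">
    <source address="3.3.3.3"/>
    <port port="4567" protocol="udp"/>
    <accept/>
  </rule>
</zone>
"""

def describe(rule):
    """Human-readable summary of what a rich rule matches."""
    src = rule.find("source")
    port = rule.find("port")
    svc = rule.find("service")
    parts = []
    if src is not None:
        parts.append("source " + src.get("address", "?"))
    if port is not None:
        parts.append(f"port {port.get('port')}/{port.get('protocol')}")
    if svc is not None:
        parts.append("service " + svc.get("name", "?"))
    return ", ".join(parts) or "(no match elements)"

def rules_without_action(zone_xml):
    """Return a description of every <rule> lacking an action element."""
    root = ET.fromstring(zone_xml)
    return [describe(r) for r in root.findall("rule")
            if not any(child.tag in ACTIONS for child in r)]

def add_missing_accept(zone_xml):
    """Return the zone XML with <accept/> appended to each action-less rule."""
    root = ET.fromstring(zone_xml)
    for r in root.findall("rule"):
        if not any(child.tag in ACTIONS for child in r):
            ET.SubElement(r, "accept")
    return ET.tostring(root, encoding="unicode")
```

Run rules_without_action() against /etc/firewalld/zones/<zone>.xml before `firewall-cmd --reload`; with a DROP target, an action-less rule leaves the matched cluster ports closed exactly as described in the question.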