how to setup the firewall for mpich

ztdep · 03-27-2015, 01:08 PM

Dear friends:
I setup a little clusters with opensuse 13.1, the parallel procedure can run successfully when i close the firewall on the head node(the head node is also a computation node),but when i open the firewall, it can not run anymore.
Could you please give me some idea about how to setup the firewall for this problem.
Regards

joe_2000 · 03-27-2015, 06:10 PM

Based on the information you are giving... I could recommend to you to configure the firewall such that the head node can talk to the other nodes...
Sorry if this sounded a bit polemic, but I hope it illustrates the point.

For us to be able to help you'll need to provide a lot more information as to how the firewall is set up, and what type of communication you want it to let through.

Maybe start with telling us what type of firewall you are using (I am assuming iptables?) and posting the configuration file(s) for it.
You might also look at your firewall logs to see what traffic is being blocked.

Also tell us what protocol the nodes are using to talk to each other, which ports are being used and which ip address range needs to be allowed.

ztdep · 03-27-2015, 09:44 PM

Quote:

Originally Posted by joe_2000

Based on the information you are giving... I could recommend to you to configure the firewall such that the head node can talk to the other nodes...
Sorry if this sounded a bit polemic, but I hope it illustrates the point.

For us to be able to help you'll need to provide a lot more information as to how the firewall is set up, and what type of communication you want it to let through.

Maybe start with telling us what type of firewall you are using (I am assuming iptables?) and posting the configuration file(s) for it.
You might also look at your firewall logs to see what traffic is being blocked.

Also tell us what protocol the nodes are using to talk to each other, which ports are being used and which ip address range needs to be allowed.

Thank you very much for your feedback and sorry for my incomplete information. opensuse use the iptables as firewall.
MPICH Interprocess communicationuse the standard UNIX mechanisms for allocating ports for intercommunication. Using this mechanism processes are given ports in the range of 1024--65535. I have 12 nodes from 192.168.1.1 to 192.168.1.12. Then how to let these nodes go through the firewall of node1 without being blocked.

joe_2000 · 03-28-2015, 08:57 AM

Unfortunately this information is still quite incomplete because you are not providing your firewall config. Hence it's hard to tell what rules are blocking the traffic. Let me give you an example. Below is a simplified version of my laptop's firewall script:

Code:

#!/bin/sh
# /etc/firewall/firewall.conf
#
# Iptables
FW="/sbin/iptables"

# Delete existing rules
$FW -F
$FW -X

# Standard rules
$FW -P INPUT   ACCEPT
$FW -P FORWARD ACCEPT
$FW -P OUTPUT  ACCEPT

# Allow incoming from lo (for Login Manager)
$FW -A INPUT -i lo -j ACCEPT
$FW -A OUTPUT -o lo -j ACCEPT

# Wall Chain for IPv4: Disallow incoming. This rule disallows initiating
# a connection. It does allow traffic once a connection is established.
$FW -N wall
$FW -A wall -m state --state ESTABLISHED,RELATED -j ACCEPT
$FW -A wall -j DROP

# Apply wall rule defined above for INPUT and FORWARD. Result: Remote hosts can answer my
# requests but cannot establish connections.
$FW -A INPUT -j wall
$FW -A FORWARD -j wall

Now, let's assume for a second that this firewall was running on your master. The result would be that the master could establish connections to the slave nodes, but not vice versa. Now let's say you wanted to allow inbound connections on the master on port 8888 (I am just choosing a random port number, because you are not telling me which one you want to use.) from within the 192.168.1.* network subnet. You could modify the firewall to something like this (untested!)

Code:

#!/bin/sh
# /etc/firewall/firewall.conf
#
# Iptables
FW="/sbin/iptables"

# Delete existing rules
$FW -F
$FW -X

# Standard rules
$FW -P INPUT   ACCEPT
$FW -P FORWARD ACCEPT
$FW -P OUTPUT  ACCEPT

# Allow incoming from lo (for Login Manager)
$FW -A INPUT -i lo -j ACCEPT
$FW -A OUTPUT -o lo -j ACCEPT

# Wall Chain for IPv4: Disallow incoming. This rule disallows initiating
# a connection. It does allow traffic once a connection is established.
$FW -N wall
$FW -A wall -m state --state ESTABLISHED,RELATED -j ACCEPT
$FW -A wall -j DROP

# Apply wall rule defined above for INPUT and FORWARD. Result: Remote hosts can answer my
# requests but cannot establish connections.
$FW -A INPUT -p tcp --dport 8888 -s 192.168.1.0/24 -j ACCEPT -m comment --comment "Allow inbound tcp on port 8888 from lan" 
$FW -A INPUT -j wall
$FW -A FORWARD -j wall

Now this modification makes a lot of assumptions. (TCP protocol, port number, direction of how connections are established etc...)
So for sure this is not an exact solution to your problem. But it should give you some pointers as to where you should look.
For more useful help, you must post your config, and provide more detailed info on the communication between nodes. (TCP / UDP ?) Port number ? ...

Alternatively, you could allow inbound traffic from 192.168.1.0/24 generally, i.e. for all ports / protocols. But if there is a firewall on that master node then probably it's there for a reason, so you want to make the "hole" in the wall as small as possible.