...

This setup uses firewalld to implement the firewall configuration. On wifimon-kibana.example.org, two rich rules allow access for the cluster nodes and the cluster components. On every other node a custom "wifimon" zone is created to hold the node-specific configuration. On wifimon-kibana.example.org, additional configuration is placed in the public zone to allow access to the Kibana platform and to the cluster components.

On wifimon-kibana.example.org:

Code Block
firewall-cmd --zone=public --list-ports 
5601/tcp

firewall-cmd --zone=public --list-rich-rules 
rule family="ipv4" source ipset="wifimon-nodes" port port="9300" protocol="tcp" accept
rule family="ipv4" source ipset="wifimon-components" port port="9200" protocol="tcp" accept

firewall-cmd --ipset=wifimon-nodes --get-entries
10.0.0.1
10.0.0.2
10.0.0.3

firewall-cmd --ipset=wifimon-components --get-entries
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.5
10.10.10.111
192.168.1.15
NOTE: In the wifimon-components ipset, 10.10.10.111 and 192.168.1.15 are the IPs of the servers where the Filebeat agents are installed (see the configuration of wifimon-logstash.example.org below). The IPs of the other components are described in the section 04 Streaming Logs Into ELK Cluster.

On wifimon-node1.example.org:

Code Block
firewall-cmd --zone=wifimon --list-ports 
9300/tcp

firewall-cmd --zone=wifimon --list-sources
10.0.0.2/32 10.0.0.3/32 10.0.0.4/32

On wifimon-node2.example.org:

Code Block
firewall-cmd --zone=wifimon --list-ports 
9300/tcp

firewall-cmd --zone=wifimon --list-sources
10.0.0.1/32 10.0.0.2 10.0.0.3/32 10.0.0.4/32

On wifimon-node3.example.org:

Code Block
firewall-cmd --zone=wifimon --list-ports 
9300/tcp

firewall-cmd --zone=wifimon --list-sources
10.0.0.1/32 10.0.0.2/32 10.0.0.3 10.0.0.4/32

On wifimon-logstash.example.org:

Code Block
firewall-cmd --zone=wifimon --list-ports 
5044/tcp

firewall-cmd --zone=wifimon --list-sources
10.10.10.111/32 192.168.1.15/32
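The listings above show the desired end state of each node's firewall, but not how to check a running node against it. The following Python helper is an added example, not part of the WiFiMon documentation: it parses the output of `firewall-cmd --list-ports` and `firewall-cmd --list-rich-rules` (in the exact format printed above), compares it with a documented allow-list so that configuration drift (for example a port opened to every source instead of to an ipset) is reported, and renders the permanent firewalld XML for a zone and an ipset as they are stored under /etc/firewalld/zones and /etc/firewalld/ipsets. The sample outputs and the "drifted" listing are constructed from the values on this page; the function names are this example's own.

```python
"""Audit and render the firewalld configuration documented for the WiFiMon cluster.

Added example (not WiFiMon's own code). Sample data below is constructed from
the firewall-cmd listings shown on this page.
"""
import re
from xml.etree import ElementTree as ET

# One rich rule as printed by `firewall-cmd --zone=<zone> --list-rich-rules`, e.g.
#   rule family="ipv4" source ipset="wifimon-nodes" port port="9300" protocol="tcp" accept
RICH_RULE_RE = re.compile(
    r'^rule family="(?P<family>ipv4|ipv6)"'
    r'(?: source (?:ipset="(?P<ipset>[^"]+)"|address="(?P<address>[^"]+)"))?'
    r' port port="(?P<port>\d+)" protocol="(?P<proto>tcp|udp)"'
    r' (?P<action>accept|reject|drop)$'
)


def parse_rich_rule(line):
    """Parse one rich-rule line into a dict; raise on anything unexpected."""
    m = RICH_RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rich rule: {line!r}")
    rule = m.groupdict()
    rule["port"] = int(rule["port"])
    return rule


def audit_zone(list_ports_output, list_rich_rules_output, allowed):
    """Compare a zone's live state with a documented allow-list.

    allowed: set of (port, proto, ipset) triples; ipset is None for a plain
    `--add-port` entry, which is reachable from every source in the zone.
    Returns (unexpected, missing): openings that are live but not documented,
    and documented openings that are not live.
    """
    live = set()
    for token in list_ports_output.split():
        port, proto = token.split("/")
        live.add((int(port), proto, None))
    for line in list_rich_rules_output.splitlines():
        if line.strip():
            rule = parse_rich_rule(line)
            if rule["action"] == "accept":
                live.add((rule["port"], rule["proto"], rule["ipset"]))
    # key=str because tuples mixing None and str are not directly orderable
    return sorted(live - allowed, key=str), sorted(allowed - live, key=str)


def render_zone_xml(name, sources=(), ports=(), rich_rules=()):
    """Render /etc/firewalld/zones/<name>.xml for a zone such as "wifimon".

    sources: CIDR strings (as shown by --list-sources); ports: (port, proto)
    tuples; rich_rules: ipset-based dicts as returned by parse_rich_rule.
    """
    zone = ET.Element("zone")
    ET.SubElement(zone, "short").text = name
    for src in sources:
        ET.SubElement(zone, "source", address=src)
    for port, proto in ports:
        ET.SubElement(zone, "port", port=str(port), protocol=proto)
    for r in rich_rules:
        rule = ET.SubElement(zone, "rule", family=r["family"])
        ET.SubElement(rule, "source", ipset=r["ipset"])
        ET.SubElement(rule, "port", port=str(r["port"]), protocol=r["proto"])
        ET.SubElement(rule, r["action"])
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(zone, encoding="unicode")


def render_ipset_xml(entries, ipset_type="hash:ip"):
    """Render /etc/firewalld/ipsets/<name>.xml for a list of host entries."""
    ipset = ET.Element("ipset", type=ipset_type)
    for entry in entries:
        ET.SubElement(ipset, "entry").text = entry
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(ipset, encoding="unicode")


# Constructed from the wifimon-kibana.example.org listings on this page.
KIBANA_PORTS = "5601/tcp"
KIBANA_RICH = (
    'rule family="ipv4" source ipset="wifimon-nodes" port port="9300" protocol="tcp" accept\n'
    'rule family="ipv4" source ipset="wifimon-components" port port="9200" protocol="tcp" accept\n'
)
KIBANA_ALLOWED = {
    (5601, "tcp", None),
    (9300, "tcp", "wifimon-nodes"),
    (9200, "tcp", "wifimon-components"),
}
# Constructed drift: 9200/tcp also added as a plain port, i.e. open to any source.
DRIFTED_PORTS = "5601/tcp 9200/tcp"

if __name__ == "__main__":
    print("documented state:", audit_zone(KIBANA_PORTS, KIBANA_RICH, KIBANA_ALLOWED))
    print("drifted state:   ", audit_zone(DRIFTED_PORTS, KIBANA_RICH, KIBANA_ALLOWED))
    print(render_zone_xml("wifimon", ["10.0.0.2/32", "10.0.0.3/32", "10.0.0.4/32"], [(9300, "tcp")]))
    print(render_ipset_xml(["10.0.0.1", "10.0.0.2", "10.0.0.3"]))
```

On a live node the two listings would be obtained with `firewall-cmd --zone=public --list-ports` and `firewall-cmd --zone=public --list-rich-rules` and fed to `audit_zone`; a non-empty "unexpected" list is the signal that a port is exposed more widely than the documentation intends.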

SSL/TLS Certificates

Cluster communication is secured with SSL/TLS encryption. The elasticsearch-certutil utility was used to generate a CA certificate, which in turn signs the certificates of the cluster components. This utility ships with the Elasticsearch installation; in this case the copy installed on the wifimon-kibana.example.org node was used.

...