FAQ
From the discussion regarding the RAET firewall, it seems like the salt master
needs to open the 4506 and 4510 UDP ports.

And the salt minion sends messages via port 4510.

Below are the two questions.
1. Do we need to enable firewall UDP 4510 for salt minion?
From my testing, it seems like we must open it in iptables.

2. Does RAET support multiple salt minions behind firewall?
We have a bulk of servers which share the same outbound public IP behind the
firewall.

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


  • C. R. Oldham at Nov 28, 2014 at 1:29 am

    From the discussion regarding the RAET firewall, it seems like the salt master needs to open the 4506 and 4510 UDP ports.
    This is correct.
    And the salt minion sends messages via port 4510.
    Correct.
    Below are the two questions.
    1. Do we need to enable firewall UDP 4510 for salt minion?
    From my testing, it seems like we must open it in iptables.
    Yes.
    2. Does RAET support multiple salt minions behind firewall?
    We have a bulk of servers which share the same outbound public IP behind the firewall.
    Yes, I've been running this on a small scale and it works.

    --cro

  • Bruno binet at Nov 28, 2014 at 9:12 am

    On 28 November 2014 at 02:29, C. R. Oldham wrote:
    From the discussion regarding the RAET firewall, it seems like the salt master
    needs to open the 4506 and 4510 UDP ports.

    This is correct.

    And the salt minion sends messages via port 4510.

    Correct.

    Below are the two questions.
    1. Do we need to enable firewall UDP 4510 for salt minion?
    From my testing, it seems like we must open it in iptables.


    Yes.
    So you mean we must open UDP 4510 port inbound on the minion?

    That is problematic for me since it would not work anymore when the minions
    are connected through a 3G/4G USB stick which blocks all inbound ports.
    Are there any solutions to use RAET in this situation, or are we forced to
    stay with the zmq transport?

    2. Does RAET support multiple salt minions behind firewall?
    We have a bulk of servers which share the same outbound public IP behind the
    firewall.


    Yes, I've been running this on a small scale and it works.

    --cro

  • Wolodja Wentland at Nov 28, 2014 at 10:31 am

    On Thu, Nov 27, 2014 at 18:29 -0700, C. R. Oldham wrote:
    From the discussion regarding the RAET firewall, it seems like the salt master
    needs to open the 4506 and 4510 UDP ports.
    This is correct.

    And the salt minion sends messages via port 4510.
    Correct.

    Below are the two questions.
    1. Do we need to enable firewall UDP 4510 for salt minion?
    From my testing, it seems like we must open it in iptables.
    Yes.
    Is this INPUT or OUTPUT (or both) on the minion?
    2. Does RAET support multiple salt minions behind firewall?
    We have a bulk of servers which share the same outbound public IP behind the
    firewall.
    Yes, I've been running this on a small scale and it works.
    This should probably be documented in
    http://docs.saltstack.com/en/latest/topics/tutorials/firewall.html
    --
    Wolodja Wentland <babilen@gmail.com>

    4096R/CAF14EFC
    081C B7CD FF04 2BA9 94EA 36B2 8B7F 7D30 CAF1 4EFC

  • Xiangjun Wu at Nov 30, 2014 at 3:30 pm

    On Friday, November 28, 2014 6:31:05 PM UTC+8, Wolodja Wentland wrote:
    On Thu, Nov 27, 2014 at 18:29 -0700, C. R. Oldham wrote:
    From the discussion regarding the RAET firewall, it seems like the salt master
    needs to open the 4506 and 4510 UDP ports.
    This is correct.

    And the salt minion sends messages via port 4510.
    Correct.

    Below are the two questions.
    1. Do we need to enable firewall UDP 4510 for salt minion?
    From my testing, it seems like we must open it in iptables.
    Yes.
    Is this INPUT or OUTPUT (or both) on the minion?
    Just INPUT on UDP 4510.
    2. Does RAET support multiple salt minions behind firewall?
    We have a bulk of servers which share the same outbound public IP
    behind the firewall.
    Yes, I've been running this on a small scale and it works.
    This should probably be documented in
    http://docs.saltstack.com/en/latest/topics/tutorials/firewall.html
    --
    Wolodja Wentland <bab...@gmail.com>

    4096R/CAF14EFC
    081C B7CD FF04 2BA9 94EA 36B2 8B7F 7D30 CAF1 4EFC
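The port requirements stated in the replies above (master: UDP 4506 and 4510; minion: INPUT on UDP 4510), as an added example that is not part of any post: a POSIX shell helper that prints iptables-restore rules admitting those ports from a single peer instead of from any source. The function names, the peer addresses and the source restriction itself are assumptions of this example; it only prints rules and never loads them.

```shell
#!/bin/sh
# Added example, not from the thread: print (never apply) iptables-restore
# rules for the RAET UDP ports the posts name, limited to one peer address.

RAET_MASTER_PORTS="4506 4510"   # thread: master opens UDP 4506 and 4510
RAET_MINION_PORTS="4510"        # thread: minion needs INPUT on UDP 4510

# valid_ipv4_cidr ADDR: succeed only for a.b.c.d with an optional /0-32.
# Rejecting everything else keeps shell or rule syntax out of the output.
valid_ipv4_cidr() {
    v_addr=${1%/*}; v_prefix=32
    case $1 in */*) v_prefix=${1#*/} ;; esac
    case $v_prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$v_prefix" -le 32 ] || return 1
    case $v_addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    v_ifs=$IFS; IFS=.; set -- $v_addr; IFS=$v_ifs
    [ $# -eq 4 ] || return 1
    for v_octet in "$@"; do
        [ "${#v_octet}" -le 3 ] && [ "$v_octet" -le 255 ] || return 1
    done
}

# raet_rules ROLE PEER
#   ROLE  master | minion
#   PEER  only source allowed in: the master's address for a minion; for a
#         master, the minions' network or the public address of their NAT.
raet_rules() {
    r_role=$1; r_peer=$2
    case $r_role in
        master) r_ports=$RAET_MASTER_PORTS ;;
        minion) r_ports=$RAET_MINION_PORTS ;;
        *) echo "role must be master or minion" >&2; return 2 ;;
    esac
    valid_ipv4_cidr "$r_peer" || { echo "bad source: $r_peer" >&2; return 2; }
    echo "*filter"
    for r_port in $r_ports; do
        echo "-A INPUT -p udp -s $r_peer --dport $r_port -j ACCEPT"
    done
    echo "COMMIT"
}

# 203.0.113.10 is a documentation address standing in for the master.
# Syntax-check on the host with: ... | iptables-restore --noflush --test
raet_rules minion 203.0.113.10
```

The rules only have an effect where the INPUT chain otherwise drops unsolicited UDP; with an accept-all policy the ports are already reachable from anywhere.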
  • C. R. Oldham at Dec 8, 2014 at 2:37 pm

    Is this INPUT or OUTPUT (or both) on the minion?
    Just INPUT on UDP 4510.
    Just to followup, RAET will eventually support 'UDP hole punching' that will obviate the need for an inbound port on the minion. It won't be finished for a while yet.

    --cro


  • Bruno binet at Dec 8, 2014 at 8:37 pm
    That would be great! (this is the only thing that prevents me from using
    RAET)
    On 8 December 2014 at 15:37, C. R. Oldham wrote:

    Is this INPUT or OUTPUT (or both) on the minion?
    Just INPUT on UDP 4510.


    Just to followup, RAET will eventually support 'UDP hole punching' that
    will obviate the need for an inbound port on the minion. It won't be
    finished for a while yet.

    --cro


  • Xiangjun Wu at Nov 30, 2014 at 4:15 pm

    On Friday, November 28, 2014 9:29:22 AM UTC+8, C. R. Oldham wrote:

    From the discussion regarding the RAET firewall, it seems like the salt master
    needs to open the 4506 and 4510 UDP ports.

    This is correct.

    And the salt minion sends messages via port 4510.

    Correct.

    Below are the two questions.
    1. Do we need to enable firewall UDP 4510 for salt minion?
    From my testing, it seems like we must open it in iptables.

    Yes.

    2. Does RAET support multiple salt minions behind firewall?
    We have a bulk of servers which share the same outbound public IP behind the
    firewall.

    Yes, I've been running this on a small scale and it works.
    I have some Hadoop nodes deployed behind an AWS VPC, which can access the internet
    via a NAT instance. I've opened UDP 4510 for INPUT for the NAT instance in the
    security group configuration.
    But I know we need certain NAT configuration in the iptables chain on the NAT
    instance to pass incoming packets from the NAT to the Hadoop node.
    Can you suggest the configuration logic? I think RAET cannot support my
    scenario.

    --cro

Discussion Overview
group: salt-users
posted: Nov 28, '14 at 12:50a
active: Dec 8, '14 at 8:37p
posts: 8
users: 4
