Riak, firewalls and inter-node communication.

Ciprian Manea ciprian at basho.com
Fri Apr 10 08:13:25 EDT 2015

Hi Jason,

It is possible to restrict Erlang to one TCP port per node for internal
communication, but you would need to make sure no other service will bind
(by mistake) to the same port. Another option would be to allocate a wider
range (2000 suggested in the docs) and let Erlang bind to any port in the
range if other services have made their claims before Erlang started.

Additionally you would need to open also TCP:4369 (epmd), TCP:8099
(handoff), plus depending on your configuration (i.e. using MDC?), port:
9080 (cluster manager)


On Fri, Apr 10, 2015 at 1:16 AM, Jason Greathouse <
jason.greathouse at leankit.com> wrote:

> I'm working in an environment where the servers don't have access to each
> other by default, so we have to setup network ACLs.  For most of the ports
> this is pretty straight forward, but I can't find a good explanation on the
> inter-Erlang communication ports.
> I've read through this document:
> http://docs.basho.com/riak/latest/ops/advanced/security/#Inter-node-Communication
> I see that its possible to limit the port range to a specific range though
> the riak.conf
> erlang.distribution.port_range.minimum = 6000
> erlang.distribution.port_range.maximum = 7999
> What I'm looking for is "What is the trade off of limiting the port
> range?"
> Is 2000 ports enough? Can I limit it to 5 (one per cluster node)? How
> about just one port?
> Thanks,
> *Jason Greathouse*
> Sr. Systems Engineer
> *[image: LeanKitlogo] <https://leankit.com/>*
> _______________________________________________
> riak-users mailing list
> riak-users at lists.basho.com
> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.basho.com/pipermail/riak-users_lists.basho.com/attachments/20150410/7826642c/attachment-0002.html>

More information about the riak-users mailing list