Firewalls and Ports
Make sure your port settings are configured correctly for firewalls.
There are several different port settings that need to be considered when using firewalls:
- Cache server port. This is the port that the cache server listens on for client connections. It is configurable using the cache-server element in cache.xml, on the CacheServer class in the Java API, and as the --port option to the gfsh start server command. By default, if not otherwise specified, a cache server listens on port 40404, and clients connect to servers on that port.
- Locator port. GemFire clients can use the locator to automatically discover cache servers. The locator port is configurable as the --port option to the gfsh start locator command. Locators are used in peer-to-peer cache deployments to discover other members, and clients can use them to locate servers as an alternative to configuring clients with a list of server addresses and ports. By default, if not otherwise specified, a locator listens on port 10334 (the same number as the default multicast port).
- Since locators start up the distributed system, locators must also have their ephemeral port range and TCP port accessible to other members through the firewall.
- For clients, you configure the client to connect to servers using the client's pool configuration. The client's pool configuration has two options: you can create a pool with either a list of server elements or a list of locator elements. For each element, you specify the host and port. The ports specified must be made accessible through your firewall.
Limiting Ephemeral Ports for Peer-to-Peer Membership
By default, GemFire assigns ephemeral ports, that is, temporary ports taken from a designated range, and that range can cover a large number of ports. When a firewall is present, the ephemeral port range (membership-port-range) usually must be narrowed to a much smaller number of ports, for example six. If you are configuring peer-to-peer communication through a firewall, you must also set a fixed tcp-port for each process (the default of 0 picks an ephemeral port) and ensure that UDP traffic on the membership port range is allowed through the firewall, since that range carries unicast UDP messaging as well as TCP failure detection.
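The settings described above, as an added example that is not part of the GemFire documentation or product: a small bash script that reads a constructed gemfire.properties (mcast-port=0, a fixed tcp-port, a six-port membership-port-range and a locators list) and prints the iptables-style rules the firewall would need, without applying anything. The property names are the real GemFire properties; the host names locator1 and locator2, the port numbers and the rule text are assumptions chosen for illustration, and the cache server port is passed as an argument because it is set in cache.xml or on the gfsh command line rather than in gemfire.properties.

```shell
#!/usr/bin/env bash
# Added example (not GemFire's own code): derive the firewall openings a
# GemFire member needs from its gemfire.properties.  Property names are the
# real GemFire properties; host names, port numbers and the rule format are
# illustrative assumptions.
set -eu

# Constructed sample configuration for a member behind a firewall: multicast
# disabled, fixed peer-to-peer TCP port, membership range narrowed to six ports.
write_sample_properties() {
  cat > "$1" <<'EOF'
# constructed sample gemfire.properties (not from a real deployment)
mcast-port=0
locators=locator1[10334],locator2[10334]
tcp-port=41000
membership-port-range=41001-41006
conserve-sockets=false
EOF
}

# prop FILE KEY -> value of KEY in a Java-style properties file (empty if unset)
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# gemfire_firewall_rules PROPERTIES_FILE CACHE_SERVER_PORT
# Prints one iptables-style ACCEPT rule per port that must be reachable.
# Nothing is applied; review the output before feeding it to firewall tooling.
gemfire_firewall_rules() {
  local file="$1" server_port="$2"
  local tcp_port range mcast locators
  tcp_port=$(prop "$file" tcp-port)
  range=$(prop "$file" membership-port-range)
  mcast=$(prop "$file" mcast-port)
  locators=$(prop "$file" locators)

  # 1. Peer-to-peer cache communication on the fixed tcp-port.  A value of 0
  #    (the default) means "pick an ephemeral port", which cannot be opened.
  if [ -z "$tcp_port" ] || [ "$tcp_port" = "0" ]; then
    echo "WARNING: tcp-port is unset or 0; set a fixed tcp-port before writing rules" >&2
  else
    echo "-A INPUT -p tcp --dport $tcp_port -j ACCEPT   # tcp-port (P2P cache traffic)"
  fi

  # 2. Membership range: unicast UDP messaging and TCP failure detection share
  #    it, so both protocols must be allowed across the whole range.
  if [ -n "$range" ]; then
    local lo hi
    lo=${range%-*}; hi=${range#*-}
    echo "-A INPUT -p udp --dport $lo:$hi -j ACCEPT   # membership-port-range (UDP unicast)"
    echo "-A INPUT -p tcp --dport $lo:$hi -j ACCEPT   # membership-port-range (TCP failure detection)"
  fi

  # 3. Multicast discovery only when enabled (mcast-port non-zero).
  if [ -n "$mcast" ] && [ "$mcast" != "0" ]; then
    echo "-A INPUT -p udp --dport $mcast -j ACCEPT   # mcast-port (multicast discovery)"
  fi

  # 4. Each locator this member contacts, from the host[port],host[port] list.
  #    Emitted as OUTPUT rules because the member connects outward to locators.
  local entry host port
  for entry in $(echo "$locators" | tr ',' ' '); do
    host=${entry%%\[*}
    port=${entry#*\[}; port=${port%\]}
    echo "-A OUTPUT -p tcp -d $host --dport $port -j ACCEPT   # locator"
  done

  # 5. Client-facing cache server port (from cache.xml or gfsh, not properties).
  echo "-A INPUT -p tcp --dport $server_port -j ACCEPT   # cache server port (client traffic)"
}

# Usage: write the sample file and show the rules it implies for a server on 40404.
tmp=$(mktemp)
write_sample_properties "$tmp"
gemfire_firewall_rules "$tmp" 40404
rm -f "$tmp"
```

The same properties file can be handed to a member with the --properties-file option of gfsh start server or gfsh start locator; the locator itself would additionally need an INPUT rule for its own listening port, which this script only emits from the client side of the locators list.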
Properties for Firewall and Port Configuration
The following tables list the properties and settings potentially involved in firewall behavior, with a brief description of each. See the gemfire.properties and gfsecurity.properties (GemFire Properties) reference topic for full details of each property.

Configuration area | Property or Setting | Definition
---|---|---
peer-to-peer config | conserve-sockets | Specifies whether sockets are shared by the system member's threads.
peer-to-peer config | locators | The list of locators used by system members. The list must be configured consistently for every member of the distributed system.
peer-to-peer config | mcast-address | Address used to discover other members of the distributed system. Only used if mcast-port is non-zero. This attribute must be consistent across the distributed system.
peer-to-peer config | mcast-port | Port used, along with the mcast-address, for multicast communication with other members of the distributed system. If zero, multicast is disabled for member discovery and distribution.
peer-to-peer config | membership-port-range | The range of ephemeral ports available for unicast UDP messaging and for TCP failure detection in the peer-to-peer distributed system.
peer-to-peer config | tcp-port | The TCP port to listen on for cache communications.
Configuration area | Property or Setting | Definition
---|---|---
cache server config | hostname-for-clients (cache.xml) or --hostname-for-clients parameter to the gfsh start server command | Hostname or IP address to pass to the client as the location where the server is listening.
cache server config | max-connections (cache.xml) or --max-connections parameter to the gfsh start server command | Maximum number of client connections for the server. When the maximum is reached, the server refuses additional client connections.
cache server config | port (cache.xml) or --port parameter to the gfsh start server command | Port that the server listens on for client communication.
Default Port Configurations
Port Name | Related Configuration Setting | Default Port
---|---|---
Cache Server | port (cache.xml) | 40404
HTTP | http-service-port | 7070
Locator | start-locator (for embedded locators) or --port parameter to the gfsh start locator command | 10334, used if no port is specified on startup or in the start-locator property (the same number as the default multicast port)
Membership Port Range | membership-port-range | 1024 to 65535
Memcached Port | memcached-port | not set
Multicast | mcast-port | 10334
RMI | jmx-manager-port | 1099
TCP | tcp-port | ephemeral port (tcp-port=0)