
Configure Windows netsh Firewall for Self-Managed Deployments

On Windows Server systems, the netsh program provides methods for managing the Windows Firewall. Firewall rules let administrators control which hosts can connect to the system, and reduce risk exposure by limiting the set of hosts that can reach it.

This document outlines basic Windows Firewall configurations. Use these approaches as a starting point for your broader network security organization. For a detailed overview of security practices and risk management for MongoDB, see Security.

See also:

Windows Firewall documentation from Microsoft.

Windows Firewall processes rules in an order determined by rule type, evaluating them in the following order:

  1. Windows Service Hardening

  2. Connection security rules

  3. Authenticated Bypass Rules

  4. Block Rules

  5. Allow Rules

  6. Default Rules

By default, the policy in Windows Firewall allows all outbound connections and blocks all incoming connections.

Given the default ports of all MongoDB processes, you must configure network rules that permit only the required communication between your application and the appropriate mongod.exe and mongos.exe instances.

The configuration changes outlined in this document create rules that explicitly allow traffic from specific addresses and on specific ports, on top of a default policy that drops all traffic that is not explicitly allowed.

You can configure the Windows Firewall using the netsh command line tool or through a Windows application. On Windows Server 2008 this application is Windows Firewall with Advanced Security in Administrative Tools. On previous versions of Windows Server, access the Windows Firewall application in the System and Security control panel.

The procedures in this document use the netsh command line tool.

This section contains a number of patterns and examples for configuring Windows Firewall for use with MongoDB deployments. If you have configured different ports using the port configuration setting, you will need to modify the rules accordingly.

This pattern is applicable to all mongod.exe instances running as standalone instances or as part of a replica set. The goal of this pattern is to explicitly allow traffic to the mongod.exe instance from the application server.

netsh advfirewall firewall add rule name="Open mongod port 27017" dir=in action=allow protocol=TCP localport=27017

This rule allows all incoming traffic to port 27017 (from any remote address, since the rule specifies no remoteip restriction), which allows the application server to connect to the mongod.exe instance.

Windows Firewall also allows enabling network access for an entire application rather than to a specific port, as in the following example:

netsh advfirewall firewall add rule name="Allowing mongod" dir=in action=allow program="C:\Program Files\MongoDB\Server\3.4\bin\mongod.exe"

You can allow all access for a mongos.exe server, with the following invocation:

netsh advfirewall firewall add rule name="Allowing mongos" dir=in action=allow program="C:\Program Files\MongoDB\Server\3.4\bin\mongos.exe"

mongos.exe instances provide query routing for sharded clusters. Clients connect to mongos.exe instances, which behave from the client's perspective as mongod.exe instances. In turn, the mongos.exe connects to all mongod.exe instances that are components of the sharded cluster.

Use the same Windows Firewall command to allow traffic to and from these instances as you would from the mongod.exe instances that are members of the replica set.

netsh advfirewall firewall add rule name="Open mongod shard port 27018" dir=in action=allow protocol=TCP localport=27018

Configuration servers host the config database that stores metadata for sharded clusters. Each production cluster has three configuration servers, started using the mongod --configsvr option. [1] Configuration servers listen for connections on port 27019. As a result, add the following Windows Firewall rule to each config server to allow incoming and outgoing connections on port 27019, for connections to the other config servers.

netsh advfirewall firewall add rule name="Open mongod config svr port 27019" dir=in action=allow protocol=TCP localport=27019

Additionally, config servers need to allow incoming connections from all mongos.exe instances in the cluster and all mongod.exe instances in the cluster. Add rules similar to the following:

netsh advfirewall firewall add rule name="Open mongod config svr inbound" dir=in action=allow protocol=TCP remoteip=<ip-address> localport=27019

Replace <ip-address> with the addresses of the mongos.exe instances and the shard mongod.exe instances.

[1] You can also run a config server by using the configsvr value for the clusterRole setting in a configuration file.

For shard servers, running as mongod --shardsvr [2], the default port number is 27018 when running with the shardsvr value for the clusterRole setting, so you must configure the following Windows Firewall rules to allow traffic to and from each shard:

netsh advfirewall firewall add rule name="Open mongod shardsvr inbound" dir=in action=allow protocol=TCP remoteip=<ip-address> localport=27018
netsh advfirewall firewall add rule name="Open mongod shardsvr outbound" dir=out action=allow protocol=TCP remoteip=<ip-address> localport=27018

Replace the <ip-address> specification with the IP address of all mongod.exe instances. This permits incoming and outgoing traffic between all shards, including constituent replica set members, to:

  • all mongod.exe instances in the shard's replica sets.

  • all mongod.exe instances in other shards. [3]

Additionally, shards need to be able to make outbound connections to:

Create a rule that resembles the following, and replace <ip-address> with the address of the config servers and the mongos.exe instances:

netsh advfirewall firewall add rule name="Open mongod config svr outbound" dir=out action=allow protocol=TCP remoteip=<ip-address> localport=27018

[2] You can also specify the shard server option with the shardsvr value for the clusterRole setting in the configuration file. Shard members are also often conventional replica sets using the default port.

[3] All shards in a cluster need to be able to communicate with all other shards to facilitate chunk and balancing operations.

The mongostat diagnostic tool, when run with the --discover option, needs access to all components of a cluster, including the config servers, the shard servers, and the mongos.exe instances.
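As an added example (not part of the MongoDB documentation), the following PowerShell script applies the patterns above to one host of a sharded cluster, restricting every rule to known peer addresses instead of any source. The address lists, the role value and the function names are assumptions; the script also uses remoteport for outbound rules, since localport on an outbound rule only matches the ephemeral source port of connections the host opens.

```powershell
# Added example, not from the MongoDB docs. Applies the page's patterns to one
# host of a sharded cluster using source-restricted netsh rules.
# All addresses are constructed placeholders; replace them with your cluster's.
$AppServers    = @('10.0.1.10', '10.0.1.11')              # application tier
$MongosHosts   = @('10.0.2.10', '10.0.2.11')              # query routers, port 27017
$ConfigServers = @('10.0.3.10', '10.0.3.11', '10.0.3.12') # config servers, port 27019
$ShardHosts    = @('10.0.4.10', '10.0.4.11', '10.0.4.12') # shard members, port 27018

# Keep the default policy the page describes: block inbound, allow outbound.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

function Add-MongoInboundRule {
    # Inbound: match the listening (local) port and restrict to known peers.
    param([string]$Name, [int]$Port, [string[]]$RemoteIp)
    $remote = $RemoteIp -join ','   # netsh accepts a comma-separated remoteip list
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow protocol=TCP localport=$Port remoteip=$remote
}

function Add-MongoOutboundRule {
    # Outbound: the destination port is the remote port. localport would be the
    # ephemeral source port and would not match connections this host initiates.
    param([string]$Name, [int]$Port, [string[]]$RemoteIp)
    $remote = $RemoteIp -join ','
    netsh advfirewall firewall add rule name="$Name" dir=out action=allow protocol=TCP remoteport=$Port remoteip=$remote
}

$Role = 'shardsvr'   # assumed role of this host: mongos, configsvr or shardsvr
switch ($Role) {
    'mongos' {
        Add-MongoInboundRule -Name 'MongoDB mongos 27017 from app tier' -Port 27017 -RemoteIp $AppServers
    }
    'configsvr' {
        # Config servers accept connections from mongos, shards and the other config servers.
        Add-MongoInboundRule -Name 'MongoDB configsvr 27019 from cluster' -Port 27019 `
            -RemoteIp ($MongosHosts + $ShardHosts + $ConfigServers)
    }
    'shardsvr' {
        # Shards accept connections from mongos and from all shard members, and
        # open connections to the config servers and mongos instances.
        Add-MongoInboundRule -Name 'MongoDB shardsvr 27018 from cluster' -Port 27018 `
            -RemoteIp ($MongosHosts + $ShardHosts)
        Add-MongoOutboundRule -Name 'MongoDB shardsvr to configsvr 27019' -Port 27019 -RemoteIp $ConfigServers
        Add-MongoOutboundRule -Name 'MongoDB shardsvr to mongos 27017' -Port 27017 -RemoteIp $MongosHosts
    }
}

# Verify the created rules, including their RemoteIP scope (English netsh output assumed).
netsh advfirewall firewall show rule name=all | Select-String -Pattern '^Rule Name:\s+MongoDB' -Context 0,10
```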

This section contains a number of basic operations for managing and using netsh. While you can use the GUI front ends to manage the Windows Firewall, all core functionality is accessible from netsh.

To delete the firewall rule allowing mongod.exe traffic:

netsh advfirewall firewall delete rule name="Open mongod port 27017" protocol=tcp localport=27017
netsh advfirewall firewall delete rule name="Open mongod shard port 27018" protocol=tcp localport=27018

To return a list of all Windows Firewall rules:

netsh advfirewall firewall show rule name=all

To reset the Windows Firewall rules:

netsh advfirewall reset

To simplify administration of larger systems, you can export or import Windows Firewall rules.

  • To export all Windows Firewall rules, run the following command:

    netsh advfirewall export "C:\temp\MongoDBfw.wfw"

    Replace "C:\temp\MongoDBfw.wfw" with a path of your choosing.

  • To import Windows Firewall rules, run the following command:

    netsh advfirewall import "C:\temp\MongoDBfw.wfw"

    Replace "C:\temp\MongoDBfw.wfw" with the path to the file that contains your Windows Firewall rules.