netsh Firewall for MongoDBnetsh防火墙On this page本页内容
On Windows Server systems, the 在Windows Server系统上,netsh program provides methods for managing the Windows Firewall. netsh程序提供了管理Windows防火墙的方法。These firewall rules make it possible for administrators to control what hosts can connect to the system, and limit risk exposure by limiting the hosts that can connect to a system.这些防火墙规则使管理员能够控制哪些主机可以连接到系统,并通过限制可以连接到系统的主机来限制风险暴露。
This document outlines basic Windows Firewall configurations. 本文档概述了Windows防火墙的基本配置。Use these approaches as a starting point for your larger networking organization. 使用这些方法作为你的大型网络组织的起点。For a detailed over view of security practices and risk management for MongoDB, see Security.有关MongoDB安全实践和风险管理的详细概述,请参阅安全。
Windows Firewall documentation from Microsoft.微软的文档。
Windows Firewall processes rules in an ordered determined by rule type, and parsed in the following order:按规则类型确定的顺序处理规则,并按以下顺序进行分析:
By default, the policy in Windows Firewall allows all outbound connections and blocks all incoming connections.默认情况下,Windows防火墙中的策略允许所有出站连接,并阻止所有入站连接。
Given the default ports of all MongoDB processes, you must configure networking rules that permit onlyrequired communication between your application and the appropriate 考虑到所有MongoDB进程的默认端口,您必须配置网络规则,只允许应用程序与相应的exe and exe instances.exe和exe实例之间进行必要的通信。
The configuration changes outlined in this document will create rules which explicitly allow traffic from specific addresses and on specific ports, using a default policy that drops all traffic that is not explicitly allowed.本文档中概述的配置更改将创建明确允许来自特定地址和特定端口的流量的规则,使用默认策略删除所有不明确允许的流量。
You can configure the Windows Firewall with using the 您可以使用netsh命令行工具或通过Windows应用程序配置Windows防火墙。netsh command line tool or through a windows application. On Windows Server 2008 this application is Windows Firewall With Advanced Security in Administrative Tools. 在Windows Server 2008上,此应用程序是Windows防火墙,在管理工具中具有高级安全性。On previous versions of Windows Server, access the Windows Firewall application in the System and Security control panel.在以前版本的Windows Server上,访问系统和安全控制面板中的Windows防火墙应用程序。
The procedures in this document use the 本文档中的过程使用netsh command line tool.netsh命令行工具。
This section contains a number of patterns and examples for configuring Windows Firewall for use with MongoDB deployments. 本节包含许多配置Windows防火墙以用于MongoDB部署的模式和示例。If you have configured different ports using the 如果使用端口配置设置配置了不同的端口,则需要相应地修改规则。port configuration setting, you will need to modify the rules accordingly.
mongod.exe Instancesmongod.exe实例的流量This pattern is applicable to all 此模式适用于作为独立实例或副本集的一部分运行的所有exe instances running as standalone instances or as part of a replica set. exe实例。The goal of this pattern is to explicitly allow traffic to the 此模式的目标是显式地允许从应用服务器到exe instance from the application server.exe实例的通信。
netsh advfirewall firewall add rule name="Open mongod port 27017" dir=in action=allow protocol=TCP localport=27017
This rule allows all incoming traffic to port 此规则允许将所有传入流量发送到端口27017, which allows the application server to connect to the exe instance.27017,从而允许应用程序服务器连接到exe实例。
Windows Firewall also allows enabling network access for an entire application rather than to a specific port, as in the following example:还允许为整个应用程序而不是特定端口启用网络访问,如以下示例所示:
netsh advfirewall firewall add rule name="Allowing mongod" dir=in action=allow program=" C:\Program Files\MongoDB\Server\3.4\bin\mongod.exe"
You can allow all access for a 通过以下调用,可以允许对exe server, with the following invocation:exe服务器进行所有访问:
netsh advfirewall firewall add rule name="Allowing mongos" dir=in action=allow program=" C:\Program Files\MongoDB\Server\3.4\bin\mongos.exe"
mongos.exe Instancesmongos.exe实例的流量exe instances provide query routing for sharded clusters. 实例为分片集群提供查询路由。Clients connect to 客户端连接到exe instances, which behave from the client's perspective as exe instances. exe实例,从客户端的角度来看,exe实例的行为与exe实例相同。In turn, the 反过来,exe connects to all exe instances that are components of the sharded cluster.exe将连接到作为分片集群组件的所有exe实例。
Use the same Windows Firewall command to allow traffic to and from these instances as you would from the 使用相同的Windows Firewall命令来允许与这些实例之间的通信,就像来自复制集成员的exe instances that are members of the replica set.exe实例一样。
netsh advfirewall firewall add rule name="Open mongod shard port 27018" dir=in action=allow protocol=TCP localport=27018
Configuration servers, host the config database that stores metadata for sharded clusters. 配置服务器托管存储分片集群元数据的配置数据库。Each production cluster has three configuration servers, initiated using the 每个生产集群都有三个配置服务器,使用mongod --configsvr option. mongod --configsvr选项启动。[1] Configuration servers listen for connections on port 配置服务器侦听端口27019上的连接。27019. As a result, add the following Windows Firewall rules to the config server to allow incoming and outgoing connection on port 因此,将以下Windows防火墙规则添加到配置服务器,以允许在端口27019, for connection to the other config servers.27019上进行传入和传出连接,以便连接到其他配置服务器。
netsh advfirewall firewall add rule name="Open mongod config svr port 27019" dir=in action=allow protocol=TCP localport=27019
Additionally, config servers need to allow incoming connections from all of the 此外,配置服务器需要允许来自集群中所有exe instances in the cluster and all exe instances in the cluster. exe实例和集群中所有exe实例的传入连接。Add rules that resemble the following:添加类似以下内容的规则:
netsh advfirewall firewall add rule name="Open mongod config svr inbound" dir=in action=allow protocol=TCP remoteip=<ip-address> localport=27019
Replace 用<ip-address> with the addresses of the exe instances and the shard exe instances.exe实例和分片exe实例的地址替换<ip address>。
| [1] | configsvr value for the clusterRole setting in a configuration file.clusterRole设置的configsvr值来运行配置服务器。 |
For shard servers, running as 对于以mongod --shardsvr[2] Because the default port number is 27018 when running with the shardsvr value for the clusterRole setting, you must configure the following Windows Firewall rules to allow traffic to and from each shard:mongod --shardsvr[2]运行的分片服务器,由于在使用clusterRole设置的shardsvr值运行时,默认端口号为27018,因此必须配置以下Windows防火墙规则,以允许每个分片之间的通信:
netsh advfirewall firewall add rule name="Open mongod shardsvr inbound" dir=in action=allow protocol=TCP remoteip=<ip-address> localport=27018 netsh advfirewall firewall add rule name="Open mongod shardsvr outbound" dir=out action=allow protocol=TCP remoteip=<ip-address> localport=27018
Replace the 用所有<ip-address> specification with the IP address of all exe instances. exe实例的ip地址替换<ip address>规范。This allows you to permit incoming and outgoing traffic between all shards including constituent replica set members to:这允许您允许所有分片(包括组成副本集成员)之间的传入和传出流量:
exe instances in the shard's replica sets.exe实例。exe instances in other shards. exe实例。[3]Furthermore, shards need to be able make outgoing connections to:此外,分片需要能够与以下设备建立传出连接:
Create a rule that resembles the following, and replace the 创建类似于以下内容的规则,并用配置服务器和<ip-address> with the address of the config servers and the exe instances:exe实例的地址替换<ip-address>:
netsh advfirewall firewall add rule name="Open mongod config svr outbound" dir=out action=allow protocol=TCP remoteip=<ip-address> localport=27018
| [2] | shardsvr value for the clusterRole setting in the configuration file. clusterRole设置指定带有shardsvr值的shard server选项。 |
| [3] | |
The mongostat diagnostic tool, when running with the --discover needs to be able to reach all components of a cluster, including the config servers, the shard servers, and the exe instances.mongostat诊断工具在使用--discover运行时,需要能够访问集群的所有组件,包括配置服务器、分片服务器和exe实例。
Changed in version 3.6.在版本3.6中更改。
This section contains a number of basic operations for managing and using 本节包含管理和使用netsh. netsh的一些基本操作。While you can use the GUI front ends to manage the Windows Firewall, all core functionality is accessible is accessible from 虽然可以使用GUI前端管理Windows防火墙,但所有核心功能都可以从netsh.netsh访问。
To delete the firewall rule allowing 要删除允许exe traffic:exe通信的防火墙规则,请执行以下操作:
netsh advfirewall firewall delete rule name="Open mongod port 27017" protocol=tcp localport=27017 netsh advfirewall firewall delete rule name="Open mongod shard port 27018" protocol=tcp localport=27018
To return a list of all Windows Firewall rules:要返回所有Windows防火墙规则的列表,请执行以下操作:
netsh advfirewall firewall show rule name=all
To reset the Windows Firewall rules:要重置Windows防火墙规则,请执行以下操作:
netsh advfirewall reset
To simplify administration of larger collection of systems, you can export or import firewall systems from different servers) rules very easily on Windows:为了简化更大系统集合的管理,您可以在Windows上非常轻松地从不同服务器导出或导入防火墙系统)规则:
Export all firewall rules with the following command:使用以下命令导出所有防火墙规则:
netsh advfirewall export "C:\temp\MongoDBfw.wfw"
Replace 将"C:\temp\MongoDBfw.wfw" with a path of your choosing. "C:\temp\MongoDBfw.wfw"替换为您选择的路径。You can use a command in the following form to import a file created using this operation:可以使用以下形式的命令导入使用此操作创建的文件:
netsh advfirewall import "C:\temp\MongoDBfw.wfw"