On Windows Server systems, the netsh program provides methods for managing the Windows Firewall. These firewall rules make it possible for administrators to control which hosts can connect to the system, and limit risk exposure by restricting the hosts that can connect to it.
This document outlines basic Windows Firewall configurations. Use these approaches as a starting point for your larger networking organization. For a detailed overview of security practices and risk management for MongoDB, see Security.
Tip
See the Windows Firewall documentation from Microsoft.
Overview
Windows Firewall processes rules in an order determined by rule type, and parses them in the following order:
1. Windows Service Hardening
2. Connection security rules
3. Authenticated Bypass Rules
4. Block Rules
5. Allow Rules
6. Default Rules
By default, the policy in Windows Firewall allows all outbound connections and blocks all incoming connections.
Given the default ports of all MongoDB processes, you must configure networking rules that permit only the required communication between your application and the appropriate mongod.exe and mongos.exe instances.
The configuration changes outlined in this document will create rules that explicitly allow traffic from specific addresses and on specific ports, using a default policy that drops all traffic that is not explicitly allowed.
You can configure the Windows Firewall using the netsh command line tool or through a Windows application. On Windows Server 2008 this application is Windows Firewall With Advanced Security in Administrative Tools. On previous versions of Windows Server, access the Windows Firewall application in the System and Security control panel.
The procedures in this document use the netsh command line tool.
Patterns
This section contains a number of patterns and examples for configuring Windows Firewall for use with MongoDB deployments. If you have configured different ports using the port configuration setting, you will need to modify the rules accordingly.
Traffic to and from mongod.exe Instances
This pattern is applicable to all mongod.exe instances running as standalone instances or as part of a replica set. The goal of this pattern is to explicitly allow traffic to the mongod.exe instance from the application server.
netsh advfirewall firewall add rule name="Open mongod port 27017" dir=in action=allow protocol=TCP localport=27017
This rule allows all incoming traffic to port 27017, which allows the application server to connect to the mongod.exe instance.
Windows Firewall also allows enabling network access for an entire application rather than for a specific port, as in the following example:
netsh advfirewall firewall add rule name="Allowing mongod" dir=in action=allow program="C:\Program Files\MongoDB\Server\3.4\bin\mongod.exe"
You can allow all access for a mongos.exe server with the following invocation:
netsh advfirewall firewall add rule name="Allowing mongos" dir=in action=allow program="C:\Program Files\MongoDB\Server\3.4\bin\mongos.exe"
Traffic to and from mongos.exe Instances
mongos.exe instances provide query routing for sharded clusters. Clients connect to mongos.exe instances, which behave from the client's perspective as mongod.exe instances. In turn, the mongos.exe connects to all mongod.exe instances that are components of the sharded cluster.
Use the same Windows Firewall command to allow traffic to and from these instances as you would for the mongod.exe instances that are members of the replica set.
netsh advfirewall firewall add rule name="Open mongod shard port 27018" dir=in action=allow protocol=TCP localport=27018
Traffic to and from a MongoDB Config Server
Configuration servers host the config database that stores metadata for sharded clusters. Each production cluster has three configuration servers, initiated using the mongod --configsvr option. [1] Configuration servers listen for connections on port 27019. As a result, add the following Windows Firewall rules to the config server to allow incoming and outgoing connections on port 27019, for connection to the other config servers.
netsh advfirewall firewall add rule name="Open mongod config svr port 27019" dir=in action=allow protocol=TCP localport=27019
Additionally, config servers need to allow incoming connections from all of the mongos.exe instances in the cluster and all mongod.exe instances in the cluster. Add rules that resemble the following:
netsh advfirewall firewall add rule name="Open mongod config svr inbound" dir=in action=allow protocol=TCP remoteip=<ip-address> localport=27019
Replace <ip-address> with the addresses of the mongos.exe instances and the shard mongod.exe instances.
[1] You can also run a config server using the configsvr value for the clusterRole setting in a configuration file.
Traffic to and from a MongoDB Shard Server
Shard servers run as mongod --shardsvr. [2] Because the default port number is 27018 when running with the shardsvr value for the clusterRole setting, you must configure the following Windows Firewall rules to allow traffic to and from each shard:
netsh advfirewall firewall add rule name="Open mongod shardsvr inbound" dir=in action=allow protocol=TCP remoteip=<ip-address> localport=27018
netsh advfirewall firewall add rule name="Open mongod shardsvr outbound" dir=out action=allow protocol=TCP remoteip=<ip-address> localport=27018
Replace the <ip-address> specification with the IP addresses of all mongod.exe instances. This allows you to permit incoming and outgoing traffic between all shards, including constituent replica set members, to:
- all mongod.exe instances in the shard's replica sets.
- all mongod.exe instances in other shards. [3]
Furthermore, shards need to be able to make outgoing connections to:
- all mongos.exe instances.
- all mongod.exe instances in the config servers.
Create a rule that resembles the following, and replace <ip-address> with the addresses of the config servers and the mongos.exe instances:
netsh advfirewall firewall add rule name="Open mongod config svr outbound" dir=out action=allow protocol=TCP remoteip=<ip-address> localport=27018
[2] You can also specify the shard server option with the shardsvr value for the clusterRole setting in the configuration file. Shard members are also often conventional replica sets using the default port.
[3]
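The config server and shard server patterns above each take a single <ip-address>. The following PowerShell, added here and not part of the MongoDB documentation, builds the complete set of scoped rules for one cluster role from lists of member addresses (constructed placeholders), assuming the default ports; unlike the outbound commands above, it scopes outbound rules by remoteport, the port the peer listens on.

```powershell
# Added example (not from the MongoDB docs): emit netsh rules for one cluster
# role that are scoped with remoteip to the peers that need them, instead of
# allowing a port from any address. Addresses below are constructed placeholders.
$AppServers    = @('10.0.1.10', '10.0.1.11')            # clients that talk to mongos
$MongosHosts   = @('10.0.2.10', '10.0.2.11')
$ShardHosts    = @('10.0.3.10', '10.0.3.11', '10.0.3.12')
$ConfigServers = @('10.0.4.10', '10.0.4.11', '10.0.4.12')

function New-MongoFirewallRules {
    param([ValidateSet('mongos', 'shardsvr', 'configsvr')][string]$Role)
    # Each entry: rule name, direction, the port the listener uses, allowed peers.
    $rules = switch ($Role) {
        'mongos' {
            @{ Name = 'MongoDB mongos inbound';      Dir = 'in';  Port = 27017; Peers = $AppServers }
            @{ Name = 'MongoDB mongos to shards';    Dir = 'out'; Port = 27018; Peers = $ShardHosts }
            @{ Name = 'MongoDB mongos to configsvr'; Dir = 'out'; Port = 27019; Peers = $ConfigServers }
        }
        'shardsvr' {
            # inbound from mongos and from the other shard members (replication, chunk migration)
            @{ Name = 'MongoDB shardsvr inbound';      Dir = 'in';  Port = 27018; Peers = $MongosHosts + $ShardHosts }
            @{ Name = 'MongoDB shardsvr to shards';    Dir = 'out'; Port = 27018; Peers = $ShardHosts }
            @{ Name = 'MongoDB shardsvr to configsvr'; Dir = 'out'; Port = 27019; Peers = $ConfigServers }
        }
        'configsvr' {
            @{ Name = 'MongoDB configsvr inbound';      Dir = 'in';  Port = 27019; Peers = $MongosHosts + $ShardHosts + $ConfigServers }
            @{ Name = 'MongoDB configsvr to configsvr'; Dir = 'out'; Port = 27019; Peers = $ConfigServers }
        }
    }
    foreach ($r in $rules) {
        # An inbound rule matches localport (this host's listener). An outbound rule
        # matches remoteport (the peer's listener), because the local side of an
        # outgoing connection uses an ephemeral port.
        $portArg = if ($r.Dir -eq 'in') { "localport=$($r.Port)" } else { "remoteport=$($r.Port)" }
        $peers   = ($r.Peers | Sort-Object -Unique) -join ','
        "netsh advfirewall firewall add rule name=`"$($r.Name)`" dir=$($r.Dir) action=allow protocol=TCP remoteip=$peers $portArg"
    }
}

# Review the generated commands, then run them in an elevated prompt. Outbound
# allow rules only restrict anything once the outbound default is set to block:
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
New-MongoFirewallRules -Role 'shardsvr'
```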
Provide Access For Monitoring Systems
The mongostat diagnostic tool, when running with the --discover option, needs to be able to reach all components of a cluster, including the config servers, the shard servers, and the mongos.exe instances.
Manage Windows Firewall Configurations
This section contains a number of basic operations for managing and using netsh. While you can use the GUI front ends to manage the Windows Firewall, all core functionality is accessible from netsh.
Delete Windows Firewall Rules for Default MongoDB Ports
To delete the firewall rules allowing mongod.exe traffic:
netsh advfirewall firewall delete rule name="Open mongod port 27017" protocol=tcp localport=27017
netsh advfirewall firewall delete rule name="Open mongod shard port 27018" protocol=tcp localport=27018
List All Windows Firewall Rules
To return a list of all Windows Firewall rules:
netsh advfirewall firewall show rule name=all
Reset Windows Firewall
To reset the Windows Firewall rules:
netsh advfirewall reset
Backup and Restore Windows Firewall Rules
To simplify administration of larger systems, you can export or import Windows Firewall rules.
To export all Windows Firewall rules, run the following command:
netsh advfirewall export "C:\temp\MongoDBfw.wfw"
Replace "C:\temp\MongoDBfw.wfw" with a path of your choosing.
To import Windows Firewall rules, run the following command:
netsh advfirewall import "C:\temp\MongoDBfw.wfw"
Replace "C:\temp\MongoDBfw.wfw" with the path to the file that contains your Windows Firewall rules.
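The rule listing produced by show rule name=all is also the place to verify that no MongoDB port is left open to every remote address. The following PowerShell, added here and not from the MongoDB documentation, parses that output and flags such rules; the sample records are constructed in netsh's output format.

```powershell
# Added example (not from the MongoDB docs): parse the output of
# "netsh advfirewall firewall show rule name=all" and flag inbound allow rules
# on MongoDB's default ports that are open to any remote address.
$MongoPorts = @('27017', '27018', '27019')
function ConvertFrom-NetshRules {
    param([string[]]$Lines)
    # netsh prints one "Key: Value" line per field; every record starts with
    # "Rule Name:", so that key closes the previous record.
    $rules = @(); $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^(?<k>[A-Za-z ]+):\s*(?<v>.*)$') {
            $k = $Matches.k.Trim(); $v = $Matches.v.Trim()
            if ($k -eq 'Rule Name') {
                if ($null -ne $cur) { $rules += $cur }
                $cur = @{}
            }
            if ($null -ne $cur) { $cur[$k] = $v }
        }
    }
    if ($null -ne $cur) { $rules += $cur }
    return $rules
}

function Find-OverBroadMongoRules {
    param([string[]]$Lines)
    ConvertFrom-NetshRules $Lines | Where-Object {
        $_['Direction'] -eq 'In' -and $_['Action'] -eq 'Allow' -and $_['Enabled'] -eq 'Yes' -and
        $_['RemoteIP'] -eq 'Any' -and ($_['LocalPort'] -in $MongoPorts)
    } | ForEach-Object { $_['Rule Name'] }
}

# Constructed sample in netsh's output format (unrelated fields omitted).
$Sample = @'
Rule Name:                            Open mongod port 27017
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
LocalPort:                            27017
Action:                               Allow
Rule Name:                            Open mongod config svr inbound
Enabled:                              Yes
Direction:                            In
RemoteIP:                             10.0.2.10,10.0.3.10
LocalPort:                            27019
Action:                               Allow
'@ -split "`r?`n"

Find-OverBroadMongoRules $Sample   # flags only "Open mongod port 27017"
# Live audit: Find-OverBroadMongoRules (netsh advfirewall firewall show rule name=all)
```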