Redis Software runs multiple internal and client-facing services that must traverse your host firewall. This guide walks you through configuring firewalld on CentOS / RHEL so those services stay reachable and secure. You’ll review default behavior, learn about the built-in redislabs and redislabs-clients services, run automatic or manual rule setup, reference the full Port Matrix, and solve common connectivity issues. Jump to Prerequisites, Default Behavior, Advanced Settings & Port Reference, Troubleshooting, or Additional Resources.
Prerequisites
- Root or sudo access to the CentOS/RHEL host that will run RLEC.
- Redis Software installed or staged (installer creates firewalld services).
Default firewalld Behavior
- Firewalld controls iptables rules with zones and services; the public zone is used by default.
- All inbound ports are blocked except 22/tcp (SSH).
- Auto-configuration does not harden the OS—add security groups, host hardening, or external firewalls for full defense-in-depth protection.
Built-in firewalld Services Created by RLEC
| Service | Purpose | Ports (default) | Location of XML definition |
|---|---|---|---|
| redislabs | Internal cluster traffic, management layer, replication, Prometheus | 8443, 8070, 3333-3339, 10000-19999, ICMP | /etc/firewalld/services/redislabs.xml |
| redislabs-clients | Client-to-cluster traffic | Same database range (10000-19999) | /etc/firewalld/services/redislabs-clients.xml |
Automatic Configuration During Installation
Most administrators answer “Yes” to the installer prompt that adds redislabs to the public zone:
- This opens all ports defined in redislabs.xml (internal traffic).
- Client access is not opened automatically: add redislabs-clients yourself if external applications connect through the host firewall.
- Remember: automatic rules do not replace OS hardening.
Manual Configuration Steps
1. Allow built-in Redis services
2. Open custom or re-mapped ports (if used)
   sudo firewall-cmd --permanent --zone=public --add-port=<PORT>/tcp
   sudo firewall-cmd --reload
3. Verify results
4. (Optional) Use the GUI – Launch firewall-config for a point-and-click alternative.
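The four steps above, collected into one idempotent script. This is an added example, not part of the original article or of the Redis Software installer; it relies only on the redislabs and redislabs-clients service names and the firewall-cmd options already shown on this page. The function names, the ZONE variable and the DRY_RUN switch are this example's own conventions. It validates each custom port before emitting a rule, applies everything as --permanent, reloads once, and finishes with --list-all so the verification step is built in. DRY_RUN defaults to 1 so the script only prints the plan; set DRY_RUN=0 on the node to execute it.

```shell
#!/bin/sh
# Added example (not from the Redis docs): firewalld setup for an RLEC node.
# Assumes the redislabs / redislabs-clients service definitions exist in
# /etc/firewalld/services/. ZONE and any extra TCP ports are the inputs.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them with sudo.

ZONE="${ZONE:-public}"
DRY_RUN="${DRY_RUN:-1}"

# Accept a TCP port only if it is all digits and within 1-65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the firewall-cmd invocations for a zone ($1) plus custom ports ($2...).
# Rules are --permanent; a single --reload activates them; --list-all verifies.
rlec_firewall_plan() {
  zone="$1"; shift
  echo "firewall-cmd --permanent --zone=$zone --add-service=redislabs"
  echo "firewall-cmd --permanent --zone=$zone --add-service=redislabs-clients"
  for p in "$@"; do
    if valid_port "$p"; then
      echo "firewall-cmd --permanent --zone=$zone --add-port=$p/tcp"
    else
      echo "skipping invalid port '$p'" >&2
    fi
  done
  echo "firewall-cmd --reload"
  echo "firewall-cmd --zone=$zone --list-all"
}

# Print the plan (dry run) or execute it, stopping at the first failure.
rlec_firewall_apply() {
  rlec_firewall_plan "$@" | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = "1" ]; then
      echo "[dry-run] $cmd"
    else
      # shellcheck disable=SC2086  # word-splitting the command string is intended
      sudo $cmd || { echo "failed: $cmd" >&2; exit 1; }
    fi
  done
}

# Constructed example: public zone plus a Cluster Manager UI relocated to 9443.
rlec_firewall_apply "$ZONE" 9443
```

Adding redislabs-clients is only necessary when client applications reach the databases through the host firewall; drop that line from the plan on nodes where clients never traverse it.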
Advanced Settings & Port Reference
Port Matrix (quick glance)
- Database traffic: 10000-19999/tcp
- Web UI (Cluster Manager): 8443/tcp (change with rladmin cluster config cm_port <new-port>; remember to open the new port)
- Prometheus endpoint: 8070/tcp
- Internal transport & HA: 3333-3339/tcp
- Health checks: ICMP Echo between nodes (allow in security groups where applicable)
See the complete table in Network port configurations (Redis docs) before finalizing rules.
Custom installation directories
If you installed RLEC with --install-dir or --config-dir, firewalld service XML files are still written to /etc/firewalld/services/. Make sure that directory is writable, included in backups, and monitored for drift.
Troubleshooting firewalld and RLEC Connectivity
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Cannot connect from clients | redislabs-clients not open | Add the service to the appropriate zone. |
| Cluster node join fails | Inter-node ports blocked | Confirm redislabs service and ICMP reachability. |
| Web UI moved to another port (e.g., 9443) | Port not open in firewalld | firewall-cmd --add-port=9443/tcp. |
| firewalld fails to add redislabs on RHEL 9 | File-permission bug before 7.4.2-129 | Upgrade to ≥ 7.4.2-129 or chmod 644 /etc/firewalld/services/*.xml. |
| Using non-standard DB ports | Custom ports not allowed | Add each port with --add-port. |
| Rules revert after reboot | firewalld not in permanent mode | Re-apply with --permanent, then --reload. |
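Two of the rows above (a missing redislabs-clients service and rules that revert after reboot) can be detected before anyone reports a symptom by comparing the runtime zone against the permanent one. The script below is an added example, not part of the original article; it parses the text that `firewall-cmd --zone=Z --list-all` prints and reports runtime entries that are not persisted, plus any of the two RLEC services that are absent. The two zone dumps are constructed samples so the example runs offline; on a real node feed it the output of the runtime and `--permanent` list-all calls shown in the trailing comment. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Redis docs): diff runtime vs permanent firewalld
# zone state to catch rules that will vanish on reboot and missing RLEC services.
# Input is the text printed by `firewall-cmd --zone=<zone> --list-all`.

# Constructed sample: runtime zone has the clients service and 9443/tcp ...
RUNTIME_SAMPLE='public (active)
  target: default
  services: cockpit dhcpv6-client redislabs redislabs-clients ssh
  ports: 9443/tcp
  protocols:'

# ... but the permanent zone was never given either, so both revert on reload/reboot.
PERMANENT_SAMPLE='public
  target: default
  services: cockpit dhcpv6-client redislabs ssh
  ports:
  protocols:'

# Print the value of one list-all field ("services", "ports", ...) read from stdin.
zone_field() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Print each token of list $1 that does not appear in list $2 (both space-separated).
missing_from() {
  for tok in $1; do
    case " $2 " in
      *" $tok "*) ;;
      *) echo "$tok" ;;
    esac
  done
}

# Report runtime entries absent from the permanent config.
# $1 = runtime list-all text, $2 = permanent list-all text.
# Output: "service NAME" / "port PORT" lines; no output means the two agree.
check_persistence() {
  rt_services=$(printf '%s\n' "$1" | zone_field services)
  pm_services=$(printf '%s\n' "$2" | zone_field services)
  rt_ports=$(printf '%s\n' "$1" | zone_field ports)
  pm_ports=$(printf '%s\n' "$2" | zone_field ports)
  for s in $(missing_from "$rt_services" "$pm_services"); do echo "service $s"; done
  for p in $(missing_from "$rt_ports" "$pm_ports"); do echo "port $p"; done
}

# Report which of the two RLEC services is missing from a zone dump ($1).
check_rlec_services() {
  svcs=$(printf '%s\n' "$1" | zone_field services)
  missing_from "redislabs redislabs-clients" "$svcs"
}

check_persistence "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
check_rlec_services "$PERMANENT_SAMPLE"
# On a real node (replace public with your zone):
# check_persistence "$(firewall-cmd --zone=public --list-all)" \
#                   "$(firewall-cmd --permanent --zone=public --list-all)"
```

An empty report from check_persistence means every runtime rule is also in the permanent configuration; anything it lists is exactly what the "Rules revert after reboot" row predicts will disappear, and the fix is the same: re-add it with --permanent and --reload.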
Additional checks
- Verify CPU, RAM, and disk aren’t saturated; resource pressure can mimic network drops.
- Confirm no external firewall, SELinux policy, or antivirus is overriding firewalld.
- Review /var/log/firewalld for rule-loading errors.