NOTE: Shorewall provides a NAT Masquerade rule that allows the compute nodes to access networks that are outside the cluster via the head node. If you are okay with the compute nodes not having access to external networks or aren’t using the head node as the default gateway for the compute nodes, then you may follow these procedures to disable shorewall on your head node.
First, run the following commands on your head node to prevent Bright from automatically restarting shorewall:
# cmsh
% device use master
% services
% set shorewall autostart no
% set shorewall6 autostart no
% commit
NOTE: Before stopping the shorewall and shorewall6 services, unmount any network-mounted file systems (e.g. NFS) that are mounted on the cluster’s head node. Otherwise, if you get locked out of the head node while following the procedures below, you may not be able to log in to the head node’s console, because the operating system can hang trying to access a network-mounted file system.
Next, stop and disable both shorewall services using Bright. Please note that if you stop the services outside of Bright (e.g. via the systemctl utility), then Bright will restart those services during a future reboot of the head node:
# cmsh
% device use master
% services
% stop shorewall
% stop shorewall6
Then, flush the iptables rules and set the default policy on each chain to be ACCEPT:
# iptables -F INPUT && iptables -P INPUT ACCEPT
# iptables -F FORWARD && iptables -P FORWARD ACCEPT
# iptables -F OUTPUT && iptables -P OUTPUT ACCEPT
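To confirm the head node ended up in the state the last step describes, the following check parses `iptables -S` output. It is an added example, not part of the original procedure or of Bright's tooling; the function name check_filter_open and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original procedure.
# Reads `iptables -S` output (filter table) on stdin and reports anything that
# differs from the end state of the steps above: policy ACCEPT and no rules
# in INPUT, FORWARD and OUTPUT. Returns 0 only when all three chains match.
check_filter_open() {
    awk '
        BEGIN { bad = 0; need["INPUT"]; need["FORWARD"]; need["OUTPUT"] }
        $1 == "-P" && ($2 in need) {
            seen[$2] = 1
            if ($3 != "ACCEPT") { printf "policy %s is %s\n", $2, $3; bad = 1 }
        }
        $1 == "-A" && ($2 in need) {
            printf "rule left in %s: %s\n", $2, $0; bad = 1
        }
        END {
            for (c in need)
                if (!(c in seen)) { printf "no policy line for %s\n", c; bad = 1 }
            exit bad
        }
    '
}

# Constructed sample: what `iptables -S` prints once the commands above have run.
SAMPLE_OPEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: a restrictive policy and a rule still present in INPUT.
SAMPLE_LEFTOVER='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT'

printf '%s\n' "$SAMPLE_OPEN" | check_filter_open && echo "sample 1: filter chains open"
printf '%s\n' "$SAMPLE_LEFTOVER" | check_filter_open || echo "sample 2: filter chains not open"
```

On the head node, run `iptables -S | check_filter_open` as root. `ip6tables -S` prints the same format, so its output can be piped through the same function.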