Option 1: Trusted Zone (Recommended for Dedicated Storage Networks)
For dedicated storage networks, disable firewall filtering on storage interfaces to eliminate CPU overhead from packet inspection. This is critical for high-throughput NVMe-TCP storage.
Why disable filtering on storage interfaces:
-
CPU overhead: Firewall packet inspection adds latency and consumes CPU cycles
-
Performance impact: At high IOPS (millions with NVMe-TCP), filtering overhead becomes significant
-
Network isolation: Dedicated storage VLANs provide security at the network layer
-
Simplicity: No port rules to maintain for storage traffic
# Add storage interfaces to trusted zone (no packet filtering)
sudo firewall-cmd --permanent --zone=trusted --add-interface=ens1f0
sudo firewall-cmd --permanent --zone=trusted --add-interface=ens1f1
# Reload
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --zone=trusted --list-all
Option 2: Port Filtering (For Shared or Non-Isolated Networks)
Use port filtering only when storage interfaces share a network with other traffic or when additional host-level security is required by policy.
Port filtering adds CPU overhead for every packet. For production storage with high IOPS requirements, use Option 1 with network-level isolation instead.
Using firewalld (SLES 15+/openSUSE)
# Allow NVMe-TCP ports
# Port 4420 = Data port (connections)
# Port 8009 = Discovery port (optional, for nvme discover)
sudo firewall-cmd --permanent --add-port=4420/tcp
sudo firewall-cmd --permanent --add-port=8009/tcp
# Reload firewall
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --list-ports
Rich rules for advanced filtering
# Allow NVMe-TCP only from specific subnet
sudo firewall-cmd --permanent --zone=storage --add-rich-rule='
rule family="ipv4"
source address="10.100.1.0/24"
port protocol="tcp" port="4420" accept'
sudo firewall-cmd --permanent --zone=storage --add-rich-rule='
rule family="ipv4"
source address="10.100.1.0/24"
port protocol="tcp" port="8009" accept'
# Reload
sudo firewall-cmd --reload
Using YaST Firewall
# Launch YaST firewall module
sudo yast2 firewall
# Or command-line (4420 = data, 8009 = discovery)
sudo yast firewall services add tcpport=4420 zone=EXT
sudo yast firewall services add tcpport=8009 zone=EXT