Two-node cluster recently installed; it came with 9.5P1 and was later updated to 9.5P6. Starting with 9.4, portmapper (port 111) is normally blocked by the mgmt firewall policy. To my surprise I found that on one node port 111 is globally allowed, while on the other node it is only allowed on LIFs with the data firewall policy:
ff-cdot01% sudo ipfw list | grep 111
00001 allow log ip from any to any dst-port 111 in
00001 allow log ip from any 111 to any out
00105 allow log ip4 from any to 10.197.2.2 dst-port 111 in
00105 allow log ip4 from any 111 10.197.2.2 to any out
ff-cdot01%
ff-cdot02% sudo ipfw list | grep 111
00102 allow log ip4 from any to 10.197.2.5 dst-port 111 in
00102 allow log ip4 from any 111 10.197.2.5 to any out
ff-cdot02%
Could somebody explain how it could happen? How can I "fix" it to match normal default 9.5 behavior?
And more importantly, at this point I am unsure what else can differ between the two nodes. Is there any way to verify configuration consistency?
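One way to check exactly this from the `ipfw list` output, as an added example that is not part of the original post or of ONTAP: it parses the two listings quoted above, reports whether inbound port 111 is allowed to "any" (globally) or only to specific LIF addresses, and, after masking LIF IPs, shows which rules exist on one node but not the other. It assumes the rule lines follow the format shown in the post.

```python
import re

# Rule listings copied from the two nodes in the post (port-111 rules only).
NODE_RULES = {
    "ff-cdot01": """\
00001 allow log ip from any to any dst-port 111 in
00001 allow log ip from any 111 to any out
00105 allow log ip4 from any to 10.197.2.2 dst-port 111 in
00105 allow log ip4 from any 111 10.197.2.2 to any out""",
    "ff-cdot02": """\
00102 allow log ip4 from any to 10.197.2.5 dst-port 111 in
00102 allow log ip4 from any 111 10.197.2.5 to any out""",
}

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def normalize(line):
    """Drop the rule number and mask LIF addresses so the rule sets of
    different nodes can be compared directly."""
    _number, body = line.split(None, 1)
    return IPV4.sub("<LIF>", body)


def inbound_exposure(listing, port="111"):
    """Destinations that accept inbound traffic to `port`; a destination of
    'any' means the port is reachable on every address of the node."""
    dsts = set()
    for line in listing.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[1] != "allow" or tok[-1] != "in":
            continue
        if "dst-port" in tok and tok[tok.index("dst-port") + 1] == port:
            dsts.add(tok[tok.index("to") + 1])
    return {"global": "any" in dsts, "lifs": sorted(dsts - {"any"})}


def rule_drift(node_rules):
    """Normalized rules that exist on some nodes but not on all of them."""
    norm = {n: {normalize(l) for l in t.splitlines()} for n, t in node_rules.items()}
    common = set.intersection(*norm.values())
    return {n: sorted(r - common) for n, r in norm.items() if r - common}


if __name__ == "__main__":
    for node, listing in NODE_RULES.items():
        print(node, inbound_exposure(listing))
    for node, extra in rule_drift(NODE_RULES).items():
        print(f"{node}: rules not present on every node: {extra}")
```

Feeding the full `sudo ipfw list` output of each node into `NODE_RULES` extends the same drift check beyond port 111.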