<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.style8
{mso-style-name:style8;}
span.style1
{mso-style-name:style1;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:254826165;
mso-list-template-ids:1780235668;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-AU link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>G’day Rick, Ben and all<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In regards to the </span><a
href="http://www.accessgrid.org/node/898">http://www.accessgrid.org/node/898</a><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> document,
I produced this to assist with setting up a firewall on a Linux system, but the
same ports can be used on any type of firewall.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I would also suggest that a number of these port are quite
important, such as VenueVNC Port (This is required if you want to run a VenueVNC
Server). Another one that might be useful for running a multicast beacon.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Anyway, that document includes all of the ports I use on a
system myself personally.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I am just about to undertake an update of this document (And
remove anything to do with AG2) for the new Fedora 10 install guide and will
investigate the various ports stated below.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Additionally, my colleagues at ARCS (Australian Research
Collaboration Service), with previous work from Tom are working on a networking
document as we speak. It is hoped to have this document up on the AG
website by the end of the week. Hopefully this will also be of use.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Best regards,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Jason.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US
style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>
Ben Green [mailto:ben.green@manchester.ac.uk] <br>
<b>Sent:</b> Thursday, 20 November 2008 07:54 PM<br>
<b>To:</b> R. P. C. Rodgers; ag-tech<br>
<b>Subject:</b> RE: [AG-TECH] Clarification of firewall requirements for AG<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Hi Rick,</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>To get AG toolkit working on a unicast network, you only need
to have the following ports configured:</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span class=style1>8000 TCP</span> <span class=style1>Virtual
Venue Server Port</span> <o:p></o:p></p>
<p class=MsoNormal><span class=style1>8002 TCP</span> <span class=style1>Event
Port</span> <o:p></o:p></p>
<p class=MsoNormal><span class=style1>5223 TCP</span> <span class=style1>Text
Port</span> <o:p></o:p></p>
<p class=MsoNormal><span class=style1>8006 TCP Data Port</span> <o:p></o:p></p>
<p class=MsoNormal><span class=style1>47000 UDP</span> <span class=style1>Internal</span>
<span class=style1>Rat -Internal Port</span> <o:p></o:p></p>
<p class=MsoNormal><span class=style1>50000-50020 TCP Data Transfer Port</span>
<o:p></o:p></p>
<p class=MsoNormal><span class=style1>10000-10999 UDP</span><o:p></o:p></p>
<p class=MsoNormal><span class=style1>1992 TCP Bridge Listening Port</span> <o:p></o:p></p>
<p class=MsoNormal><span class=style1>8030 TCP Bridge Registry Peer</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>The above info comes from our firewall web page:</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'><a
href="http://www.ja.net/services/video/agsc/technical-information/porttable.html">http://www.ja.net/services/video/agsc/technical-information/porttable.html</a></span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>If you're installing Toolkit on Windows XP, you may find
the following document useful:</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'><a
href="http://www.ja.net/documents/services/video/installingagtkonwindows_000.pdf">http://www.ja.net/documents/services/video/installingagtkonwindows_000.pdf</a></span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>I think a lot of the ports you've mention below are specific to
other applications that are not necessary, i.e. VNC, FTP, SSH etc..</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>And the info is quite old, so it may actually refer to AG Toolkit
v2.x - you should be using v3.1 stable release.</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Cheers, Ben.</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p><span style='font-size:10.0pt'>-----------------------------------------<br>
Ben Green<br>
<br>
Access Grid Support Centre<br>
Research Computing Services<br>
University of Manchester<br>
Room 73A, Devonshire House, Precinct Centre,<br>
Oxford Road, Manchester, M13 9PL<br>
tel: +44 (0)161 306 6621<br>
fax: +44 (0)161 275 6120<br>
email - ben.green@manchester.ac.uk<br>
web - www.agsc.ja.net<br>
-----------------------------------</span><o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<div class=MsoNormal align=center style='text-align:center'><span lang=EN-US>
<hr size=2 width="100%" align=center>
</span></div>
<p class=MsoNormal style='margin-bottom:12.0pt'><b><span lang=EN-US
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
owner-ag-tech@mcs.anl.gov [mailto:owner-ag-tech@mcs.anl.gov] <b>On Behalf Of </b>R.
P. C. Rodgers<br>
<b>Sent:</b> 20 November 2008 02:41<br>
<b>To:</b> ag-tech<br>
<b>Subject:</b> [AG-TECH] Clarification of firewall requirements for AG</span><span
lang=EN-US><o:p></o:p></span></p>
<p class=MsoNormal>Dear AG Colleagues,<br>
<br>
I am trying to configure a small SonicWall network security appliance to allow
Access Grid to<br>
work well. I am using a cable broadband provider that does not support
multicast, wo will be<br>
using bridges. Before proceeding I wanted to seek wider advice.
Several year ago I exracted a list<br>
of ports/services from the excellent document put together at Manchester in
2005 by Javier Gomez<br>
Alonso (<a href="http://www.accessgrid.org/agdp/guide/ports.html">http://www.accessgrid.org/agdp/guide/ports.html</a>).
To boil it down to its essence, it looks<br>
something like this:<br>
<br>
port 8000/TCP for venue server<br>
port 8002/TCP event<br>
port 8004/TCP text<br>
port 8006/TCP data<br>
port 5222/TCP Jabber server<br>
port 7777/TCP NCSA Jabber server<br>
port 4561/TCP for distributed powerpoint server<br>
port 5001/TCP for distributed powerpoint server<br>
[subtotal: 9]<br>
ports 5800-5999 for VNC server<br>
[subtotal: 200]<br>
ports 49152-65535 for unicast bridge<br>
[subtotal: 16384]<br>
[grand total: 16593]<br>
<br>
of which I was assuming one could ignore all but 5800-5999 and 49152-65535
because<br>
in other cases the connection is established by the client coming into the
server (though I'm not at<br>
all certain of this in the case of shared powerpoint, or for all of the 800x
ports). But its not<br>
clear if one really needs ALL of these ports. To further confuse things,
there is a document<br>
at: <a href="http://www.accessgrid.org/node/898">http://www.accessgrid.org/node/898</a><br>
which states that the following firewall rules are required:<o:p></o:p></p>
<ul type=disc>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept all traffic from localhost (Required for
things like rat, etc) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept all multicast traffic (224.0.0.0/4) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept all port 21 traffic (FTP) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept all port 22 traffic (SSH) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept all port 80 traffic (HTTP) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept all port 443 traffic (TLS/SSL) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept all port 631 traffic (IPP) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept all port 5353 traffic (Multicast DNS) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept icmp traffic (ping) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept traffic from ports 5900-5920 (Required for
VenueVNC) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept traffic from ports 8000, 8002 and 8004
(Required for Multicast Beacon) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept traffic from ports 10000, 10002 and 10004
(Required for VenueServer) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept traffic from ports 11000, 11100 (Required
for NodeService Manager) <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Accept traffic from ports 20000-20020 (Required
for BridgeServer) <o:p></o:p></li>
</ul>
<p class=MsoNormal style='margin-bottom:12.0pt'>which is quite at variance with
my list, even discounting the fact that many of the above<br>
rules seem concerned not with AG but with standard services that might be of
interest<br>
at that site. This may reflect misunderstandings on the part of me, the
second source, or both.<br>
Anyone have suggestions as to how best to proceed?<br>
<br>
Thanks in advance for any helpful guidance.<br>
<br>
Thanks and Best Regards, Rick Rodgers<o:p></o:p></p>
</div>
</body>
</html>