[AG-TECH] NCSA Venues and port usage
Brian Corrie
bcorrie at sfu.ca
Wed Jan 31 12:40:10 CST 2007
Hi Michael,
We run a venueserver and run it within limited port ranges so that it is
easier to manage firewalls. In general I think this is a good idea.
On our firewalls, we typically open up to specific machines and/or to
specific ports on those machines. I think that our firewalls are open to
connect to the NCSA bridge machine and venueserver on an IP number basis
(all ports or at least a very large range of ports). This is the same
for Argonne, the AGSC, and others... If we could limit the ports to a
small fixed set of ports so we could clamp down on the firewall that
would be much better from a security standpoint.
I think the only issue is how often would there be changes in the IP
number and ports used. Whenever this happens, anyone that has firewall
settings that enable AG will need to make changes, which is a
significant impact on the community. Thus you probably want to use a
port range that is large enough to include room for growth and change
but not so large that it becomes a huge hole. Our servers currently use a port
range that spans 200 ports... The important thing is to minimize the
number of changes so that firewalls only need to be changed very rarely.
In terms of use of firewalls, we have some sites that do nothing and
some that only open up the IP number and ports for a given bridge server
and a given AG venue. They know they only use that room, and therefore
they only open up those four ports to a specific bridge machine. Thus
static ports on a per-venue basis isn't a bad thing either...
Cheers,
Brian
Michael Miller wrote:
> We are considering consolidating the ports used on the NCSA AG Venue
> Servers into a consecutive range of ports. We wanted to find out how
> the AG community is currently dealing with firewalls and the ports used
> for AG and what can be done to make a change like this go smoothly. We
> are wondering how ports and multicast IPs were selected in the past as
> well as who might be considering setting up venue servers in the near
> future.
>
> We welcome your comments.
>
> Michael Miller
> NCSA
>
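Added example (not code from the thread or the Access Grid project): a small planning check for the consolidation Michael proposes, following Brian's description of sites that open either the whole server range or just one venue's four ports to a specific bridge IP. The host address, venue names and port numbers are constructed sample values.

```python
"""Check which sites' firewall exceptions would break under a new
consecutive port allocation for an AG venue server (constructed example)."""
from dataclasses import dataclass

PORTS_PER_VENUE = 4  # the "four ports" per venue mentioned in the thread


@dataclass(frozen=True)
class SiteRule:
    site: str
    host: str         # venue/bridge server IP the firewall exception targets
    ports: frozenset  # ports the site currently allows to that host
    venues: tuple     # venues the site actually uses


def plan_range(venue_names, base, size):
    """Give each venue four consecutive ports inside [base, base + size)."""
    needed = len(venue_names) * PORTS_PER_VENUE
    if needed > size:
        raise ValueError(f"{needed} ports needed, range holds only {size}")
    return {name: tuple(range(base + i * PORTS_PER_VENUE,
                              base + (i + 1) * PORTS_PER_VENUE))
            for i, name in enumerate(venue_names)}


def spare_venues(allocation, size):
    """Growth headroom: how many more venues still fit in the range."""
    return (size - len(allocation) * PORTS_PER_VENUE) // PORTS_PER_VENUE


def rules_needing_update(rules, host, allocation):
    """Map site -> new ports its rule for `host` no longer covers."""
    impacted = {}
    for rule in rules:
        if rule.host != host:
            continue  # exception points at another server; unaffected
        wanted = {p for v in rule.venues for p in allocation.get(v, ())}
        missing = sorted(wanted - rule.ports)
        if missing:
            impacted[rule.site] = missing
    return impacted


HOST = "192.0.2.10"  # constructed documentation address
VENUES = ["lobby", "venue-a", "venue-b"]
NEW_ALLOCATION = plan_range(VENUES, base=50000, size=200)
SITES = [  # constructed: one range-style rule, one stale per-venue rule
    SiteRule("site-range", HOST, frozenset(range(50000, 50200)), ("lobby", "venue-a")),
    SiteRule("site-old-venue", HOST, frozenset({9000, 9001, 9002, 9003}), ("venue-a",)),
    SiteRule("site-other-host", "198.51.100.7", frozenset({9000}), ("venue-b",)),
]
```

Running `rules_needing_update(SITES, HOST, NEW_ALLOCATION)` flags only the site whose per-venue exception still lists the old ports, which is the set of sites an announcement would need to reach.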