[AG-TECH] NCSA Venues and port usage

Brian Corrie bcorrie at sfu.ca
Wed Jan 31 12:40:10 CST 2007


Hi Michael,

We run a venueserver and run it within limited port ranges so that it is 
easier to manage firewalls. In general I think this is a good idea.

On our firewalls, we typically open up to specific machines and/or to 
specific ports on those machines. I think that our firewalls are open to 
connect to the NCSA bridge machine and venueserver on an IP number basis 
(all ports or at least a very large range of ports). This is the same 
for Argonne, the AGSC, and others... If we could limit the ports to a 
small fixed set of ports so we could clamp down on the firewall that 
would be much better from a security standpoint.

I think the only issue is how often there would be changes in the IP 
number and ports used. Whenever this happens, anyone that has firewall 
settings that enable AG will need to make changes, which is a 
significant impact on the community. Thus you probably want to use a 
port range that is large enough to include room for growth and change 
but not too large to be a huge hole. Our servers currently use a port 
range that spans 200 ports... The important thing is to minimize the 
number of changes so that firewalls only need to be changed very rarely.

In terms of use of firewalls, we have some sites that do nothing and 
some that only open up the IP number and ports for a given bridge server 
and a given AG venue. They know they only use that room, and therefore 
they only open up those four ports to a specific bridge machine. Thus 
static ports on a per venue basis isn't a bad thing either...

Cheers,

Brian

Michael Miller wrote:
> We are considering consolidating the ports used on the NCSA AG Venue 
> Servers into a consecutive range of ports.  We wanted to find out how 
> the AG community is currently dealing with firewalls and the ports used 
> for AG and what can be done to make a change like this go smoothly.  We 
> are wondering how ports and multicast IPs were selected in the past as 
> well as who might be considering setting up venue servers in the near 
> future.
> 
> We welcome your comments.
> 
> Michael Miller
> NCSA
> 