[AG-TECH] Clarification of firewall requirements for AG

R. P. C. Rodgers rodgers at arborvitae.com
Wed Nov 19 20:40:42 CST 2008


Dear AG Colleagues,

I am trying to configure a small SonicWall network security appliance to allow Access Grid to work well.  I am using a cable broadband provider that does not support multicast, so will be using bridges.  Before proceeding I wanted to seek wider advice.  Several years ago I extracted a list of ports/services from the excellent document put together at Manchester in 2005 by Javier Gomez Alonso (http://www.accessgrid.org/agdp/guide/ports.html).  To boil it down to its essence, it looks something like this:

   port 8000/TCP for venue server
   port 8002/TCP event
   port 8004/TCP text
   port 8006/TCP data
   port 5222/TCP Jabber server
   port 7777/TCP NCSA Jabber server
   port 4561/TCP for distributed powerpoint server
   port 5001/TCP for distributed powerpoint server
     [subtotal: 9]
   ports 5800-5999 for VNC server
     [subtotal: 200]
   ports 49152-65535  for unicast bridge
     [subtotal: 16384]
     [grand total: 16593]

of which I was assuming one could ignore all but 5800-5999 and 49152-65535 because in other cases the connection is established by the client coming into the server (though I'm not at all certain of this in the case of shared powerpoint, or for all of the 800x ports).  But it's not clear if one really needs ALL of these ports.  To further confuse things, there is a document at: http://www.accessgrid.org/node/898
which states that the following firewall rules are required:

    * Accept all traffic from localhost (Required for things like rat, etc)
    * Accept all multicast traffic (224.0.0.0/4)
    * Accept all port 21 traffic (FTP)
    * Accept all port 22 traffic (SSH)
    * Accept all port 80 traffic (HTTP)
    * Accept all port 443 traffic (TLS/SSL)
    * Accept all port 631 traffic (IPP)
    * Accept all port 5353 traffic (Multicast DNS)
    * Accept icmp traffic (ping)
    * Accept traffic from ports 5900-5920 (Required for VenueVNC)
    * Accept traffic from ports 8000, 8002 and 8004 (Required for
      Multicast Beacon)
    * Accept traffic from ports 10000, 10002 and 10004 (Required for
      VenueServer)
    * Accept traffic from ports 11000, 11100 (Required for NodeService
      Manager)
    * Accept traffic from ports 20000-20020 (Required for BridgeServer)

which is quite at variance with my list, even discounting the fact that many of the above rules seem concerned not with AG but with standard services that might be of interest at that site.  This may reflect misunderstandings on the part of me, the second source, or both.
Anyone have suggestions as to how best to proceed?

Thanks in advance for any helpful guidance.

Thanks and Best Regards, Rick Rodgers
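An added example, not part of the posting above: the first port list from the message encoded as data, with a count of how many ports an allow-list would actually open and an nftables rule generator for only the entries on which the local host listens. The inbound flags follow the poster's own guess (only VNC and the bridge range), and the protocols for the two ranges are assumptions, since the post does not state them.

```python
"""Turn the Access Grid port list from the posting into a single inbound
allow-list, count how many ports it exposes, and emit nftables rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    proto: str     # "tcp" or "udp"
    first: int     # first port of the range
    last: int      # last port, inclusive
    inbound: bool  # True if this host listens; False if it only connects out


# Ports from the first list in the posting. The inbound flags encode the
# poster's guess (only VNC and the bridge range need inbound rules on a
# client site); protocols for the two ranges are assumptions, not from the post.
AG_SERVICES = [
    Service("venue server", "tcp", 8000, 8000, False),
    Service("event", "tcp", 8002, 8002, False),
    Service("text", "tcp", 8004, 8004, False),
    Service("data", "tcp", 8006, 8006, False),
    Service("jabber server", "tcp", 5222, 5222, False),
    Service("ncsa jabber server", "tcp", 7777, 7777, False),
    Service("distributed powerpoint", "tcp", 4561, 4561, False),
    Service("distributed powerpoint", "tcp", 5001, 5001, False),
    Service("vnc server", "tcp", 5800, 5999, True),
    Service("unicast bridge", "udp", 49152, 65535, True),
]


def port_count(services, inbound_only=False):
    """Number of distinct (proto, port) pairs the list would open."""
    opened = {(s.proto, p) for s in services if s.inbound or not inbound_only
              for p in range(s.first, s.last + 1)}
    return len(opened)


def is_allowed(services, proto, port):
    """True if an inbound packet to proto/port is covered by an inbound entry."""
    return any(s.inbound and s.proto == proto and s.first <= port <= s.last
               for s in services)


def nft_rules(services, iface="eth0"):
    """nftables 'add rule' lines for the inbound entries only (table 'inet ag')."""
    rules = []
    for s in services:
        if not s.inbound:
            continue  # client-initiated: handled by a stateful established/related rule
        ports = str(s.first) if s.first == s.last else f"{s.first}-{s.last}"
        rules.append(f'add rule inet ag input iifname "{iface}" {s.proto} dport {ports} '
                     f'ct state new accept comment "{s.name}"')
    return rules
```

Running `port_count` on the full list shows how much of the 16384-port bridge range dominates the exposure; narrowing that range on the bridge side is where most of the reduction comes from.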
