[AG-TECH] Clarification of firewall requirements for AG

Ben Green ben.green at manchester.ac.uk
Thu Nov 20 03:54:26 CST 2008


Hi Rick,
 
To get AG toolkit working on a unicast network, you only need to have the following ports configured:
 
8000 TCP            Virtual Venue Server Port
8002 TCP            Event Port
5223 TCP            Text Port
8006 TCP            Data Port
47000 UDP Internal  Rat Internal Port
50000-50020 TCP     Data Transfer Port
10000-10999 UDP
1992 TCP            Bridge Listening Port
8030 TCP            Bridge Registry Peer
 
The above info comes from our firewall web page:
 
http://www.ja.net/services/video/agsc/technical-information/porttable.html
 
If you're installing Toolkit on Windows XP, you may find the following document useful:
 
http://www.ja.net/documents/services/video/installingagtkonwindows_000.pdf
 
I think a lot of the ports you've mentioned below are specific to other applications that are not necessary, i.e. VNC, FTP, SSH, etc.
 
And the info is quite old, so it may actually refer to AG Toolkit v2.x - you should be using the v3.1 stable release.
 
Cheers, Ben.
 
-----------------------------------------
Ben Green

Access Grid Support Centre
Research Computing Services
University of Manchester
Room 73A, Devonshire House, Precinct Centre,
Oxford Road, Manchester, M13 9PL
tel: +44 (0)161 306 6621
fax: +44 (0)161 275 6120
email - ben.green at manchester.ac.uk
web - www.agsc.ja.net
-----------------------------------



________________________________

From: owner-ag-tech at mcs.anl.gov [mailto:owner-ag-tech at mcs.anl.gov] On Behalf Of R. P. C. Rodgers
Sent: 20 November 2008 02:41
To: ag-tech
Subject: [AG-TECH] Clarification of firewall requirements for AG


Dear AG Colleagues,

I am trying to configure a small SonicWall network security appliance to allow Access Grid to
work well.  I am using a cable broadband provider that does not support multicast, so will be
using bridges.  Before proceeding I wanted to seek wider advice.  Several years ago I extracted a list
of ports/services from the excellent document put together at Manchester in 2005 by Javier Gomez
Alonso (http://www.accessgrid.org/agdp/guide/ports.html).  To boil it down to its essence, it looks
something like this:

   port 8000/TCP for venue server
   port 8002/TCP event
   port 8004/TCP text
   port 8006/TCP data
   port 5222/TCP Jabber server
   port 7777/TCP NCSA Jabber server
   port 4561/TCP for distributed powerpoint server
   port 5001/TCP for distributed powerpoint server
     [subtotal: 9]
   ports 5800-5999 for VNC server
     [subtotal: 200]
   ports 49152-65535  for unicast bridge
     [subtotal: 16384]
     [grand total: 16593]

of which I was assuming one could ignore all but 5800-5999 and 49152-65535 because
in other cases the connection is established by the client coming into the server (though I'm not at
all certain of this in the case of shared powerpoint, or for all of the 800x ports).  But it's not
clear if one really needs ALL of these ports.  To further confuse things, there is a document
at: http://www.accessgrid.org/node/898
which states that the following firewall rules are required:


*	Accept all traffic from localhost (Required for things like rat, etc) 
*	Accept all multicast traffic (224.0.0.0/4) 
*	Accept all port 21 traffic (FTP) 
*	Accept all port 22 traffic (SSH) 
*	Accept all port 80 traffic (HTTP) 
*	Accept all port 443 traffic (TLS/SSL) 
*	Accept all port 631 traffic (IPP) 
*	Accept all port 5353 traffic (Multicast DNS) 
*	Accept icmp traffic (ping) 
*	Accept traffic from ports 5900-5920 (Required for VenueVNC) 
*	Accept traffic from ports 8000, 8002 and 8004 (Required for Multicast Beacon) 
*	Accept traffic from ports 10000, 10002 and 10004 (Required for VenueServer) 
*	Accept traffic from ports 11000, 11100 (Required for NodeService Manager) 
*	Accept traffic from ports 20000-20020 (Required for BridgeServer) 

which is quite at variance with my list, even discounting the fact that many of the above
rules seem concerned not with AG but with standard services that might be of interest
at that site.  This may reflect misunderstandings on the part of me, the second source, or both.
Anyone have suggestions as to how best to proceed?

Thanks in advance for any helpful guidance.

Thanks and Best Regards, Rick Rodgers

