[AG-TECH] Clarification of firewall requirements for AG

Jason Bell j.bell at cqu.edu.au
Sun Nov 23 20:05:41 CST 2008


G'day Rick, Ben and all

In regards to the http://www.accessgrid.org/node/898 document, I
produced this to assist with setting up a firewall on a Linux system,
but the same ports can be used on any type of firewall.

I would also suggest that a number of these ports are quite important,
such as the VenueVNC Port (this is required if you want to run a VenueVNC
Server). Another one that might be useful is for running a multicast
beacon.

Anyway, that document includes all of the ports I use on a system myself
personally.

I am just about to undertake an update of this document (and remove
anything to do with AG2) for the new Fedora 10 install guide and will
investigate the various ports stated below.

Additionally, my colleagues at ARCS (Australian Research Collaboration
Service), with previous work from Tom, are working on a networking
document as we speak. It is hoped to have this document up on the AG
website by the end of the week. Hopefully this will also be of use.

Best regards,

Jason.

From: Ben Green [mailto:ben.green at manchester.ac.uk]
Sent: Thursday, 20 November 2008 07:54 PM
To: R. P. C. Rodgers; ag-tech
Subject: RE: [AG-TECH] Clarification of firewall requirements for AG

Hi Rick,

To get AG toolkit working on a unicast network, you only need to have
the following ports configured:

8000         TCP  Virtual Venue Server Port
8002         TCP  Event Port
5223         TCP  Text Port
8006         TCP  Data Port
47000        UDP  Internal Rat - Internal Port
50000-50020  TCP  Data Transfer Port
10000-10999  UDP
1992         TCP  Bridge Listening Port
8030         TCP  Bridge Registry Peer

The above info comes from our firewall web page:

http://www.ja.net/services/video/agsc/technical-information/porttable.html

If you're installing Toolkit on Windows XP, you may find the following
document useful:

http://www.ja.net/documents/services/video/installingagtkonwindows_000.pdf

I think a lot of the ports you've mentioned below are specific to other
applications that are not necessary, i.e. VNC, FTP, SSH etc.

And the info is quite old, so it may actually refer to AG Toolkit v2.x -
you should be using the v3.1 stable release.

Cheers, Ben.

-----------------------------------------
Ben Green

Access Grid Support Centre
Research Computing Services
University of Manchester
Room 73A, Devonshire House, Precinct Centre,
Oxford Road, Manchester, M13 9PL
tel: +44 (0)161 306 6621
fax: +44 (0)161 275 6120
email - ben.green at manchester.ac.uk
web - www.agsc.ja.net
-----------------------------------

________________________________

From: owner-ag-tech at mcs.anl.gov [mailto:owner-ag-tech at mcs.anl.gov] On Behalf Of R. P. C. Rodgers
Sent: 20 November 2008 02:41
To: ag-tech
Subject: [AG-TECH] Clarification of firewall requirements for AG

Dear AG Colleagues,

I am trying to configure a small SonicWall network security appliance to
allow Access Grid to work well. I am using a cable broadband provider
that does not support multicast, so will be using bridges. Before
proceeding I wanted to seek wider advice. Several years ago I extracted
a list of ports/services from the excellent document put together at
Manchester in 2005 by Javier Gomez Alonso
(http://www.accessgrid.org/agdp/guide/ports.html). To boil it down to
its essence, it looks something like this:

   port 8000/TCP for venue server
   port 8002/TCP event
   port 8004/TCP text
   port 8006/TCP data
   port 5222/TCP Jabber server
   port 7777/TCP NCSA Jabber server
   port 4561/TCP for distributed powerpoint server
   port 5001/TCP for distributed powerpoint server
     [subtotal: 9]
   ports 5800-5999 for VNC server
     [subtotal: 200]
   ports 49152-65535 for unicast bridge
     [subtotal: 16384]
     [grand total: 16593]

of which I was assuming one could ignore all but 5800-5999 and
49152-65535, because in other cases the connection is established by the
client coming into the server (though I'm not at all certain of this in
the case of shared powerpoint, or for all of the 800x ports). But it's
not clear if one really needs ALL of these ports. To further confuse
things, there is a document at http://www.accessgrid.org/node/898
which states that the following firewall rules are required:

* Accept all traffic from localhost (required for things like rat, etc.)
* Accept all multicast traffic (224.0.0.0/4)
* Accept all port 21 traffic (FTP)
* Accept all port 22 traffic (SSH)
* Accept all port 80 traffic (HTTP)
* Accept all port 443 traffic (TLS/SSL)
* Accept all port 631 traffic (IPP)
* Accept all port 5353 traffic (Multicast DNS)
* Accept icmp traffic (ping)
* Accept traffic from ports 5900-5920 (required for VenueVNC)
* Accept traffic from ports 8000, 8002 and 8004 (required for Multicast Beacon)
* Accept traffic from ports 10000, 10002 and 10004 (required for VenueServer)
* Accept traffic from ports 11000, 11100 (required for NodeService Manager)
* Accept traffic from ports 20000-20020 (required for BridgeServer)

which is quite at variance with my list, even discounting the fact that
many of the above rules seem concerned not with AG but with standard
services that might be of interest at that site. This may reflect
misunderstandings on the part of me, the second source, or both.
Anyone have suggestions as to how best to proceed?

Thanks in advance for any helpful guidance.
Thanks and Best Regards, Rick Rodgers
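As an added example (not code from this thread, from the Access Grid project or from the JANET port table), here is a small Python script that turns Ben's unicast port list into structured firewall rules. It parses the "PORT[-PORT] PROTO DESCRIPTION" layout of his table, reports which of Rick's candidate ports fall outside that minimal list, and emits an iptables INPUT rule set with a default-drop policy, loopback accepted and established connections allowed, which is the defender's answer to "do I really need ALL of these ports". The table format, the PortRule structure, the helper names and the iptables layout are my assumptions; the embedded port table is a constructed copy of Ben's list.

```python
"""Parse an Access Grid port table and emit a minimal iptables rule set.

Added example. The line format "PORT[-PORT] PROTO DESCRIPTION", the
PortRule type and the rule layout below are assumptions of this script.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed copy of the unicast port list from Ben Green's reply.
PORT_TABLE = """\
8000 TCP Virtual Venue Server Port
8002 TCP Event Port
5223 TCP Text Port
8006 TCP Data Port
47000 UDP Internal Rat -Internal Port
50000-50020 TCP Data Transfer Port
10000-10999 UDP
1992 TCP Bridge Listening Port
8030 TCP Bridge Registry Peer
"""

# Assumed line format: start port, optional "-end" port, protocol, free text.
_LINE = re.compile(r"^\s*(\d+)(?:-(\d+))?\s+(TCP|UDP)\s*(.*?)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class PortRule:
    proto: str  # "tcp" or "udp"
    low: int    # first port of the range
    high: int   # last port of the range (== low for a single port)
    desc: str   # description from the table, or a placeholder


def parse_port_table(text):
    """Parse table lines into PortRule objects; reject anything unrecognised."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised port table line: {line!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 0 < low <= high <= 65535:
            raise ValueError(f"port range out of bounds: {line!r}")
        desc = m.group(4) or "(no description)"
        rules.append(PortRule(m.group(3).lower(), low, high, desc))
    return rules


def count_ports(rules):
    """Total number of individual ports the rule set opens."""
    return sum(r.high - r.low + 1 for r in rules)


def is_allowed(rules, proto, port):
    """True if the (proto, port) pair is covered by some rule."""
    return any(r.proto == proto.lower() and r.low <= port <= r.high for r in rules)


def not_in_table(rules, candidates):
    """Return the (proto, port) candidates that the table does not cover."""
    return [(p, n) for p, n in candidates if not is_allowed(rules, p, n)]


def iptables_script(rules):
    """Render a default-drop INPUT chain that opens only the table's ports."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        dport = str(r.low) if r.low == r.high else f"{r.low}:{r.high}"
        lines.append(
            f"iptables -A INPUT -p {r.proto} --dport {dport} "
            f"-m comment --comment {shlex.quote(r.desc)} -j ACCEPT"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    table = parse_port_table(PORT_TABLE)
    # Ports from Rick's list that Ben's minimal table does not open.
    print("not needed per Ben's table:",
          not_in_table(table, [("tcp", 8004), ("tcp", 5222), ("tcp", 5900)]))
    print(iptables_script(table))
```

Running the script prints the generated rules; review them before loading, since the script only renders text and never calls iptables itself. Note that `not_in_table` flags 8004/TCP from Rick's list: Ben's table lists 5223/TCP as the text port instead, which is one of the discrepancies the thread is about.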
