[Swift-user] using swift in an IP-impoverished environment

Mihael Hategan hategan at mcs.anl.gov
Fri Feb 20 13:36:09 CST 2009 

----- Andriy Fedorov <fedorov at cs.wm.edu> wrote:
> > On Fri, 2009-02-20 at 15:59 +0000, Ben Clifford wrote:
> >> > 2. Run behind NAT/Firewall. I found a document describing client-side
> >> > reqs for this kind of situation here
> >> > (http://dev.globus.org/wiki/FirewallHowTo section called "Network
> >> > Address Translation (NAT)").
> >> > Does anyone have experience in running swift in this mode?
> >>
> >> I've never run it from behind a NAT.
> >>
> >
> > I do that fairly often.
> >
> > It involves forwarding a range of ports (a hundred of them or more) to
> > your "submit" machine, setting GLOBUS_TCP_PORT_RANGE to that range and
> > making sure that GLOBUS_HOSTNAME has your external IP address.
> >
> 
> Mihael,
> 
> I am not familiar at all with NAT, but I have a similar configuration
> of the network, with all organization hosts behind the firewall, and
> with no control over firewall configuration.

That may be a problem.

There are two scenarios I have successfully used:
1. i2u2.org lives behind the Argonne firewall. We have ports 50000 to 
50100 (I think) open for the server that runs swift. This involves no
NAT
2. At home, I have a router with firewall and NAT. I routinely run swift
from my laptop, which has a private IP address. I convince the router
to forward all requests on ports 50000 to 50100 to my internal laptop
IP, and I set the globus callback IP to the external (modem) IP. I have
been employing this scheme for years (before Swift with cog and globus).
However, you need the ability to at least ask for a range of ports to 
be forwarded to your Swift machine automatically.

> I thought it is not
> possible to run swift client with full functionality supported in such
> an environment. In my organization, in order to log to a host from
> outside, I need to first ge authenticated with the gatekeeper host,
> which will next allow me to log on an intranet host.
> 
> It seems to me unlikely that it is possible to configure a host behind
> a firewall in such a way that allows direct connection to that host
> avoiding the firewall. Seems like a security breach... 

It is a security breach as much as explicitly allowing swift to function
is a security breach.

> Unless NAT has
> to be configured on the firewall host, which is not an option for me.
> 
> If I was wrong, could you give some more details on how something like
> this can be configured with NAT or anything else?

There is also SSH tunneling. You could create an SSH tunnel to an outside
machine with its own IP and no firewall (on a range of ports) and forward
that range of ports to your swift machine. Conceptually, it's the same
scheme, except instead of control over the firewall and port forwarding, 
you need (limited) control of an outside machine. But then you could run
swift on the external machine to begin with.

As for this potentially being labeled a "security breach", I can probably
say that changing the odds of a security breach occurring (and they are never
zero) is not the same as a security breach occurring.

More information about the Swift-user mailing list