Hi,
I hope it helps:
http://lcgdeploy.cvs.cern.ch/cgi-bin/lcgdeploy.cgi/lcg2/docs/lcg-port-table.pdf
Regards,
Cristina
Dan Schrager wrote:
> Hi Sergio,
>
> Is there a complete and ACTUAL list of PUBLIC lcg services
> (server:port) available?
> Here we do filter all network connections with a centralized firewall
> so such information would help me stop guessing about them.
>
> Regards,
> Dan
>
> Sergio Fantinel wrote:
>
>> Kostas,
>> thanks for pointing out the potential vulnerability, but your suggestion
>> to turn off the fmon collector is a little bit drastic!
>> I suggest instead a less invasive solution to isolate the connection
>> only from inside a site with iptables.
>> One can close access as below, where 193.206.185.0/255.255.255.0 needs
>> to be substituted by your network and netmask.
>>
>> iptables -A INPUT -p tcp -s 193.206.185.0/255.255.255.0 --dport 12409 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 12409 -j REJECT
>> iptables -A INPUT -p udp -s 193.206.185.0/255.255.255.0 --dport 12409 -j ACCEPT
>> iptables -A INPUT -p udp --dport 12409 -j REJECT
>>
>> The same thing applies if you want to block access to the query SOAP port 12411.
>>
>> I think it is possible to fine tune the rules so only services (CE,
>> SE, RB, BDII) inside a site can connect!
>>
>> Regards,
>> Sergio
>>
>> Kostas Georgiou wrote:
>>
>>> On Tue, Jun 07, 2005 at 12:36:02PM +0200, Sergio Fantinel wrote:
>>>
>>>
>>>> Kostas Georgiou wrote:
>>>>
>>>>
>>>>> Is there any reason why it needs to run as root though? Is there any
>>>>> client authentication or does it allow everyone in the world to write
>>>>> to it?
>>>>
>>>> It is better to route these questions to German. About the auth, I
>>>> think LeMON (ex. fmon) trusts the LAN and leaves it to the site
>>>> administration to block access by firewalls and/or iptables host
>>>> config. But German, I think, can correct/add more info on this.
>>>
>>> Thanks for the reply. We'll disable it here at Imperial (and I advise
>>> every other admin to do the same) until the software is fixed and
>>> proper authentication (hint SSL or GSI) is added. Since it's only
>>> collecting information it doesn't have to run as root either.
>>>
>>> Cheers,
>>> Kostas
>>>
>>> PS> SSL is now around a decade old, there is no excuse for software not
>>> to have authentication in 2005.
>>>
>>
>
--
---
Cristina Aiftimiei - EGEE Project
Ist. Naz. di Fisica Nucleare - Padova
Address: via F. Marzolo, 8 - 35131 Padova - ITALY
Phone: +39.049.8277005
Mobile: +39.3460230488
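
The ACCEPT-then-REJECT pattern from Sergio's message, generalised to several allowed sources and to both ports named in the thread (12409 and 12411). This is an added example, not part of the thread and not LCG or LeMON code; the function names and the sample addresses are assumptions for illustration.

```sh
#!/bin/sh
# Added example: emit the thread's ACCEPT-then-REJECT iptables rules for a
# list of allowed sources, for both fmon ports mentioned (12409 and 12411).
# Function names and sample addresses are assumptions, not project code.

FMON_PORTS="12409 12411"   # collector port and SOAP query port from the thread

# Succeeds only for a dotted-quad address with an optional /prefix or /netmask,
# so nothing else can end up in a generated command line.
valid_source() {
    case "$1" in
        *[!0-9./]*) return 1 ;;   # rejects spaces, newlines, shell metacharacters
    esac
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]{1,2}|([0-9]{1,3}\.){3}[0-9]{1,3}))?$'
}

# fmon_rules SOURCE...
# Prints one iptables command per line. For each port and protocol, every
# allowed source gets an ACCEPT, followed by one REJECT for everyone else.
fmon_rules() {
    if [ "$#" -eq 0 ]; then
        echo "fmon_rules: no allowed sources given" >&2
        return 1
    fi
    # Validate everything first so a bad argument never yields partial output.
    for src in "$@"; do
        if ! valid_source "$src"; then
            echo "fmon_rules: bad source: $src" >&2
            return 1
        fi
    done
    for port in $FMON_PORTS; do
        for proto in tcp udp; do
            for src in "$@"; do
                echo "iptables -A INPUT -p $proto -s $src --dport $port -j ACCEPT"
            done
            echo "iptables -A INPUT -p $proto --dport $port -j REJECT"
        done
    done
}

# Constructed sample: a site LAN plus one monitoring host outside it
# (RFC 5737 documentation addresses, not real hosts).
fmon_rules 192.0.2.0/255.255.255.0 198.51.100.7
```

Because the rules are appended with `-A`, they only take effect if no earlier INPUT rule already accepts the traffic. Review the printed commands before running them as root.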