On Tue, 2 May 2006 14:28:18 +0100
Steve Traylen <[log in to unmask]> wrote:
> On Tue, May 02, 2006 at 02:10:41PM +0100 or thereabouts, Mark Nelson
> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Steve Traylen wrote:
> > >> There are two things which require inbound access:
> > >
> > >> 1) globus-job-run, globus-job-submit require a valid
> > >> GLOBUS_TCP_PORT_RANGE of your choice.
> > >
> > >> 2) If you do an interactive submission via edg-job-submit you
> > >> require a port range.
> > >
> > >> The 1st one of these is only needed for debugging really and
> > >> should never be used in anger. I don't know if the 2nd actually
> > >> works anyway?
> > >
> > >
> > >> So in reality for everyday use a UI does not require any
> > >> inbound ports.
> > >
> > What about outbound? The default rule for the subnet I want to
> > install the UI on is outbound default deny.
>
> Forget it.
>
> If you want your UI to be a gridftp client then you would need
> to match the gridftp port range of everyone else in the world.
>
> As John Gordon mentioned on this list the other day there is some
> talk of trying to collect this information but it will be hard enough
> just for the LHC sites but beyond that...
>
> Steve
I just spoke to Steve for clarification.
Use case
~~~~~~~
What firewall setup do I need to deny outbound access to the Internet
if I wish to support a GSIFTP client running on a host that does not have
outbound TCP/IP activity to the Internet by default?
Answer
~~~~~~
With most protocols like HTTP you would need to open all ports running
HTTP servers in the Grid, which is quite bad if they are not the same.
With FTP the position is much worse (BBFTP and GSIFTP also), as these
FTP-based protocols require a minimum of 2 ports but typically use 5000
(GSIFTP) for FTP performance reasons, and these are defined per site.
HTTP can match GSIFTP performance but with 1 port.
From site-info.def
#DCACHE_PORT_RANGE="20000,25000"
#DPM_PORT_RANGE="20000,25000"
Summary
~~~~~~~
FTP transfers may fail if any port in the port range of any host you
connect to is blocked by your firewall. Our current usage of GSIFTP
breaks the use case of no outbound connectivity.
Regards
Owen Synge
> >
> > Mark.
> > >> Steve
> > >
> > > Mark.
> > >
> > > --
> > > -------------------------------------------------------------
> > > Mark Nelson - [log in to unmask]
> > >
> > > IPPP, Department of Physics, University of Durham,
> > > Science Laboratories, South Road, Durham, DH1 3LE
> > > Office: +44 (0)191 334 3811, Direct Dial: +44 (0)191 334 3653
> > >
> > > PGP Key: http://www.ippp.dur.ac.uk/~mn/pgp_key.txt
> > > This mail is for the addressee only
> >
> > - --
> > - -------------------------------------------------------------
> > Mark Nelson - [log in to unmask]
> >
> > IPPP, Department of Physics, University of Durham,
> > Science Laboratories, South Road, Durham, DH1 3LE
> > Office: +44 (0)191 334 3811, Direct Dial: +44 (0)191 334 3653
> >
> > PGP Key: http://www.ippp.dur.ac.uk/~mn/pgp_key.txt
> > This mail is for the addressee only
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (GNU/Linux)
> > Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org
> >
> > iD8DBQFEV1pRlzM++u0MgcERAtJXAJ9pXuf5+xzNGkVLsACS+0hcqMQUsACfWFv9
> > 70i8rIS6QTasHC5JgQoobT0=
> > =6jfk
> > -----END PGP SIGNATURE-----
>
> --
> Steve Traylen
> [log in to unmask]
> http://www.gridpp.ac.uk/
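An added example (not part of the thread, not GridPP or Globus code) that models the problem Owen describes: a default-deny outbound policy on the UI host, per-site data-channel port ranges in the "min,max" format site-info.def uses, and a check of which remote sites a GSIFTP transfer would still fail against. The host names, the second site's 50000-52000 range and the use of 2811 as the GridFTP control port are constructed/assumed values; the iptables lines are rendered as strings only and nothing is executed.

```python
"""
Model a default-deny outbound firewall and report which per-site GSIFTP
port ranges it still blocks. Port ranges follow the "min,max" format of
GLOBUS_TCP_PORT_RANGE / DCACHE_PORT_RANGE / DPM_PORT_RANGE.
"""
import re
from dataclasses import dataclass, field

# Matches lines such as:  #DCACHE_PORT_RANGE="20000,25000"
# A leading '#' is tolerated because site-info.def ships the lines commented out.
_RANGE_RE = re.compile(r'^#?\s*(\w+_PORT_RANGE)\s*=\s*"?(\d+)\s*,\s*(\d+)"?\s*$')

# GridFTP control-channel port (assumed default; data channels use the ranges)
GSIFTP_CONTROL_PORT = 2811


def parse_port_ranges(text):
    """Parse site-info.def style lines into {VARIABLE: (lo, hi)}."""
    ranges = {}
    for line in text.splitlines():
        m = _RANGE_RE.match(line.strip())
        if not m:
            continue
        lo, hi = int(m.group(2)), int(m.group(3))
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {line!r}")
        ranges[m.group(1)] = (lo, hi)
    return ranges


@dataclass
class EgressPolicy:
    """Default-deny outbound: only explicitly allowed (host, port) pairs pass."""
    allowed: dict = field(default_factory=dict)  # host -> [(lo, hi), ...]

    def allow(self, host, lo, hi):
        self.allowed.setdefault(host, []).append((lo, hi))

    def permits(self, host, port):
        return any(lo <= port <= hi for lo, hi in self.allowed.get(host, []))

    def iptables_rules(self, chain="OUTPUT"):
        """Render the policy as iptables commands (strings only, never run here)."""
        rules = [f"iptables -P {chain} DROP"]
        for host, ranges in sorted(self.allowed.items()):
            for lo, hi in ranges:
                spec = str(lo) if lo == hi else f"{lo}:{hi}"
                rules.append(f"iptables -A {chain} -p tcp -d {host} --dport {spec} -j ACCEPT")
        return rules


def gsiftp_gaps(policy, sites):
    """For each remote site {host: (lo, hi)}, list what the policy still blocks:
    the control port and/or the first..last denied port of the data range."""
    gaps = {}
    for host, (lo, hi) in sites.items():
        blocked = []
        if not policy.permits(host, GSIFTP_CONTROL_PORT):
            blocked.append(("control", GSIFTP_CONTROL_PORT, GSIFTP_CONTROL_PORT))
        denied = [p for p in range(lo, hi + 1) if not policy.permits(host, p)]
        if denied:
            blocked.append(("data", denied[0], denied[-1]))
        if blocked:
            gaps[host] = blocked
    return gaps


def demo():
    # Constructed site-info.def fragment in the same format as the thread's example
    site_info = '#DCACHE_PORT_RANGE="20000,25000"\n#DPM_PORT_RANGE="20000,25000"\n'
    local = parse_port_ranges(site_info)
    # Constructed remote sites; the second one uses a different data range
    sites = {"se1.example.org": (20000, 25000), "se2.example.net": (50000, 52000)}
    policy = EgressPolicy()
    # Admin opens the control port plus the *local* data range to every site,
    # which is exactly the mistake the thread warns about: ranges differ per site.
    for host in sites:
        policy.allow(host, GSIFTP_CONTROL_PORT, GSIFTP_CONTROL_PORT)
        policy.allow(host, *local["DCACHE_PORT_RANGE"])
    return gsiftp_gaps(policy, sites)


if __name__ == "__main__":
    for host, blocked in demo().items():
        print(host, "would fail:", blocked)
```

Running it shows se1.example.org passing and se2.example.net failing on its whole 50000-52000 data range, which is the point of the thread: with outbound default deny, every remote site's data-channel range has to be known and opened individually, and a single blocked port in that range is enough to break a transfer.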