Hi Lydia,

Yes I remember seeing the mail from Brian, although I wasn't 100% sure
what the context was. Thanks for forwarding to the list.

GridFTP (like normal FTP) opens both control and data channels: if you
imagine up to three participants: client, source, and destination (where
the client is the same as either source or destination if you do a copy
to/from your local disk, and client is different from both for 3rd party
copying.)

Using SRM (as we will on the RAL end) both complicates and simplifies
the picture a bit but let's focus on the basic GridFTP. The client opens
a _control_ connection to both source and destination (both on port
2811) and asks them to move data between each other; depending on
whether you use active or passive mode, one end opens a data channel to
the other, again just like normal FTP, using ephemeral ports. The port
range Brian is talking about is for the ports for the data channel, the
range from which the ephemeral ports are picked. The port range may be
different at the different ends, but the Globus default is 50000-51000.
There may be multiple data channels even for one transfer, if we are
using parallel streams, so there has to be a good number of them
available, particularly if things go slightly wonky and you have some
hanging in CLOSE_WAIT or something.

The bottom line is that your firewall needs to allow incoming or
outgoing connections to/from the RAL IP addresses to the Globus port
range you have configured in your gridftp.conf file (or to the default
if as in your example they are not set). Whether they are in or out
depends on whether we are using active or passive mode (I don't know
which one it will use by default) and of course which way we transfer -
RAL to Durham or Durham to RAL. So ideally they should be open both
ways, but you can restrict to the IP range that Brian mentioned.

If you send me your hostname endpoint, I can poke it a bit (gently) from
my end.

Cheers
--jens

On 15/06/2015 11:48, Lydia Heck wrote:
>
> Hi Jens,
>
> when I sent the previous email, I had not realised that I had copied
> you in, Jens. Here is the email again ....
>
> Lydia
>
>
>
> ---------- Forwarded message ----------
> Date: Fri, 12 Jun 2015 15:40:11 +0100 (BST)
> From: Lydia Heck <[log in to unmask]>
> To: [log in to unmask]
> Cc: [log in to unmask], [log in to unmask],
> [log in to unmask],
> [log in to unmask]
> Subject: RE: RAL subnet and possible port ranges.
>
>
> content of the gridftp.conf file:
>
>
> # globus-gridftp-server configuration file
>
> # this is a comment
>
> # option names beginning with '$' will be set as environment variables, e.g.
> # $GLOBUS_ERROR_VERBOSE 1
> # $GLOBUS_TCP_PORT_RANGE 50000,51000
>
> # port
> port 2811
>
>
>
>
>
>
> On Fri, 12 Jun 2015, [log in to unmask] wrote:
>
>> Could you send us the gridftp.conf file?
>>
>> -----Original Message-----
>> From: Lydia Heck [mailto:[log in to unmask]]
>> Sent: 12 June 2015 13:41
>> To: Davies, Brian (STFC,RAL,SC)
>> Cc: [log in to unmask]; Jensen, Jens (STFC,RAL,SC); Viljoen,
>> Matthew (STFC,RAL,SC)
>> Subject: RE: RAL subnet and possible port ranges.
>>
>>
>> Hi Brian,
>>
>> I have opened those. Gridftp = 2811 ...
>>
>> I have looked at the FirewallHowTo, but I cannot interpret these
>> acronyms and relate them to the service, beyond gridftp ....
>>
>> Lydia
>>
>>
>> On Fri, 12 Jun 2015, [log in to unmask] wrote:
>>
>>> At least 2811 and the gridftp port range
>>>
>>>
>>> https://dev.globus.org/wiki/FirewallHowTo
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Lydia Heck [mailto:[log in to unmask]]
>>> Sent: 12 June 2015 12:28
>>> To: Davies, Brian (STFC,RAL,SC)
>>> Cc: [log in to unmask]; Jensen, Jens (STFC,RAL,SC); Viljoen,
>>> Matthew (STFC,RAL,SC)
>>> Subject: Re: RAL subnet and possible port ranges.
>>>
>>>
>>> which ports?
>>>
>>> Lydia
>>>
>>>
>>> On Fri, 12 Jun 2015, [log in to unmask] wrote:
>>>
>>>>
>>>> IP subnets used by RAL are:
>>>>
>>>> 130.246.176.0/22
>>>>
>>>> 130.246.180.0/22
>>>>
>>>> I am CC'ing Jens and Matt Viljoen at the T1 who might also be able
>>>> to help regarding which ports need to be open.
>>>>
>>>>
>>>>
>>>> Brian
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
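The firewall requirement described in the reply at the top of this thread, worked through as an added example (not code from any of the participants): it reads a gridftp.conf like the one quoted, falls back to the 50000-51000 range named in the thread when `$GLOBUS_TCP_PORT_RANGE` is commented out, and prints iptables rules restricted to the two RAL subnets. The function names, the optional remote-range argument and the choice of iptables are assumptions.

```sh
#!/bin/sh
# Added example. Rules are printed for review, not applied.
RAL_SUBNETS="130.246.176.0/22 130.246.180.0/22"   # subnets quoted in the thread

# Print the value of an active (uncommented) option; empty if it is not set.
conf_value() {  # $1 = option name, $2 = config file
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# Validate a Globus-style "LO,HI" range and print it as iptables "LO:HI".
to_iptables_range() {
    lo=${1%,*}; hi=${1#*,}
    case "$lo,$hi" in *[!0-9,]*|,*|*,|*,*,*) return 1 ;; esac
    [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ] || return 1
    echo "$lo:$hi"
}

# $1 = gridftp.conf; $2 = remote end's data range (assumed default if omitted)
gridftp_fw_rules() {
    ctrl=$(conf_value 'port' "$1"); : "${ctrl:=2811}"
    case "$ctrl" in *[!0-9]*) echo "bad control port" >&2; return 1 ;; esac
    local_range=$(conf_value '$GLOBUS_TCP_PORT_RANGE' "$1")
    # Unset in the config: fall back to the default range named in the thread.
    in_ports=$(to_iptables_range "${local_range:-50000,51000}") ||
        { echo "bad local port range" >&2; return 1; }
    out_ports=$(to_iptables_range "${2:-50000,51000}") ||
        { echo "bad remote port range" >&2; return 1; }
    for net in $RAL_SUBNETS; do
        # Control channel from the remote client to this server.
        echo "iptables -A INPUT -p tcp -s $net --dport $ctrl -j ACCEPT"
        # Data channels opened by the remote end into the local range.
        echo "iptables -A INPUT -p tcp -s $net --dport $in_ports -j ACCEPT"
        # Data channels opened from this end into the remote range.
        echo "iptables -A OUTPUT -p tcp -d $net --dport $out_ports -j ACCEPT"
    done
}

# Constructed sample mirroring the quoted file: port range commented out.
sample=$(mktemp)
printf '%s\n' '# $GLOBUS_TCP_PORT_RANGE 50000,51000' 'port 2811' > "$sample"
gridftp_fw_rules "$sample"
rm -f "$sample"
```

Because the port range may differ at the two ends, pass the remote site's range as the second argument once it is known, so the outbound rule is not left wider or narrower than needed.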