Dear *,
We want to have puppet manage iptables (not a bad idea) but someone has an
idea that every node (in both LCG & non-LCG group of servers) can have the
same set of firewall rules (ACCEPTs for various services, & DROPs from
known malicious IP ranges on security-sensitive servers).
IMHO this is misguided. Security best practice seems to include servers
should only run the services they need & (especially) should have firewall
ACCEPTs & openings only as needed. (One of the subnets for this group of
servers is not institutionally firewalled above 1024, which does make it
easy for LCG servers needing to ACCEPT on ports > 1024 for LCG services -
no need to place a special request for institutional firewall openings.
My concern is servers ACCEPTing on ports they have no need to.)
It used to be there was a handy summary list of ports that had to be
opened for each LCG service, but all that can be found is this quite old
(I think) one:
https://twiki.cern.ch/twiki/bin/view/LCG/LCGPortTable
We have an ARC-CE & a StoRM SE, neither listed there.
Is there an updated LCG Port Table? It's v**2 handy having one page
summarizing all the ports, so thanks**2 to those who compile it.
Winnie Lacesso / 55% HPC Storage Admin, 20% Particle Physics, 25% SysOps
HH Wills Physics Laboratory, Tyndall Avenue, Bristol, BS8 1TL, UK
University of Bristol
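Added example, not part of the original message and not code from any LCG, ARC, StoRM or Puppet project: a small audit script that takes an iptables-save dump and a node's roles, and reports ACCEPT rules for ports the roles do not need (the concern raised above) as well as required ports that are not opened. The role-to-port mapping, the iptables-save excerpt and the role names are constructed placeholders; the real numbers would come from the service documentation or a current port table.

```python
"""Audit iptables INPUT ACCEPT rules against the ports a node's roles need.

Constructed example: ROLE_PORTS and SAMPLE_RULES are placeholders, not an
authoritative port table or a real node's ruleset.
"""
import re
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# Placeholder role -> required listening ports. Replace with the service's
# documented ports (or the current port table) before using this for real.
ROLE_PORTS: Dict[str, Set[Port]] = {
    "common": {("tcp", 22)},                       # ssh on every node
    "arc-ce": {("tcp", 443), ("tcp", 2811)},       # hypothetical CE ports
    "storm-se": {("tcp", 8443), ("tcp", 8444)},    # hypothetical SE ports
}

# Match INPUT rules that ACCEPT a tcp/udp destination port. Lookaheads let
# the option order vary, and "--dports a,b" (multiport) is handled too.
ACCEPT_RE = re.compile(
    r"^-A INPUT\b"
    r"(?=.*\s-p\s+(?P<proto>tcp|udp)\b)"
    r"(?=.*--dports?\s+(?P<ports>[\d,]+))"
    r"(?=.*\s-j\s+ACCEPT\b)"
)


def parse_accept_ports(rules: str) -> Set[Port]:
    """Return the (proto, port) pairs explicitly ACCEPTed on INPUT."""
    opened: Set[Port] = set()
    for line in rules.splitlines():
        m = ACCEPT_RE.match(line.strip())
        if not m:
            continue
        proto = m.group("proto")
        for p in m.group("ports").split(","):
            opened.add((proto, int(p)))
    return opened


def required_ports(roles: List[str]) -> Set[Port]:
    """Union of the ports needed by every role assigned to the node."""
    need: Set[Port] = set()
    for role in roles:
        need |= ROLE_PORTS[role]
    return need


def audit(rules: str, roles: List[str]) -> Tuple[List[Port], List[Port]]:
    """Return (ports opened but not needed, ports needed but not opened)."""
    opened = parse_accept_ports(rules)
    need = required_ports(roles)
    return sorted(opened - need), sorted(need - opened)


# Constructed iptables-save excerpt for a node that should only be an ARC-CE.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 443,2811 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8444 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j DROP
COMMIT
"""

if __name__ == "__main__":
    extra, missing = audit(SAMPLE_RULES, ["common", "arc-ce"])
    for proto, port in extra:
        print(f"unneeded ACCEPT: {proto}/{port}")
    for proto, port in missing:
        print(f"required but not opened: {proto}/{port}")
```

Feeding it `iptables-save` output from each puppet-managed node, with the node's roles taken from the same data that drives the manifest, gives a per-node list of openings that a shared "one ruleset for everything" policy would otherwise hide.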