
perfsonar-user - RE: [perfsonar-user] Changing PerfSonar boxen IP addresses (different subnet)

Subject: perfSONAR User Q&A and Other Discussion

  • From: "Garnizov, Ivan (RRZE)" <>
  • To: "" <>, "" <>
  • Subject: RE: [perfsonar-user] Changing PerfSonar boxen IP addresses (different subnet)
  • Date: Tue, 4 Aug 2015 14:01:53 +0000
  • Accept-language: en-GB, de-DE, en-US

Hi Winnie,

 

In fact you are missing a lot of ports there:

 

Bandwidth:

BWCTL    TCP        4823    Incoming/Outgoing

         TCP/UDP    Edit /etc/bwctld/bwctld.conf, set peer_port to a range of values, open the TCP port for these values. It is recommended that 6001-6200 be used for this variable.

         TCP/UDP    (N.B. These instructions apply to v1.5.2 and greater of BWCTL). Edit /etc/bwctld/bwctld.conf and set 'test_port' to a specific range, and open the TCP/UDP ports for those ranges. It is recommended that 5001-5900 be used.

TCP 8090 (oppd)

 

Latency:

         TCP        861     Incoming/Outgoing

         UDP        Edit /etc/owampd/owampd.conf, set testports to a range of values, open the tcp port for these values. It is recommended that 8760-9960 be used for this variable. To configure OWAMP clients, edit the /opt/perfsonar_ps/regular_testing/etc/regular_testing.conf file to add the following stanza:

<default_parameters>
    type  powstream
    receive_port_range    8760-9960
</default_parameters>

TCP 8090 (oppd)

 

 

Access to MA:

Apache/esmond    TCP    80     Incoming
                        443

 

Traceroute:

Traceroute/Ping    UDP    33434-33634

 

In fact other ports should not be considered unimportant since DNS resolution, ICMP (ping) and time synchronization services are also vital.

So it all depends on your deployment and configuration.

Please note that initial setup of perfSONAR produces a FW configuration for you on iptables.

 

 

AND from your post:

The red ones you need as incoming only if you are providing the LS service.

 

LAT: 443 (https), 861 (owampd), 8090 (oppd), 8096 (lookup), 61617 (lookup)

BW:  443 (https), 4823 (bwctld), 8090 (oppd), 8096 (lookup), 61617 (lookup)

 

 

 

Best regards,

Ivan

 

-----Original Message-----
From: [mailto:] On Behalf Of Winnie Lacesso
Sent: Tuesday, 4 August 2015 14:57
To:
Subject: Re: [perfsonar-user] Changing PerfSonar boxen IP addresses (different subnet)

 

 

Ok, I realize now the problem. (why not before - hectic/chaotic**N)

 

On the former subnet, all ports > 1024 were un-firewalled by our Institute; we requested only a few ports < 1024 to be open for LAT + BW perfsonar boxen in site firewall.

 

On the new subnet, all ports are firewalled. D'oh! as they say.

I have tried to grok page

http://www.perfsonar.net/deploy/security-considerations/

which seems to be the only page listing ports for perfsonar.

 

So now, may one ask if these are the right ports on the right boxen to request to be opened in Institute Firewall:

 

LAT: 443 (https), 861 (owampd), 8090 (oppd), 8096 (lookup), 61617 (lookup)

BW:  443 (https), 4823 (bwctld), 8090 (oppd), 8096 (lookup), 61617 (lookup)

 

NOTHING ELSE

 

Confirmed? If not please correct. In partic, don't need 80 open, right?

 

VERY Grateful for your patient & kind advice!!

 

Winnie Lacesso / Bristol University Particle Physics Computing Systems HH Wills Physics Laboratory, Tyndall Avenue, Bristol, BS8 1TL, UK
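
Added example (not part of the original messages, and not perfSONAR code): a short Python audit that compares a firewall-opening request with the ports listed in the reply and reports what would stay closed. The role names, the data layout, the assignment of the MA and traceroute rows to both hosts, and the reading of the requested ports as TCP are assumptions.

```python
# Added example: audit a firewall-opening request against the ports in the reply.
# Data layout and role names ("BW", "LAT") are assumptions for this sketch.

# Rows shared by both hosts. The reply lists them without a host, so applying
# them to both is an assumption. Tuples are (proto, low, high, purpose).
COMMON = [("tcp", 8090, 8090, "oppd"), ("tcp", 80, 80, "Apache/esmond"),
          ("tcp", 443, 443, "Apache/esmond"),
          ("udp", 33434, 33634, "Traceroute/Ping")]
# A "TCP/UDP" row in the reply is expanded to one entry per protocol.
REQUIRED = {
    "BW": [("tcp", 4823, 4823, "BWCTL"),
           ("tcp", 6001, 6200, "bwctld peer_port"),
           ("udp", 6001, 6200, "bwctld peer_port"),
           ("tcp", 5001, 5900, "bwctld test_port"),
           ("udp", 5001, 5900, "bwctld test_port")] + COMMON,
    "LAT": [("tcp", 861, 861, "owampd"),
            ("udp", 8760, 9960, "owampd testports")] + COMMON,  # UDP row
}
# Constructed input: the ports from the original question, read as TCP.
REQUESTED = {
    "LAT": [("tcp", p, p) for p in (443, 861, 8090, 8096, 61617)],
    "BW": [("tcp", p, p) for p in (443, 4823, 8090, 8096, 61617)],
}

def uncovered(low, high, opened):
    """Return the sub-ranges of [low, high] that no opened (lo, hi) range covers."""
    missing, cursor = [], low
    for o_low, o_high in sorted(opened):
        if o_high < cursor or o_low > high:
            continue  # entirely below what is still unchecked, or above the range
        if o_low > cursor:
            missing.append((cursor, o_low - 1))
        cursor = o_high + 1
    if cursor <= high:
        missing.append((cursor, high))
    return missing

def audit(role, requested):
    """List (proto, low, high, purpose) gaps between the request and REQUIRED."""
    gaps = []
    for proto, low, high, purpose in REQUIRED[role]:
        opened = [(lo, hi) for p, lo, hi in requested if p == proto]
        gaps += [(proto, lo, hi, purpose) for lo, hi in uncovered(low, high, opened)]
    return gaps

if __name__ == "__main__":
    for role in ("LAT", "BW"):
        for proto, lo, hi, purpose in audit(role, REQUESTED[role]):
            print(f"{role}: {proto} {lo}-{hi} ({purpose}) is not in the request")
```

Ports 8096 and 61617 are left out of REQUIRED because the reply ties them to providing the LS service.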

 



