perfSONAR User Q&A and Other Discussion

[Brian Candler <>]

The perfsonar ports are documented at:
http://www.perfsonar.net/deploy/security-considerations/

Now, I have a perfsonar node behind a firewall (it's used for internal 
IPSEC testing), and configured ACLs according to this list. Firewall 
logs show that periodically there are a range of attempted connections 
to UDP ports 44445-44457 from other perfsonar nodes, and these are 
currently being blocked.

The same source port is the same for the duration of a burst of packets 
to that range. Looking at netstat at the source end, I see that the high 
port chosen is bound to a "tracepath" process

udp        0      0 0.0.0.0:36334 
0.0.0.0:*                               6344/tracepath

And looking on a target perfsonar box, that range of ports is not 
enabled in iptables either.

Now, as far as I can tell from googling, tracepath is a utility for 
checking the path MTU - although it doesn't turn up a list of what ports 
it uses. So my questions are:

1. should I enable ports 44444 upwards for tracepath:
    - in the firewall in front of the perfsonar box?
    - in iptables in the perfsonar box itself?
2. and if so, should this be added to the document linked above?

Or does it really not matter - e.g. tracepath only cares about the 
intermediate hops and not the final destination?

Thanks,

Brian.