perfsonar-user - RE: [perfsonar-user] Perfsonar ports - tracepath blocked
- From: "Garnizov, Ivan (RRZE)" <>
- To: Brian Candler <>, "" <>
- Subject: RE: [perfsonar-user] Perfsonar ports - tracepath blocked
- Date: Tue, 16 Feb 2016 12:44:27 +0000
Hi Brian,
I believe there is something strange going on there.
I would not expect to have a tracepath daemon listening on any port. I would
not expect to have a tracepath daemon at all!
http://www.inetdaemon.com/tutorials/troubleshooting/tools/traceroute/definition.shtml
http://linux.die.net/man/8/tracepath
Look for Van Jacobson!
I can imagine only evil things hiding also behind the UDP 36334.
Please share how you came to this conclusion/inquiry: "tracepath only
cares about the intermediate hops and not the final destination"
Best regards,
Ivan
-----Original Message-----
From: [mailto:] On Behalf Of Brian Candler
Sent: Monday, 15 February 2016 18:19
To:
Subject: [perfsonar-user] Perfsonar ports - tracepath blocked
The perfsonar ports are documented at:
http://www.perfsonar.net/deploy/security-considerations/
Now, I have a perfsonar node behind a firewall (it's used for internal IPSEC
testing), and configured ACLs according to this list. Firewall logs show that
periodically there are a range of attempted connections to UDP ports
44445-44457 from other perfsonar nodes, and these are currently being blocked.
The source port is the same for the duration of a burst of packets to
that range. Looking at netstat at the source end, I see that the high port
chosen is bound to a "tracepath" process:
udp 0 0 0.0.0.0:36334 0.0.0.0:* 6344/tracepath
And looking on a target perfsonar box, that range of ports is not enabled in
iptables either.
Now, as far as I can tell from googling, tracepath is a utility for checking
the path MTU - although it doesn't turn up a list of what ports it uses. So
my questions are:
1. should I enable ports 44444 upwards for tracepath:
- in the firewall in front of the perfsonar box?
- in iptables in the perfsonar box itself?
2. and if so, should this be added to the document linked above?
Or does it really not matter - e.g. tracepath only cares about the
intermediate hops and not the final destination?
Thanks,
Brian.
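As an added example, not part of the thread or of perfSONAR itself, here is a small Python check that picks the pattern Brian describes out of netfilter-style firewall log lines: a burst from one source port to a contiguous run of UDP destination ports just above 44444, which is tracepath's default initial destination port (it advances the port by one per hop probed, up to its default 30-hop limit). The log lines, addresses and the LOG prefix are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG style (not the firewall logs from the thread).
# One tracepath-style burst (same SPT, DPTs 44445-44457) plus two unrelated UDP drops.
def build_sample_log():
    tmpl = ("Feb 15 17:58:01 fw kernel: [DROP] IN=eth0 SRC={src} DST=198.51.100.20 "
            "PROTO=UDP SPT={spt} DPT={dpt} LEN=32")
    lines = [tmpl.format(src="192.0.2.10", spt=36334, dpt=p) for p in range(44445, 44458)]
    lines.append(tmpl.format(src="203.0.113.7", spt=51000, dpt=53))
    lines.append(tmpl.format(src="203.0.113.7", spt=40000, dpt=44450))  # lone packet, not a sweep
    return "\n".join(lines)

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=UDP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

TRACEPATH_BASE = 44444  # tracepath's default initial destination port (-p)
MAX_HOPS = 30           # tracepath's default hop limit (-m), so DPT <= base + 30

def find_tracepath_sweeps(log_text, min_ports=3):
    """Group dropped UDP packets by (src, dst, source port) and report the groups whose
    destination ports form a contiguous run inside tracepath's default port range."""
    flows = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dpt = int(m["dpt"])
        if TRACEPATH_BASE <= dpt <= TRACEPATH_BASE + MAX_HOPS:
            flows[(m["src"], m["dst"], int(m["spt"]))].add(dpt)
    sweeps = []
    for (src, dst, spt), ports in flows.items():
        lo, hi = min(ports), max(ports)
        # A sweep: enough ports, and no gaps between the lowest and highest one
        if len(ports) >= min_ports and hi - lo + 1 == len(ports):
            sweeps.append({"src": src, "dst": dst, "sport": spt,
                           "dports": (lo, hi), "hops_probed": len(ports)})
    return sweeps

if __name__ == "__main__":
    for s in find_tracepath_sweeps(build_sample_log()):
        print(f"{s['src']} -> {s['dst']} sport {s['sport']}: UDP {s['dports'][0]}-{s['dports'][1]} "
              f"({s['hops_probed']} ports), consistent with a tracepath run")
```

A sweep reported here tells you the blocked traffic is path-MTU probing from a peer rather than a scan, which is the distinction to make before deciding whether to open the range in the firewall or in iptables on the node.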