
perfsonar-user - Re: [perfsonar-user] Perfsonar ports - tracepath blocked

Subject: perfSONAR User Q&A and Other Discussion

Re: [perfsonar-user] Perfsonar ports - tracepath blocked


  • From: Andrew Lake
  • To: "Garnizov, Ivan (RRZE)", Brian Candler
  • Subject: Re: [perfsonar-user] Perfsonar ports - tracepath blocked
  • Date: Tue, 16 Feb 2016 11:44:22 -0500

Hi Brian,

Your rules look fine? The INPUT chain says go to the perfSONAR chain which I am guessing based on the first couple lines contains the usual set of rules. Or is there nothing else in the perfSONAR chain? See http://docs.perfsonar.net/manage_security.html for what they usually look like. 

Thanks,
Andy



On February 16, 2016 at 11:35:16 AM, Brian Candler wrote:

On 16/02/2016 16:26, Andrew Lake wrote:
> Somebody else reported this as well a couple days ago and I have seen
> it before as well. Basically when the ISO is installing, the
> netfilters kernel module is not loaded so the post step to set up the
> rules is failing. I wonder if there was a recent update in anaconda or
> some other package that has recently made this surface, because it was
> definitely fine when the 3.5 release was made. You can run
> "/opt/perfsonar_ps/toolkit/scripts/configure_firewall install" to
> set up the rules.
Thank you - but that fix doesn't work for me.

[root@ix-perf1 brian]# /opt/perfsonar_ps/toolkit/scripts/configure_firewall install
Adding perfSONAR firewall rules
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
ip6tables: Saving firewall rules to /etc/sysconfig/ip6table[ OK ]
[root@ix-perf1 brian]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
perfSONAR all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain perfSONAR (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT icmpv6-- 0.0.0.0/0 0.0.0.0/0
... etc

[root@ix-perf1 brian]# head -20 /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Feb 16 16:31:02 2016
*filter
:INPUT ACCEPT [1:52]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:526]
:perfSONAR - [0:0]
-A INPUT -j perfSONAR
-A perfSONAR -p icmp -m icmp --icmp-type any -j ACCEPT
-A perfSONAR -p ipv6-icmp -j ACCEPT
-A perfSONAR -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A perfSONAR -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A perfSONAR -p udp -m udp --dport 123 -m udp -j ACCEPT
-A perfSONAR -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 8090 -j ACCEPT
-A perfSONAR -p udp -m udp --dport 33434:33634 -j ACCEPT
-A perfSONAR -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 8000 -j ACCEPT
-A perfSONAR -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 8001:8020 -j ACCEPT
-A perfSONAR -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 843 -j ACCEPT
-A perfSONAR -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 7123 -j ACCEPT
-A perfSONAR -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3001:3003 -j ACCEPT
-A perfSONAR -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 861 -j ACCEPT

Cheers,

Brian.
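
An added example, not part of the thread and not perfSONAR's own code: a small check over iptables-save text that answers the two questions raised above, namely whether INPUT actually jumps to the perfSONAR chain and whether that chain holds an ACCEPT rule covering a given protocol and destination port. The function names and the constructed sample are assumptions, and the matcher is deliberately simplified (it only reads `-p`, `--dport` and `-j`, and ignores source restrictions, negation and multiport).

```python
# Constructed sample in iptables-save format, modelled on the listing in the thread.
SAMPLE = """\
*filter
:INPUT ACCEPT [1:52]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:526]
:perfSONAR - [0:0]
-A INPUT -j perfSONAR
-A perfSONAR -p icmp -m icmp --icmp-type any -j ACCEPT
-A perfSONAR -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A perfSONAR -p udp -m udp --dport 33434:33634 -j ACCEPT
-A perfSONAR -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 8001:8020 -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Return {chain: [token list per rule]}; declared but empty chains map to []."""
    chains = {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):            # chain declaration, e.g. ":perfSONAR - [0:0]"
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):        # appended rule, e.g. "-A INPUT -j perfSONAR"
            tok = line.split()
            chains.setdefault(tok[1], []).append(tok[2:])
    return chains

def opt(rule, flag):
    """Value following `flag` in a rule's tokens, or None if the flag is absent."""
    i = rule.index(flag) + 1 if flag in rule else len(rule)
    return rule[i] if i < len(rule) else None

def chain_is_hooked(chains, chain="perfSONAR", from_chain="INPUT"):
    """True if from_chain contains a jump to chain (otherwise its rules never run)."""
    return any(opt(r, "-j") == chain for r in chains.get(from_chain, []))

def accepts(chains, proto, port, chain="perfSONAR"):
    """True if chain has an ACCEPT rule for proto whose --dport (or lo:hi range) covers port."""
    for r in chains.get(chain, []):
        if opt(r, "-j") != "ACCEPT" or opt(r, "-p") != proto or opt(r, "--dport") is None:
            continue
        lo, _, hi = opt(r, "--dport").partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

if __name__ == "__main__":
    c = parse_rules(SAMPLE)
    print("hooked:", chain_is_hooked(c), "| udp/33434 accepted:", accepts(c, "udp", 33434))
```

On a live host the same functions can be fed the contents of /etc/sysconfig/iptables, the file shown in the listing above.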



