perfSONAR User Q&A and Other Discussion

["Garnizov, Ivan (RRZE)" <>]

Hi Brian, Andy,

Brian has raised another issue here with FW config. 
I am unable to confirm this with my test instance on 3.5.1RC1.
I have these lines:

-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --sport 547 --dport 546 -j ACCEPT
-A INPUT -j perfSONAR
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A fail2ban-SSH -j RETURN


I have used the pure installation.

I do not see the REJECT lines in the config Brian has shared.
But it could have been fixed in the mean time.

Best regards,
Ivan


-----Original Message-----
From: Brian Candler 
[mailto:]
 
Sent: Dienstag, 16. Februar 2016 17:41
To: Andrew Lake; 
;
 Garnizov, Ivan (RRZE)
Subject: Re: [perfsonar-user] Perfsonar ports - tracepath blocked

On 16/02/2016 16:35, Brian Candler wrote:
> Thank you - but that fix doesn't work for me.
>
> [root@ix-perf1
>  brian]#
> /opt/perfsonar_ps/toolkit/scripts/configure_firewall install

I did notice that some parts of this script are commented out - but it is 
identical to the version which is on the box which is working (i.e. 
the one with the full set of firewall rules)

...
main() {
#    if [ "${COMMAND}" == "new" ]; then
         # We're running as part of a NetInstall. Configure the firewall by 
hand
         # since iptables isn't available during NetInstall.
#        buildStaticFirewallRules v4_rules "v4"
#        buildStaticFirewallRules v6_rules "v6"

#        mv $v4_rules /etc/sysconfig/iptables
#        mv $v6_rules /etc/sysconfig/ip6tables
#    elif [ "${COMMAND}" == "upgrade" ]; then

     if [ "${COMMAND}" == "install" ]; then

         deleteOldFirewallRules
...

Regards,

Brian.