perfsonar-user - Re: [perfsonar-user] Perfsonar ports - tracepath blocked

Subject: perfSONAR User Q&A and Other Discussion

List archive

Re: [perfsonar-user] Perfsonar ports - tracepath blocked

From: Brian Candler <>
To: Andrew Lake <>, "" <>
Subject: Re: [perfsonar-user] Perfsonar ports - tracepath blocked
Date: Thu, 18 Feb 2016 13:49:44 +0000
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=subject:to :references:from:message-id:date:mime-version:in-reply-to :content-type; q=dns; s=sasl; b=GetAylSnt7KEAFp7mesaoojGR45Ioavc xmTLHxjsjssGJ96ozd7zmepUIJe2r9cAzfzuGBGQxGo+IOMYjzXuJlA7n0Tju3lb rpqDCc+7rIGiz1dRJCRbDz1TEYOKZQTVxADBfQN3mT8CZr+Y8Z1g+blo/HgGh/fr AKcY4MKvPEU=

On 16/02/2016 21:54, Andrew Lake wrote:

As an FYI, the update has been pushed out. It may take the mirrors a bit to all update so give it a few hours.

The boxes here have updated:

$ sudo iptables -L -n[sudo] password for brian:Chain INPUT (policy ACCEPT)target prot opt source destinationperfSONAR all -- 0.0.0.0/0 0.0.0.0/0REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT)target prot opt source destinationREJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachableChain OUTPUT (policy ACCEPT)target prot opt source destinationACCEPT all -- 0.0.0.0/0 0.0.0.0/0Chain perfSONAR (1 references)target prot opt source destinationACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5001:5300ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:5001:5300ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5301:5600ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:5301:5600ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5601:5900ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:5601:5900ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:6001:6200ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:6001:6200ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:8760:9960ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:8760:9960ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255ACCEPT all -- 0.0.0.0/0 0.0.0.0/0ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHEDACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:22ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123 udpACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp spt:547 dpt:546ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:33434:33634ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:8001:8020ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:3001:3003ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:4823ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:861ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8000ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:7123ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:843ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8090RETURN all -- 0.0.0.0/0 0.0.0.0/0
(aside: the "Accept all 0.0.0.0/0 0.0.0.0/0" rule only applies to packets inbound on the 'lo' interface, as "-v" shows)

However, compared to the older boxes, the fail2ban-SSH chain and target link are not there.

I don't *think* I installed the fail2ban rules myself. But I did manually add some other rules for other services, so it's not a clean example to work from.

Maybe what happened is:
- at system installation time, the fail2ban package installed its own iptables rules
- then perfsonar overwrote them

But that's only a guess. If someone can make a fresh install of latest 3.5 ISO they can check if the fail2ban rules are there or not.

Regards,

Brian.

Re: [perfsonar-user] Perfsonar ports - tracepath blocked, (continued)

List archive

Re: [perfsonar-user] Perfsonar ports - tracepath blocked