my firewall [linux]

Profile mayer[be]

Joined: 29 Mar 06
Posts: 5
Credit: 14,197
RAC: 0
Message 19537 - Posted: 30 Jun 2006, 7:29:12 UTC
Last modified: 30 Jun 2006, 7:29:26 UTC

I need some help with my firewall; it's running Linux and has a client ready to run Rosetta.

The problem is that I blocked all my inbound TCP ports [iptables] and I don't know which ones to leave open for my client.

help? :p
Whl.

Joined: 29 Dec 05
Posts: 203
Credit: 275,802
RAC: 0
Message 19549 - Posted: 30 Jun 2006, 10:39:47 UTC

Hi mayer[be]

You may find this post helpful. As far as I know, though, local port 1043 only applies to versions below 5.4.9 now.

Moderator9
Volunteer moderator
Project administrator

Joined: 22 Jan 06
Posts: 1014
Credit: 0
RAC: 0
Message 19565 - Posted: 30 Jun 2006, 13:56:26 UTC
Last modified: 30 Jun 2006, 13:56:37 UTC

Thread moved from the Science forum
Profile mayer[be]

Joined: 29 Mar 06
Posts: 5
Credit: 14,197
RAC: 0
Message 19796 - Posted: 5 Jul 2006, 14:27:37 UTC - in response to Message 19549.  


tnx :)

My unit is working but the ports still won't work; when tcpdumping, it looks like the client wants to connect to other ports as well.
When it's done crunching I get HTTP errors and cannot upload/download new data, so when it's done I've got to open/close all ports manually.
The other unit behind the firewall has no problems; it's a frontline problem.

It would be handy if, when the client has finished crunching, it could talk to a script to open all ports for 15 minutes and then close them again.
Is that possible? I like automation :)

Profile Feet1st

Joined: 30 Dec 05
Posts: 1740
Credit: 3,655,614
RAC: 0
Message 19800 - Posted: 5 Jul 2006, 15:09:30 UTC - in response to Message 19796.  

> It would be handy if, when the client has finished crunching, it could talk to a script to open all ports for 15 minutes and then close them again.
> Is that possible? I like automation :)


You could use BOINC General Preferences to define the hours of the day in which it is allowed to use the network. Try to give it some breathing room for retries, outages or an unusually large upload. For example, you could run a script to open the ports at, say, 00:59:00 AM and tell BOINC it can use the network from 01:00:00 to 02:30:00; then at 02:30:00 you could close the ports again.

This would avoid the exponential backoff timers that result if you allowed BOINC to hit the network at any time, only for it to find it can't route out.

If you REALLY wanted to get sophisticated, you could examine the XML files of the WU and determine that it has completed, and open the ports... but by that time BOINC may already have attempted to connect, found it couldn't reach the host, and done the timed backoff to retry. But if you catch it soon enough, it would still be in 60 second backoffs.

If having a DC project with BOINC is of interest to you, with volunteer or cloud computing resources, but have no time for the BOINC learning curve,
use a hosting service that understands BOINC projects: http://DeepSci.com
meshmesh

Joined: 15 May 06
Posts: 8
Credit: 113,580
RAC: 0
Message 19813 - Posted: 6 Jul 2006, 2:01:17 UTC

Why open up all firewall ports?
If you want to monitor the traffic to find out exactly which ports are needed, etc., install the free network analyser utility Ethereal. When the WU is about to finish, start capturing the traffic; then you can examine it and see exactly what was going on: the destination IP, the destination port, etc.
You can then specify "allow" rules in the firewall using destination IP AND port.
Profile mayer[be]

Joined: 29 Mar 06
Posts: 5
Credit: 14,197
RAC: 0
Message 19885 - Posted: 7 Jul 2006, 16:34:03 UTC - in response to Message 19813.  
Last modified: 7 Jul 2006, 16:35:37 UTC

I downloaded Ethereal and started scanning, but a few hours later I was thinking, mmmh, next year I'm still scanning :p

Linux has a local port range from 32768 to 61000, so I reduced my port range to 32768 to 32778.
My fw script is now set to accept 80, 443, 1043, 31416 and 32768 to 32778.

For testing I blocked 80, 443, 1043 and 31416. I noticed that the client was trying to connect and only cycling between 32768 and 32778; after a while I unblocked the other ports and now the client works autonomously.

I have a small LED display on the front of my computer which is a CPU stress meter, so when something goes wrong I definitely notice.

Thanks for the help.

greetz!

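As an added example (not code from this thread, from BOINC or from Rosetta@home), the following Python script does what meshmesh suggests and what mayer[be] ended up working out by hand: it reads tcpdump-style summary lines captured while the client talks to the project servers, lists the destination IP/port pairs the client opened connections to, checks whether the client's source ports stayed inside the reduced local port range, and renders iptables rules that accept only those destinations and that range instead of opening everything. The capture lines and the addresses in them (192.168.1.10 for the client, 203.0.113.x and 198.51.100.x for servers) are constructed sample data, not real project servers.

```python
import re
from collections import Counter

# Constructed sample of tcpdump summary output (not a real capture).
# The client is 192.168.1.10; the servers use RFC 5737 documentation
# addresses. One connection deliberately uses a source port outside the
# reduced local port range so the range check has something to report.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.10.32768 > 203.0.113.5.80: Flags [S], seq 1, length 0
12:00:01.000452 IP 203.0.113.5.80 > 192.168.1.10.32768: Flags [S.], seq 9, ack 2, length 0
12:00:02.100000 IP 192.168.1.10.32769 > 203.0.113.5.443: Flags [S], seq 1, length 0
12:00:02.200000 IP 203.0.113.5.443 > 192.168.1.10.32769: Flags [S.], seq 7, ack 2, length 0
12:00:05.000000 IP 192.168.1.10.32770 > 203.0.113.9.80: Flags [S], seq 1, length 0
12:00:09.000000 IP 192.168.1.10.40123 > 198.51.100.7.80: Flags [S], seq 1, length 0
"""

# Matches the IPv4 TCP summary line tcpdump prints: timestamp, "IP",
# src.port > dst.port: Flags [..].
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(capture):
    """Yield one dict per parseable line; lines that are not TCP summaries are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"] = int(pkt["sport"])
            pkt["dport"] = int(pkt["dport"])
            yield pkt


def outbound_connections(capture, client_ip):
    """Count connections the client initiated, keyed by (dst_ip, dst_port).

    A pure SYN (flags == "S") sent by the client marks a new outbound
    connection; the server's SYN/ACK ("S.") is the reply and is not counted.
    """
    counts = Counter()
    for pkt in parse_capture(capture):
        if pkt["src"] == client_ip and pkt["flags"] == "S":
            counts[(pkt["dst"], pkt["dport"])] += 1
    return counts


def source_ports_outside(capture, client_ip, low, high):
    """Client source ports that fall outside the [low, high] local port range.

    Any port listed here would be blocked by an INPUT rule that only accepts
    replies to low:high, which is exactly the symptom of upload failures.
    """
    return sorted({
        pkt["sport"] for pkt in parse_capture(capture)
        if pkt["src"] == client_ip and not low <= pkt["sport"] <= high
    })


def iptables_rules(connections, low, high):
    """Render stateless iptables rules restricted to the observed destinations.

    For each (server, port) pair: allow the outbound connection to it, and
    allow the return packets from it only towards the reduced local port
    range. Everything else stays covered by the caller's default DROP policy.
    """
    rules = []
    for dst, dport in sorted(connections):
        rules.append(f"iptables -A OUTPUT -p tcp -d {dst} --dport {dport} -j ACCEPT")
        rules.append(
            f"iptables -A INPUT -p tcp -s {dst} --sport {dport} "
            f"--dport {low}:{high} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    client, low, high = "192.168.1.10", 32768, 32778
    conns = outbound_connections(SAMPLE_CAPTURE, client)
    for (dst, dport), n in sorted(conns.items()):
        print(f"{dst}:{dport}  {n} connection(s)")
    stray = source_ports_outside(SAMPLE_CAPTURE, client, low, high)
    if stray:
        print(f"source ports outside {low}-{high}: {stray}")
    print("\n".join(iptables_rules(conns, low, high)))
```

The generated INPUT rules exist only because the firewall in the thread is stateless. If the kernel has connection tracking, a single `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` admits the replies to whatever the OUTPUT rules allowed, and the local port range no longer needs to be opened or shrunk at all.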




©2020 University of Washington
http://www.bakerlab.org