From: Mary Thompson (mrthompson@lbl.gov)
Date: Wed Apr 17 2002 - 10:55:46 PDT
Dantong,
Thanks for the information. Our problem seems to have been that too
small a range (10 ports) was opened up for the TCP_PORT_RANGE. Having
the information that other labs have agreed to open up ports for Globus
may be useful in convincing our site administrators to do the same.
Thanks, Mary
Dantong Yu wrote:
>
> Dear All:
>
> In order to make grid software work, we set up
> firewall conduits (holes) which allow
> incoming Globus requests.
> Here is the complete list of conduits which
> globus suite needs for the incoming requests:
> (The spider.usatlas.bnl.gov is USATLAS testbed).
>
> conduit permit tcp host 130.199.6.84 eq 2119 any
> --> Globus Gatekeeper daemon
> conduit permit tcp host 130.199.6.84 eq 2135 any
> --> Globus GRIS (Grid Resource Info. Service) daemon
> conduit permit tcp host 130.199.6.84 eq 2811 any
> --> Globus FTP Server
> conduit permit tcp host 130.199.6.84 range 6000 6099 any
> --> The current design of grid software does not support
> port duplexing. Each grid job needs
> 3~6 tcp ports for Standard I/O and error.
> This range is determined by the total number of jobs
> which are submitted to/from your globus sites.
> --> Globus tcp port range for job-manager communication (increase
> range)
>
> Conduit permit tcp host 130.199.6.84 range 7030 7034 any (hitcnt=6952)
> --> iperf testing, No globus, network performance
> tune requests.
>
> conduit permit udp host 130.199.6.84 range 7030 7034 any (hitcnt=7004)
> --> iperf testing
>
> There might be new ports opened for Globus CAS server.
>
>
> Another way to approach this is to set up a gatekeeper
> across the firewall. The site security people might not
> allow it; this is a site-by-site case.
>
> Cheers
> Dantong
>
> On Tue, 2002-04-16 at 18:29, Doug Olson wrote:
> > BNL is running a firewall. Dantong Yu can
> > give you the details but I believe in that
> > case it is just holes in the firewall.
> > Also I think that JLab is, Ian Bird is the
> > contact there, although I don't think they
> > are running any globus services, just using GSI.
> > Doug
> >
> > > -----Original Message-----
> > > From: mrt@lbl.gov [mailto:mrt@lbl.gov]On Behalf Of Mary Thompson
> > > Sent: Tuesday, April 16, 2002 3:09 PM
> > > To: Douglas L Olson
> > > Subject: Grid vs Firewalls
> > >
> > >
> > > Doug,
> > > Have any of the PPDG sites had to deal with getting grid access thru
> > > firewalls? This is becoming a major issue at the Fusion Sites and we are
> > > trying to gather up all the collective wisdom on the subject.
> > >
> > > Thanks, Mary
> > >
> > > --
> > > ---------------------------------------------------------------------
> > > Mary R. Thompson <MRThompson@lbl.gov>
> > > Distributed Security Research Group (510) 486-7408
> > > Lawrence Berkeley National Lab
> > > http://www-itg.lbl.gov/~mrt
> > > ----------------------------------------------------------------------
> > >
--
---------------------------------------------------------------------
Mary R. Thompson <MRThompson@lbl.gov>
Distributed Security Research Group (510) 486-7408
Lawrence Berkeley National Lab
http://www-itg.lbl.gov/~mrt
----------------------------------------------------------------------
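An added example, not part of the original messages: a small Python check that parses the conduit lines quoted above and tests whether a job-manager port range is both permitted by the firewall and large enough at the 3 to 6 ports per job the thread mentions. The function names, the `min,max` range string (the form used by `GLOBUS_TCP_PORT_RANGE`) and the expected job count are assumptions made for illustration.

```python
import re

# Conduit lines copied from the quoted message (PIX "conduit" syntax).
CONDUITS = """\
conduit permit tcp host 130.199.6.84 eq 2119 any
conduit permit tcp host 130.199.6.84 eq 2135 any
conduit permit tcp host 130.199.6.84 eq 2811 any
conduit permit tcp host 130.199.6.84 range 6000 6099 any
"""

RULE = re.compile(
    r"conduit permit (tcp|udp) host (\S+) (?:eq (\d+)|range (\d+) (\d+)) (\S+)",
    re.I)

def parse_conduits(text):
    """Return (proto, host, low, high, source) for every permit line."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # skip annotations and blank lines
        proto, host, eq, low, high, src = m.groups()
        low, high = (int(eq), int(eq)) if eq else (int(low), int(high))
        rules.append((proto.lower(), host, low, high, src))
    return rules

def job_capacity(low, high, ports_per_job=(3, 6)):
    """Concurrent jobs a range can hold: (at 6 ports each, at 3 ports each)."""
    size = high - low + 1
    return size // max(ports_per_job), size // min(ports_per_job)

def check_range(rules, host, port_range, expected_jobs):
    """Compare a 'min,max' job port range with the firewall rules for host.

    Coverage is checked against single rules only; a range that spans two
    adjacent conduits is reported as not permitted.
    """
    low, high = (int(p) for p in port_range.split(","))
    covered = any(p == "tcp" and h == host and lo <= low and high <= hi
                  for p, h, lo, hi, _ in rules)
    worst, best = job_capacity(low, high)
    findings = []
    if not covered:
        findings.append("range not fully permitted by firewall")
    if worst < expected_jobs:
        findings.append(f"range holds only {worst}-{best} jobs, need {expected_jobs}")
    return findings
```

A 10-port range such as the constructed `6000,6009` holds between one and three concurrent jobs, while the 100-port conduit in the quoted list holds 16 to 33.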