
Configuring IceStorm clients to use limited port ranges

We are running afoul of local firewall policies when using IceStorm. It's easy to open up the desired ports for the IceStorm service and publishers (we're using 10203 and 10204 respectively). But the connections going the other way seemingly use random port numbers all over the IP port number space.

Shutting down the firewall is not an option on our network.

Is there any way to configure IceStorm and clients to restrict those reciprocal connections to a limited port range, so we can open up a small window in the firewall? A search of the forum archives didn't turn up anything conclusive.

Comments

  • bernard (Jupiter, FL)
    Hi Chuck,

    The connection from IceStorm to your subscribers will use whichever ports you configured for your subscribers. If the object adapter endpoints in your subscribers look like:
    xxx.Endpoints=tcp

    or
    xxx.Endpoints=tcp -h yyyy

    you want to add a port number (-p <port>).

    Best regards,
    Bernard
  • [Edited for clarity]

    Thank you, Bernard. This is the client's output when I tried your suggestion. The IceStorm service is running on this machine at TCP port 10203. The client is advertising port 10206 on all interfaces as its endpoint.
    -- 01/18/12 16:49:39.997 /Users/cfry/demo11/asa/bin/asaExec: Network: attempting to bind to tcp socket 0.0.0.0:10206
    -- 01/18/12 16:49:39.997 /Users/cfry/demo11/asa/bin/asaExec: Network: accepting tcp connections at 0.0.0.0:10206
       local interfaces: 128.102.109.67, 128.102.242.197, 127.0.0.1
    -- 01/18/12 16:49:39.997 /Users/cfry/demo11/asa/bin/asaExec: Network: published endpoints for object adapter `AsaExec':
       tcp -h 128.102.109.67 -p 10206:tcp -h 128.102.242.197 -p 10206
    -- 01/18/12 16:49:39.998 /Users/cfry/demo11/asa/bin/asaExec: Network: trying to establish tcp connection to 127.0.0.1:10203
    -- 01/18/12 16:49:39.998 /Users/cfry/demo11/asa/bin/asaExec: Network: tcp connection established
       local address = 127.0.0.1:53079
       remote address = 127.0.0.1:10203
    
    - snip -

    As you can see, the IceStorm client establishes its connection to the IceStorm service, not by using the advertised endpoint for its object adapter at port 10206, but at port 53079. This other port number is what I am trying to control.

    Is there a way to limit the client side port choices to a predefined range?
  • bernard (Jupiter, FL)
    Hi Chuck,

    For outgoing connections, the Ice run-time gets an ephemeral port from the operating system.

    While you can configure the ephemeral port range on your computer, Ice does not provide a way to change this range (e.g. use your own port-range).

    What is your use-case for this feature?

    In your application, the client is also your publisher (so an Ice server), and it establishes a connection to IceStorm presumably to subscribe to a topic. IceStorm will later establish a connection the other way around, to port 10206 on your client/publisher.

    One potential issue with your current configuration is that your client/subscriber listens on all interfaces, and publishes in its proxies all non-localhost interfaces. If IceStorm can only reach one of these interfaces, connection establishment from IceStorm to your client/publisher may sometimes take a long time (when the Ice run-time in IceStorm tries first the unreachable interface). The solution in this case is to use -h <name or IP> in your client/publisher endpoint configuration.

    Best regards,
    Bernard
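As an added example (not ZeroC's code and not from either poster), the following Python script turns the advice in Bernard's two replies into a pre-deployment check: it parses Ice endpoint strings in the syntax shown in the log above (`tcp -h <host> -p <port>`, several endpoints joined by `:`) and flags a subscriber adapter that has no explicit `-p` inside the firewall window or no `-h`. The 10200-10210 port window is a constructed value, not something from the thread.

```python
from dataclasses import dataclass, field
from typing import Optional
ALLOWED_PORT_RANGE = (10200, 10210)  # constructed firewall window, not from the thread

@dataclass
class Endpoint:
    protocol: str
    host: Optional[str] = None
    port: Optional[int] = None
    options: dict = field(default_factory=dict)

def parse_endpoints(spec: str) -> list:
    """Parse an Ice endpoint string: ':'-separated endpoints, each a transport name
    followed by '-x value' pairs or bare '-x' flags. Quoted IPv6 hosts are not handled."""
    endpoints = []
    for part in spec.split(":"):
        tokens = part.split()
        if not tokens: continue
        ep = Endpoint(protocol=tokens[0])
        i = 1
        while i < len(tokens):
            opt, value = tokens[i], None
            if not opt.startswith("-"):
                raise ValueError(f"unexpected token {opt!r} in {part!r}")
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                value, i = tokens[i + 1], i + 1   # option takes a value
            if opt == "-h":
                ep.host = value
            elif opt == "-p":
                if value is None or not value.isdigit():
                    raise ValueError(f"-p needs a numeric port in {part!r}")
                ep.port = int(value)
            else:
                ep.options[opt] = value          # e.g. -t 5000, -z
            i += 1
        endpoints.append(ep)
    return endpoints

def check_subscriber_endpoints(spec: str, allowed=ALLOWED_PORT_RANGE) -> list:
    """Report settings that break when only a fixed port window is open towards the subscriber."""
    lo, hi = allowed
    problems = []
    for ep in parse_endpoints(spec):
        if ep.host is None:
            problems.append(f"{ep.protocol}: no -h; adapter listens on all interfaces and publishes every non-loopback address")
        if ep.port is None:
            problems.append(f"{ep.protocol}: no -p; the OS picks an ephemeral listening port")
        elif not lo <= ep.port <= hi:
            problems.append(f"{ep.protocol}: port {ep.port} is outside {lo}-{hi}")
    return problems
```

This only covers the IceStorm-to-subscriber direction; the source port of the subscriber's own outgoing connection (53079 in the log) is assigned by the operating system, as Bernard notes, so the firewall rule for that direction has to allow the OS ephemeral range.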