IceGrid, servers ports, and Firewall
Hi,
I'm using IceGrid in order to create a collection of servers behind a firewall.
Now, my problem is to force IceGrid to use a pool of ports predefined in my firewall configuration.
Is this the right approach to the solution?
If yes, how can I do it?
Thanks
Alessandro
You can use Glacier2.
Regards,
Mark
Thanks for the answers! My first post was pretty generic, in order to get an answer like: "The way to limit the ports is..."
Now I understand the solution is not easy.
So I'll try to explain my requirements better:
My Ice application is a collection of drivers (an Ice server for each driver) written in C++ and running on the local host.
I need an exact explanation of how my IceGrid server handles ports, in order to define severe security rules.
This is because I will install my IceGrid server on a machine with a RING0 firewall.
So, this is my node configuration:

#
# The IceGrid locator proxy.
#
Ice.Default.Locator=AtsGrid/Locator:default -p 4061

#
# The IceStorm locator proxy.
#
IceStorm.TopicManager.Proxy=IceStorm/TopicManager

#
# IceGrid node configuration.
#
IceGrid.Node.Name=node_localhost
IceGrid.Node.Endpoints=default
IceGrid.Node.Data=db/node

#
# Trace properties.
#
IceGrid.Node.Trace.Activator=1

#
# Dummy username and password for icegridadmin.
#
IceGridAdmin.Username=admin
IceGridAdmin.Password=admin
This is my application configuration:

<icegrid>
  <application name="atsGrid" import-default-templates="true">
    <node name="node_localhost">
      <server-instance template="IceStorm" instance-name="IceStorm"/>
      <server id="atsPlcBackoff" exe=".\release\atsPlcBackoff.exe" activation="always">
        <adapter name="atsPlcBackoff" endpoints="tcp">
          <object identity="atsPlcBackoff" type="::com::egicon::ats:devices::atsPlcBackoff" property="Identity"/>
        </adapter>
      </server>
      <server id="atsLasit" exe=".\release\atsLasit.exe" activation="always">
        <adapter name="atsLasit" endpoints="tcp">
          <object identity="atsLasit" type="::com::egicon::ats:devices::atsLasit" property="Identity"/>
        </adapter>
      </server>
    </node>
  </application>
</icegrid>
What is the best practice for understanding how to define security rules?
And beyond this:
1) Is it possible to force IceGrid to work only on loopback (127.0.0.1)?
2) Is it possible to fix my servers' ports, using IceGrid only like a DNS server?
3) Does Glacier2 really use only one port, or does it dynamically open some random ports when a new client requires a connection?
1) Is it possible to force IceGrid to work only on loopback (127.0.0.1)?

1. Add -h 127.0.0.1 to the endpoint configurations of the IceGrid node/registry, and to the endpoint configurations of your application's object adapters. For example:

IceGrid.Node.Endpoints=default -h 127.0.0.1

and

<adapter name="atsPlcBackoff" endpoints="tcp -h 127.0.0.1">

2. Or, you can define Ice.Default.Host=127.0.0.1 for the IceGrid node/registry and your application servers.

2) Is it possible to fix my servers' ports, using IceGrid only like a DNS server?

IceGrid.Node.Endpoints=default -h 127.0.0.1 -p 5001

and

<adapter name="atsPlcBackoff" endpoints="tcp -h 127.0.0.1 -p 5002">

Of course, you need to be sure that the ports you choose won't be in use by another program.

3) Does Glacier2 really use only one port, or does it dynamically open some random ports when a new client requires a connection?

Regards,
Mark
Thanks Mark for your answer.
So if I understood correctly, there is no way to tell my Ring 0 firewall admin which ports will be opened for the communication between my Ice servers and my clients, with or without Glacier2.
I can only define how many, but not which.
Is that right?
No, that's not correct.
As I wrote earlier, you can define exactly which ports your applications and Ice services (such as IceGrid nodes and registries) will open for incoming connections.
It is true that you cannot specify which local ports will be opened for outgoing connections. A socket connection has a local port and a remote port. For outgoing Ice connections, the local port is always assigned by the operating system.
It's not completely clear to me whether your entire application is running on a single host (with multiple processes communicating over the localhost interface), or whether communication occurs over the network.
You also didn't indicate whether the firewall is restricting the client's connections, the server's connections, or both.
Let's say that the entire application is running on a single host, and that the firewall restricts both clients and servers even for localhost activity. In this case, the firewall rules will need to permit outgoing connections from any port, but incoming connections can be restricted to the set of ports specified by the application's configuration. For an application that uses IceGrid, there are several endpoints that must be included:

- IceGrid.Node.Endpoints
- IceGrid.Registry.Client.Endpoints
- IceGrid.Registry.Internal.Endpoints
- IceGrid.Registry.Server.Endpoints
So, you can define an explicit port for each of these endpoints and then produce a list of ports that the firewall must not block.
If you can describe your system configuration and firewall requirements in more detail, I might be able to provide more specific help.
Regards,
Mark
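Mark's two answers above (pin each listening endpoint with -h and -p, or set Ice.Default.Host per process, and include the node and the three registry endpoints in the list handed to the firewall admin) lend themselves to a small audit. The script below is an added example, not code from this thread or from ZeroC: it reads a node/registry property file and an IceGrid application descriptor, lists every listening endpoint, prints the inbound ports a firewall rule can allow, and flags the endpoints a rule cannot pin down (no -p, so the OS picks the port; no -h, so it listens on every interface). The sample property file and descriptor are constructed for the example, with one endpoint deliberately left without -p and one without -h; the endpoint parser assumes that -h and -p are the only options that matter for the socket address and that splitting on ':' outside double quotes is enough of Ice's endpoint quoting rules for configs like these.

```python
# Added example (not from the thread or from ZeroC): enumerate every listening
# Ice endpoint, derive the inbound ports a firewall must allow, and flag the
# endpoints that cannot be pinned. All sample configuration is constructed.
import shlex
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed properties; the node endpoint deliberately lacks -p and the
# internal registry endpoint lacks -h, so the audit has something to flag.
SAMPLE_PROPERTIES = """\
Ice.Default.Locator=AtsGrid/Locator:default -h 127.0.0.1 -p 4061
IceGrid.Node.Endpoints=default -h 127.0.0.1
IceGrid.Registry.Client.Endpoints=tcp -h 127.0.0.1 -p 4061
IceGrid.Registry.Server.Endpoints=tcp -h 127.0.0.1 -p 4062
IceGrid.Registry.Internal.Endpoints=default -p 4063
"""

# Constructed descriptor in the thread's shape; atsLasit uses a per-server
# Ice.Default.Host instead of -h on each endpoint (Mark's second option).
SAMPLE_APPLICATION_XML = """\
<icegrid><application name="atsGrid"><node name="node_localhost">
  <server id="atsPlcBackoff" exe="atsPlcBackoff.exe" activation="always">
    <adapter name="atsPlcBackoff" endpoints="tcp -h 127.0.0.1 -p 5002"/>
  </server>
  <server id="atsLasit" exe="atsLasit.exe" activation="always">
    <property name="Ice.Default.Host" value="127.0.0.1"/>
    <adapter name="atsLasit" endpoints="tcp -p 5003:ssl -p 5004"/>
  </server>
</node></application></icegrid>
"""

@dataclass
class Endpoint:
    source: str          # property name or "server/adapter"
    protocol: str        # tcp, ssl, or "default" (= Ice.Default.Protocol)
    host: Optional[str]  # None: every interface
    port: Optional[int]  # None: assigned by the OS when the adapter activates

def split_endpoints(spec):
    """Split an endpoint list on ':' outside double quotes (assumed sufficient here)."""
    parts, cur, quoted = [], [], False
    for ch in spec:
        if ch == '"':
            quoted = not quoted
        if ch == ":" and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def parse_endpoint(source, spec, default_host=None):
    """Read protocol, -h and -p; options like -t or -z don't change the socket address."""
    tokens = shlex.split(spec)
    host, port, i = default_host, None, 1
    while i < len(tokens):
        if tokens[i] == "-h" and i + 1 < len(tokens):
            host, i = tokens[i + 1], i + 2
        elif tokens[i] == "-p" and i + 1 < len(tokens):
            port, i = int(tokens[i + 1]), i + 2
        else:
            i += 1
    return Endpoint(source, tokens[0], host, port)

def parse_properties(text):
    """key=value lines; lines starting with '#' are comments."""
    pairs = (l.strip().partition("=") for l in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip() and not k.startswith("#")}

def collect_endpoints(props, app_xml):
    """Every *.Endpoints property (proxies such as Ice.Default.Locator are
    outgoing targets, so they are skipped) plus every adapter in the descriptor."""
    found = []
    node_host = props.get("Ice.Default.Host")
    for key, value in props.items():
        if key.endswith(".Endpoints"):
            found += [parse_endpoint(key, s, node_host) for s in split_endpoints(value)]
    for server in ET.fromstring(app_xml).iter("server"):
        # A server process has its own property set: only its own
        # Ice.Default.Host applies, never the node's.
        server_host = None
        for prop in server.findall("property"):
            if prop.get("name") == "Ice.Default.Host":
                server_host = prop.get("value")
        for adapter in server.iter("adapter"):
            src = f"{server.get('id')}/{adapter.get('name')}"
            found += [parse_endpoint(src, s, server_host)
                      for s in split_endpoints(adapter.get("endpoints", ""))]
    return found

def run_audit(props_text, app_xml, required_host="127.0.0.1"):
    """Return (sorted inbound ports to allow, findings the firewall admin must hear about)."""
    eps = collect_endpoints(parse_properties(props_text), app_xml)
    findings = []
    for ep in eps:
        if ep.port is None:
            findings.append(f"{ep.source}: no -p, port is OS-assigned at start-up")
        if ep.host != required_host:
            findings.append(f"{ep.source}: listens on {ep.host or 'all interfaces'}, not {required_host}")
    return sorted({ep.port for ep in eps if ep.port is not None}), findings

if __name__ == "__main__":
    ports, findings = run_audit(SAMPLE_PROPERTIES, SAMPLE_APPLICATION_XML)
    print("inbound ports to allow:", ports)
    for f in findings:
        print("FINDING:", f)
```

On the constructed sample the allow-list is 4061, 4062, 4063, 5002, 5003 and 5004, and two findings come out: the node endpoint has no -p (so, as Mark says about OS-assigned ports, no rule can name it in advance) and the internal registry endpoint has no -h. Outgoing connections are not covered by this audit on purpose; their local port is always chosen by the operating system, which is why Mark's rule set permits outgoing connections from any port.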