Re: 20010104: questions regarding LDM and firewalls
- Subject: Re: 20010104: questions regarding LDM and firewalls
- Date: Fri, 05 Jan 2001 10:38:08 -0700
Unidata Support wrote:
>
> ------- Forwarded Message
>
> >To: Jeff Weber <address@hidden>
> >cc: address@hidden
> >From: "James R. Frysinger" <address@hidden>
> >Subject: Re: Upstream feed source info (fwd)
> >Organization: College of Charleston
> >Keywords: 200101050304.f0534Ho11160
>
> Jeff, or whoever catches this message,
>
> Thanks for your patience. We are involved in some dialog with our
> administrative computing department about getting a path opened up for
> our ldm server. One question that has been asked today that I could not
> answer is this...
>
> What port(s) does ldm use and what kind of exchange is it? I quoted the
> section from the LDM Users Guide about LDM using ONC RPC protocol
> overlying TCP/IP. Our firewall people, however, may want more specifics
> about the port numbers that will be used and how to qualify the
> "allowable" access to those ports. The MCIDAS installation instructions
> had us set up two ports for mcadde, but I saw nothing similar for ldm.
> What can I tell our Administrative Computing people? They are willing to
> open a hole for us, but want to keep it small enough to prevent entry
> by casual sniffers, at least. If this floats on a TCP/IP protocol, it
> seems to me that if we had definite ports assigned and logged to tcp,
> we could safeguard them with a TCP wrapper. Does that make any sense
> vis-a-vis LDM?
>
> By the way, one of our Administrative Computing folks, Bissell Anderson,
> may or may not call you tomorrow morning with similar questions.
>
> Thanks again,
>
> Jim
>
> --
> James R. Frysinger
> 10 Captiva Row
> Charleston, SC 29407
> 843.225.0805
> http://www.cofc.edu/~frysingj
> Cert. Adv. Metrication Specialist
>
> University/College of Charleston
> Dept. of Physics and Astronomy
> 66 George Street
> Charleston, SC 29424
> address@hidden
> 843.953.7644
>
> ------- End of Forwarded Message
Hi Jim,
The ldm uses reserved port 388. In establishing a connection to another
host the ldm will try port 388 first, then if that fails it will use the
portmapper (port 111) as a fallback. Most of our sites trust the
application and thus keep port 388 open. If your firewall closes port
111, you must keep port 388 open. You could certainly use TCP wrappers
to filter and log port activity or whatever.
Regarding "what kind of exchange" the ldm uses, a message in our
archives written by the author of the code says, "[Saying that] the ldm
is an RPC service [tends to] confuse the issue. When running on port
388, technically the ldm is an IP service that uses RPC protocol
encoding. If it _required_ the portmapper (which it doesn't), we would
say it was an RPC service."
If your system administrators want to know about the messages being
transmitted, the protocol is defined in the file
$LDMHOME/src/protocol/ldm.h. Also, the LDM Site Manager's Guide,
http://www.unidata.ucar.edu/packages/ldm/smg.html, gives detailed
information about the protocol in chapter 3, "LDM Protocols".
Hope this helps. Let me know if you have any further questions.
Anne
--
***************************************************
Anne Wilson
address@hidden

UCAR Unidata Program
P.O. Box 3000
Boulder, CO 80307
----------------------------------------------------
Unidata WWW server http://www.unidata.ucar.edu/
****************************************************
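As an added example (not part of the original thread or of the LDM software), a small Python check that mimics the connection order described in the reply above, trying the reserved port 388 first and the portmapper on 111 only if that fails, so a site administrator can confirm which path a firewall actually leaves open before relying on it. The `demo()` function uses throwaway local listeners in place of the real privileged ports; the host and port values there are constructed placeholders.

```python
import socket

LDM_PORT = 388         # reserved LDM port, tried first
PORTMAPPER_PORT = 111  # portmapper, used only as a fall-back


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes; no LDM protocol is spoken."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldm_path(host, ldm_port=LDM_PORT, portmapper_port=PORTMAPPER_PORT, timeout=2.0):
    """Path an LDM would take to `host`: 'direct' (388 answers, so 111 can stay
    closed), 'portmapper' (only 111 answers) or 'blocked' (neither completes)."""
    if tcp_reachable(host, ldm_port, timeout):
        return "direct"
    if tcp_reachable(host, portmapper_port, timeout):
        return "portmapper"
    return "blocked"


# --- demonstration with constructed local listeners standing in for 388 and 111 ---
def _two_free_ports():
    """Two distinct unused local ports, so the demo needs no root (constructed setup)."""
    socks = [socket.socket(), socket.socket()]
    for s in socks:
        s.bind(("127.0.0.1", 0))
    ports = tuple(s.getsockname()[1] for s in socks)
    for s in socks:
        s.close()
    return ports


def demo():
    """Simulate three firewall policies: only 388 open, only 111 open, both closed.
    A listening socket completes the handshake from its backlog, so no accept() is needed."""
    results = []
    for open_role in ("ldm", "portmapper", None):
        ldm_p, pm_p = _two_free_ports()
        srv = None
        if open_role is not None:
            srv = socket.socket()
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind(("127.0.0.1", ldm_p if open_role == "ldm" else pm_p))
            srv.listen(1)
        results.append(ldm_path("127.0.0.1", ldm_p, pm_p, timeout=1.0))
        if srv is not None:
            srv.close()
    return tuple(results)  # ('direct', 'portmapper', 'blocked')
```

Against a real upstream host, call `ldm_path("upstream.example.org")` with the default ports; a 'portmapper' result means the firewall has left 111 open but not 388, which is the opposite of the recommendation in the reply.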