[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[LDM #ZYU-864541]: Inside firewall to outside LDM initiation

This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.

Subject: [LDM #ZYU-864541]: Inside firewall to outside LDM initiation
Date: Wed, 22 Jun 2011 17:26:16 -0600

Brice,

> 'Quick' question for you.  Is it possible to initiate a LDM connection
> from behind a firewall to an outside server and feed the external
> server data?

Connections are usually initiated by a downstream LDM connecting to an upstream 
LDM in order to request data, which is the opposite of what you described. In 
this usual case, the firewall must allow incoming TCP connections to the 
upstream LDM host on port 388.

> I have a situation that I am working on where an LDM server is being
> stood up in a DMZ.  The server needs to be fed data from the protected
> system behind the DMZ (it may also take in some data from outside and
> feed it back to the protected system) for delivery to customers on the
> outside of the DMZ.  Mostly simple, but the hitch is that the
> connection must be initiated from the protected system outbound to the
> DMZ server.

The LDM was deliberately designed to give downstream sites as much control over 
data reception as possible. There are ways to overcome this by using ldmsend(1) 
on the upstream host and having appropriate ACCEPT entries in the downstream 
LDM's configuration-file -- but this mechanism isn't as robust as the LDM 
system in normal usage.

I strongly recommend that you find a way to allow the LDM in the DMZ to 
initiate a connection to port 388 on the protected system. To the best of our 
knowledge (and we should know) in the 17 years since its release, the LDM has 
never been used to break into a system. Because of its design, I firmly believe 
that's an impossibility.

> Will a standard configuration with allows and requests work on the DMZ
> server or does this scenario have more hinky configuration problems or
> is this scenario doable with LDM only, i.e. do I have to transport the
> data outbound to the DMZ server using some other method and then load
> the DMZ server locally?
> 
> Your assistance will be greatly appreciated... as always.
> 
> Brice
> 
> Brice Biggerstaff
> Software Support Lead
> Johnson Space Center Weather Decision Support System
> 281-853-3011 (w)
> 713-764-2601 (p)
> address@hidden<mailto:address@hidden>  (alpha pager for text and email)
> 
> Res Confacti Erimus
> "We Get Things Done!"


Regards,
Steve Emmerson

Ticket Details
===================
Ticket ID: ZYU-864541
Department: Support LDM
Priority: Normal
Status: Closed

Prev by Date: [LDM #DTG-904445]: Confusing Error when pqact.conf does not have LF at EOF
Next by Date: [LDM #ZYU-864541]: Inside firewall to outside LDM initiation
Previous by thread: [LDM #DTG-904445]: Confusing Error when pqact.conf does not have LF at EOF
Next by thread: [LDM #ZYU-864541]: Inside firewall to outside LDM initiation
Index(es):
- Date
- Thread