dCache Firewall and Ports
dCache provides a series of data services over the network; each service, or "door", listens on its own set of ports. This page gives basic information on typical firewall setups between the dCache cluster and its clients. Inside the cluster, the firewall should allow all inter-node dCache communication.
Basic Ports Usage in dCache
Most, if not all, ports used by dCache can be set in the dCache configuration files on a per-node basis; they are stored in the node_config file.
| Port(s) | External Access | Description |
| 32768 and 32768 | No | NFS layer within dCache, which is built on RPC; essential for RPC. |
| 111, 1939 and 33808 | No | portmapper, which is also part of dCache's RPC dependencies. |
| 34075 | No | postmaster, which accepts connections to the PostgreSQL database used by dCache. |
| 33823 | No | Internal dCache communication. |
| 8443 | Yes | SRM. |
| 2288 | Maybe | dCache web interface. |
| 22223 | Maybe | dCache admin interface. |
| 22125 | Yes | dCache dCap protocol. |
| 22128 | Yes | dCache GSI-enabled dCap protocol (gsidcap). |
Multi Port Protocols
Some data transfer protocols, such as HTTP, need only a single network connection. Others require several connections between client and server and are correspondingly harder to deploy behind a firewall. dCap and FTP, and their security-enabled counterparts (gsidcap and GridFTP), are examples of multi-connection protocols.
Active and Passive
In active mode the server initiates the further (data) connections, so the client must open listening sockets for server-initiated connections and the client-side firewall must admit them.
In passive mode the client initiates the further connections, so the server must open listening sockets and the server-side firewall must admit client-initiated connections on those ports.
dCache Movers
dCache has the concept of movers, which are bound to a pool. A mover is a thread of execution started for a data transfer; it moves data into or out of a pool. For both active and passive protocols dCache redirects the data connections to the mover on the pool that holds the data, which avoids an extra internal transfer through the door to place or retrieve the data.
For this reason the port ranges used by active and passive data transfer protocols must be opened on the pool nodes.
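The table of basic ports and the active/passive distinction above translate into two different rule sets: a door node exposes the SRM and dcap ports, while a pool node must admit inbound client connections on the passive mover ranges and initiate outbound connections in active mode. The script below, an added example that is not part of this page or of the dCache project, emits iptables commands for either role using the page's default port numbers. The internal network 10.0.0.0/24, the default-deny INPUT policy and the choice to keep the "Maybe" ports (web and admin interfaces) cluster-internal are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the dCache project or this page): emit iptables
# rules for a dCache door node or pool node from the port table above.
# Assumptions: the cluster-internal network is 10.0.0.0/24 and the host
# policy is default-deny on INPUT; both are placeholders to adjust.

CLUSTER_CIDR="${CLUSTER_CIDR:-10.0.0.0/24}"   # assumed internal network

# Print one ACCEPT rule for a TCP port or inclusive range ("24000:24100").
# $1 is the allowed source: "any" or a CIDR; $2 is the port or range.
rule_tcp() {
    if [ "$1" = any ]; then
        echo "iptables -A INPUT -p tcp -m conntrack --ctstate NEW --dport $2 -j ACCEPT"
    else
        echo "iptables -A INPUT -p tcp -s $1 -m conntrack --ctstate NEW --dport $2 -j ACCEPT"
    fi
}

# Rules every node needs: loopback, already-established flows, and the
# "External Access: No" services restricted to the cluster network.
# portmapper (111) also listens on UDP; add a matching -p udp rule if needed.
common_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in 32768 111 1939 33808 34075 33823; do
        rule_tcp "$CLUSTER_CIDR" "$p"
    done
}

# Door node: SRM, dcap and gsidcap are reachable from anywhere; the web
# and admin interfaces ("Maybe" in the table) are kept cluster-internal here.
door_rules() {
    common_rules
    for p in 8443 22125 22128; do rule_tcp any "$p"; done
    for p in 2288 22223; do rule_tcp "$CLUSTER_CIDR" "$p"; done
}

# Pool node: passive transfers land on the movers, so the data port ranges
# must be open here. Active transfers are initiated by the pool, which only
# needs NEW outbound TCP connections allowed.
pool_rules() {
    common_rules
    rule_tcp any 24000:24100   # passive (gsi)dcap and GridFTP server data ports
    rule_tcp any 24100:24200   # GridFTP client data ports (third-party copy)
    echo "iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW -j ACCEPT"
}

# Usage: ROLE=pool sh dcache-fw.sh | sh      (or ROLE=door)
case "${ROLE:-}" in
    door) door_rules ;;
    pool) pool_rules ;;
esac
```

Review the generated commands before piping them into a shell: the script deliberately prints rules rather than applying them, so a mistaken CIDR or port shows up on the terminal instead of in a lost admin session.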
(gsi)dcap
(GSI)dCap is passive by default. It was initially developed as an active protocol, and the client can still choose to use dCap in either active or passive mode.
A dCache server only acts as a server for these protocols, so to support passive gsidcap a range of ports must be opened in the firewall.
| Default Port Range | Nodes it should be open on |
| 24000:24100 | Pool nodes that are associated with the door (by default all) |
java_options="-server -Xmx512m
-XX:MaxDirectMemorySize=512m
-Dsun.net.inetaddr.ttl=1800
-Dorg.globus.tcp.port.range=20000,24000
-Djava.net.preferIPv4Stack=true
-Dorg.dcache.dcap.port=0
-Dorg.dcache.net.tcp.portrange=24000:24100
-Dlog4j.configuration=file:${ourHomeDir}/config/log4j.properties"
GridFTP
GridFTP is typically used as a passive protocol, but the client can choose to use it in either active or passive mode.
A dCache server acts as both a GridFTP server and a GridFTP client. This is due to the protocol's third-party copy feature, which transfers data between two storage services without passing through the client. Because of the way third-party copy works (a second authenticated control channel is created between the two nodes), the pool nodes need grid certificates. Another consequence is that the firewall must be opened for both the client and the server role.
| Default Port Range | Nodes it should be open on |
| 24000:24100 (server data ports, org.dcache.net.tcp.portrange) | Pool nodes that are associated with the door (by default all) |
| 24100:24200 (client data ports, clientDataPortRange) | Pool nodes that are associated with the door (by default all) |
java_options="-server -Xmx512m
-XX:MaxDirectMemorySize=512m
-Dsun.net.inetaddr.ttl=1800
-Dorg.globus.tcp.port.range=20000,24000
-Djava.net.preferIPv4Stack=true
-Dorg.dcache.dcap.port=0
-Dorg.dcache.net.tcp.portrange=24000:24100
-Dlog4j.configuration=file:${ourHomeDir}/config/log4j.properties"
clientDataPortRange=24100:24200
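Three port ranges appear in the (gsi)dcap and GridFTP settings above: org.globus.tcp.port.range, org.dcache.net.tcp.portrange and clientDataPortRange. Assuming inclusive bounds, the values as written share port 24000 (globus and mover ranges) and port 24100 (mover and client ranges), so firewall rules written per range will overlap at those ports. The script below, an added example that is not part of this page or of the dCache project, extracts the ranges from a java_options string and reports any pair that is not disjoint. The sample options string is the page's own settings, embedded as constructed input; the "fixed" values printed in the hint are a suggestion, not a dCache default.

```shell
#!/bin/sh
# Added example (not from the dCache project): sanity-check the data port
# ranges in java_options and clientDataPortRange before writing firewall
# rules. Ranges are treated as inclusive; "a:b" and "a,b" are both accepted.

# The page's own settings, embedded here as constructed sample input.
PAGE_JAVA_OPTIONS="-server -Xmx512m
-XX:MaxDirectMemorySize=512m
-Dorg.globus.tcp.port.range=20000,24000
-Dorg.dcache.dcap.port=0
-Dorg.dcache.net.tcp.portrange=24000:24100"
PAGE_CLIENT_RANGE=24100:24200

# Print the value of -D<name>=<value> from a java_options string.
java_prop() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$2=//p"
}

# Print "lo hi" for a range written as a:b or a,b.
range_bounds() {
    printf '%s\n' "$1" | tr ',:' '  '
}

# Succeed (exit 0) if two inclusive ranges share at least one port.
ranges_overlap() {
    set -- $(range_bounds "$1") $(range_bounds "$2")   # $1 $2 first, $3 $4 second
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Check that the globus range, the dCache mover range ($1 = java_options)
# and the GridFTP client range ($2) are pairwise disjoint. Prints each
# clash; exit 0 only if there is none, 2 if a setting is missing.
check_ranges() {
    globus=$(java_prop "$1" org.globus.tcp.port.range)
    movers=$(java_prop "$1" org.dcache.net.tcp.portrange)
    client=$2
    [ -n "$globus" ] && [ -n "$movers" ] && [ -n "$client" ] || {
        echo "missing range setting"; return 2; }
    status=0
    for pair in "globus=$globus movers=$movers" \
                "movers=$movers client=$client" \
                "globus=$globus client=$client"; do
        set -- $pair
        if ranges_overlap "${1#*=}" "${2#*=}"; then
            echo "overlap: $1 and $2"
            status=1
        fi
    done
    return $status
}

if check_ranges "$PAGE_JAVA_OPTIONS" "$PAGE_CLIENT_RANGE"; then
    echo "ranges are disjoint"
else
    echo "adjust the ranges (e.g. 20000,23999 / 24000:24100 / 24101:24200)"
fi
```

Run against the page's values it reports the two clashes; once the ranges are disjoint, the same three ranges can be copied straight into the pool-node firewall rules without ambiguity about which service owns a boundary port.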
