wiki:deployment/firewall
Last modified on 02/19/09 18:50:34

dCache Firewall and Ports

dCache provides a series of data services over the network, and each service or "door" has a different set of firewall ports. This page provides basic information on typical firewall setups between the dCache cluster and the client. Internally, the dCache cluster should have its firewall open for communication between dCache nodes.

Basic Ports Usage in dCache

Most, if not all, ports in dCache can be defined on a per-node basis in the dCache configuration files; these settings are stored in the node_config file.

Port(s)                External Access   Description
32768 and 32768        No                Used by the NFS layer within dCache, which is based on RPC; this service is essential for RPC.
111, 1939 and 33808    No                Used by the portmapper, which is also part of dCache's RPC dependencies.
34075                  No                The postmaster listening for requests to the PostgreSQL database behind dCache's database functionality.
33823                  No                Internal dCache communication.
8443                   Yes               The SRM port.
2288                   Maybe             The dCache web interface.
22223                  Maybe             The dCache admin interface.
22125                  Yes               The dCache dCap protocol.
22128                  Yes               The dCache GSI-enabled dCap protocol.

Multi Port Protocols

Some data transfer protocols, such as HTTP, require only a single network connection. Others are far more complex to deploy and require multiple network connections between the client and the server. dCap and FTP, and their security-enabled counterparts (gsidcap and GridFTP), are examples of multiple-connection protocols.

Active and Passive

Active protocols are those where the further network connections are initiated by the server, so the client must open sockets to listen for server-initiated connections.

Passive protocols are those where the further network connections are initiated by the client, so the server must open sockets to listen for client-initiated connections.

dCache Movers

dCache has the concept of movers, which are bound to a pool. These are threads of execution started for a data transfer, and they are used to move data into and out of a pool. For both active and passive protocols dCache redirects the data transfer connections to the movers, which avoids a second transfer across the dCache network to place the data in, or retrieve it from, the pool.

For this reason the port ranges used by active and passive data transfer protocols should be opened on the pool nodes.

(gsi)dcap

(GSI)dCap is a passive protocol by default. That said, it was initially developed as an active protocol, and the client can decide to use dCap as either an active or a passive data transfer protocol.

A dCache server only acts as a server for these protocols, so to support passive GsiDcap a range of ports must be open in the firewall.

Default Port Range   Nodes it should be open on
24000:24100          Pool nodes that are associated with the door (by default all)

The range is set by the -Dorg.dcache.net.tcp.portrange entry of java_options:

java_options="-server -Xmx512m 
 -XX:MaxDirectMemorySize=512m 
 -Dsun.net.inetaddr.ttl=1800 
 -Dorg.globus.tcp.port.range=20000,24000 
 -Djava.net.preferIPv4Stack=true 
 -Dorg.dcache.dcap.port=0 
 -Dorg.dcache.net.tcp.portrange=24000:24100 
 -Dlog4j.configuration=file:${ourHomeDir}/config/log4j.properties"

GridFTP

GridFTP is typically used as a passive protocol. That said, the client can decide to use GridFTP as either an active or a passive data transfer protocol.

A dCache server acts as both a GridFTP server and a GridFTP client. This is due to the protocol's third-party copy feature, which allows a data transfer to be achieved between two storage services without passing through the client. Because of the way third-party copy works (creating a second authenticated control channel between the two nodes), the pool nodes need grid certificates. Another consequence is that the firewall must be opened for both the client and the server role.

Default Port Range   Nodes it should be open on
24000:24100          Pool nodes that are associated with the door (by default all)
24100:24200          Pool nodes that are associated with the door (by default all)

The server-side range is set by the -Dorg.dcache.net.tcp.portrange entry of java_options:

java_options="-server -Xmx512m 
 -XX:MaxDirectMemorySize=512m 
 -Dsun.net.inetaddr.ttl=1800 
 -Dorg.globus.tcp.port.range=20000,24000 
 -Djava.net.preferIPv4Stack=true 
 -Dorg.dcache.dcap.port=0 
 -Dorg.dcache.net.tcp.portrange=24000:24100 
 -Dlog4j.configuration=file:${ourHomeDir}/config/log4j.properties"

The client-side range (used when dCache acts as the GridFTP client) is set in node_config:

clientDataPortRange=24100:24200
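As an added example (not part of this wiki page and not dCache's own tooling), the following Python script turns the settings quoted above into a firewall checklist: it parses the data port ranges out of the java_options line and the node_config setting (handling both the LOW:HIGH spelling used by dCache and the LOW,HIGH spelling used by the Globus option), reports ranges that share ports, checks that none of the internal-only ports from the port table would fall inside an externally opened range, and emits the iptables INPUT rules for a pool node and for a door node. The port table, the sample java_options and node_config contents are copied from this page; the iptables syntax, the role names and the assumption that both ends of a range are inclusive are the example's own.

```python
import re

# Constructed sample input, copied from the settings quoted on this page: the
# java_options line of the pool/door nodes and the node_config setting.
JAVA_OPTIONS = (
    "-server -Xmx512m -XX:MaxDirectMemorySize=512m -Dsun.net.inetaddr.ttl=1800 "
    "-Dorg.globus.tcp.port.range=20000,24000 -Djava.net.preferIPv4Stack=true "
    "-Dorg.dcache.dcap.port=0 -Dorg.dcache.net.tcp.portrange=24000:24100"
)
NODE_CONFIG = "clientDataPortRange=24100:24200\n"

# Fixed service ports from the table on this page, keyed by port, with a short
# role name and the page's External Access column (yes / maybe / no).
SERVICE_PORTS = {
    32768: ("nfs-rpc", "no"), 111: ("portmapper", "no"), 1939: ("portmapper", "no"),
    33808: ("portmapper", "no"), 34075: ("postgres", "no"), 33823: ("dcache-internal", "no"),
    8443: ("srm", "yes"), 2288: ("web-interface", "maybe"), 22223: ("admin", "maybe"),
    22125: ("dcap", "yes"), 22128: ("gsidcap", "yes"),
}

RANGE_RE = re.compile(r"^\s*(\d+)\s*[:,]\s*(\d+)\s*$")


def parse_range(text):
    """Parse 'LOW:HIGH' (dCache spelling) or 'LOW,HIGH' (Globus spelling)."""
    m = RANGE_RE.match(text)
    if not m:
        raise ValueError("not a port range: %r" % text)
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("port range out of order or out of bounds: %r" % text)
    return lo, hi


def data_port_ranges(java_options, node_config):
    """Collect the data-transfer ranges an admin must open (assumed role names):
    'server' is where movers listen for passive clients; 'client' is where a pool,
    acting as GridFTP client in a third-party copy, listens for an active remote
    server; 'globus' is the range the Globus/GSI layer draws from."""
    found = {}
    for key, pattern, source in (
        ("server", r"-Dorg\.dcache\.net\.tcp\.portrange=(\S+)", java_options),
        ("globus", r"-Dorg\.globus\.tcp\.port\.range=(\S+)", java_options),
        ("client", r"^clientDataPortRange=(\S+)", node_config),
    ):
        m = re.search(pattern, source, re.MULTILINE)
        if m:
            found[key] = parse_range(m.group(1))
    return found


def shared_ports(ranges):
    """Pairs of ranges that have ports in common (ranges treated as inclusive)."""
    names = sorted(ranges)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo = max(ranges[a][0], ranges[b][0])
            hi = min(ranges[a][1], ranges[b][1])
            if lo <= hi:
                hits.append((a, b, lo, hi))
    return hits


def internal_ports_in_ranges(ranges, service_ports=SERVICE_PORTS):
    """Internal-only service ports that an opened data range would expose."""
    return sorted(
        port for port, (_, access) in service_ports.items()
        if access == "no" and any(lo <= port <= hi for lo, hi in ranges.values())
    )


def pool_node_rules(ranges):
    """iptables INPUT rules for a pool node: both data ranges inbound."""
    rules = []
    for key in ("server", "client"):
        if key in ranges:
            lo, hi = ranges[key]
            rules.append("iptables -A INPUT -p tcp --dport %d:%d -j ACCEPT" % (lo, hi))
    return rules


def door_node_rules(expose_maybe=False, service_ports=SERVICE_PORTS):
    """iptables INPUT rules for a door node: 'yes' ports always, 'maybe' ports
    only when the admin opts in, 'no' ports never."""
    wanted = {"yes"} | ({"maybe"} if expose_maybe else set())
    return [
        "iptables -A INPUT -p tcp --dport %d -j ACCEPT  # %s" % (port, name)
        for port, (name, access) in sorted(service_ports.items())
        if access in wanted
    ]


if __name__ == "__main__":
    ranges = data_port_ranges(JAVA_OPTIONS, NODE_CONFIG)
    print("ranges:", ranges)
    print("ranges sharing ports:", shared_ports(ranges))
    print("internal-only ports inside opened ranges:", internal_ports_in_ranges(ranges))
    print("\n".join(pool_node_rules(ranges) + door_node_rules()))
```

Run against the page's own values the script reports no internal-only port inside an opened range, and it lists the boundary ports 24000 and 24100 as shared between adjacent ranges because it treats both ends as inclusive; whether dCache itself counts the upper bound is for the admin to confirm against the installed version before trimming a range.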