Access to srm and gridftp server from behind a firewall
When files are transferred in gridftp active mode from the gridftp server to
the gridftp client, the server establishes the data channel(s) by connecting
to the client. In this case the client creates a tcp socket, bound to some
particular address on the client host, and sends the client host ip and
port to the server. If the client host is running a firewall, the firewall
might refuse the server's connection to the client's listening socket.
A common solution to this problem is to change the firewall rules to
establish a range of ports on the client's host that accept connections
from the Internet. Once the port range is defined, the client can
be directed to use one of the ports from the port range when creating
listening tcp sockets.
Access with srmcp
If you are using srmcp as a client you need to do the following:
- create a directory $HOME/.globus if it does not exist
- create and/or edit a file $HOME/.globus/cog.properties by appending a
  new line reading "tcp.port.range=<min>,<max>", where <min> and <max>
  are the lower and upper bounds of the port range.
Access with globus-url-copy
If you are transferring files from a gridftp server using
globus-url-copy, you need to define the environment variable
GLOBUS_TCP_PORT_RANGE in the same shell in which globus-url-copy will
be executed.
In sh/bash you do that by invoking the following command:
$ export GLOBUS_TCP_PORT_RANGE="<min>,<max>"
In csh/tcsh you invoke:
$ setenv GLOBUS_TCP_PORT_RANGE "<min>,<max>"
Here <min> and <max> are again the lower and upper bounds
of the port range.
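
The srmcp and globus-url-copy steps above can be applied together from sh/bash. The following is an added example, not part of the original page: the function name set_grid_port_range and the sample range in its comments are assumptions, and it validates the bounds and replaces an existing tcp.port.range line instead of appending a second one.

```sh
#!/bin/sh
# Added example, not part of the original page. The function name is an
# assumption. Source this file so the export reaches the shell that will
# run globus-url-copy, e.g.:  set_grid_port_range 50000 50100
# (50000-50100 is a constructed sample range; use the range your
# firewall rules actually open).

set_grid_port_range() {
    min=$1
    max=$2
    props_dir="$HOME/.globus"
    props="$props_dir/cog.properties"

    # Reject anything that is not a decimal port number. The 1024 floor is
    # a choice made for this example: lower ports normally need root to bind.
    for p in "$min" "$max"; do
        case "$p" in
            ''|*[!0-9]*) echo "not a port number: '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1024 ] && [ "$p" -le 65535 ] ||
            { echo "port out of range: $p" >&2; return 1; }
    done
    [ "$min" -le "$max" ] ||
        { echo "<min> must not exceed <max>" >&2; return 1; }

    # srmcp: keep every other property, drop any earlier tcp.port.range
    # line so the setting is never duplicated, then append the new one.
    mkdir -p "$props_dir" || return 1
    touch "$props" || return 1
    tmp="$props.tmp.$$"
    awk '!/^[ \t]*tcp\.port\.range[ \t]*=/' "$props" > "$tmp" || return 1
    printf 'tcp.port.range=%s,%s\n' "$min" "$max" >> "$tmp" || return 1
    mv "$tmp" "$props" || return 1

    # globus-url-copy: same range, taken from the environment.
    GLOBUS_TCP_PORT_RANGE="$min,$max"
    export GLOBUS_TCP_PORT_RANGE
}
```
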
Author : Timur Perelmutov <timur@fnal.gov>
$Id: firewall.html,v 1.1 2005/08/29 11:59:50 timur Exp $