BWCTL TCP/UDP Port Usage and Firewall Configuration

bwctl uses 3 different sets of ports:

  1. Main daemon listening port for control connection (Default: TCP/4823)

    2. Defined using the port portion of the src_node configuration option from bwctld.conf

    For example, to enable this on a typical RHEL 4 system, you would need to add the following line to /etc/sysconfig/iptables:

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4823 -j ACCEPT

    This should be added somewhere *after* the line that allows ESTABLISHED and RELATED connections through.

    (Note that this does not use the system-config-securitylevel script from Redhat. I have not been able to get that to do all the things I needed.)

  2. bwctld peer connections (Default: TCP/ephemeral range)

    3. Defined using the peer_ports configuration option from bwctld.conf

    If you specified peer_ports as 9910-9950, you could would then need to enable this range in your firewall configuration. (If you do not specify a range, bwctl will only work reliably if you have open access for the entire ephemeral port range.)

    On a typical RHEL 4 system, you would need to add the following line to /etc/sysconfig/iptables given this range:

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9910:9950 -j ACCEPT

    This should be added somewhere *after* the line that allows ESTABLISHED and RELATED connections through.

    (Note that this does not use the system-config-securitylevel script from Redhat. I have not been able to get that to do all the things I needed.)

  3. iperf test connections (Default: TCP/5001 and UDP/5001)

    4. Defined using the iperf_port configuration option from bwctld.conf

    If you specified iperf_port as 5001-5004, you could would then need to enable this range in your firewall configuration. If you allow UDP tests (in your bwctld.limits file) then you will need to open up the UDP ports. Likewise for TCP. The default is 5001 for TCP and UDP tests, and you will only be able to test if you open the ports specified.

    On a typical RHEL 4 system, you would need to add the following lines to /etc/sysconfig/iptables given this range:

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5001 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p ucp --dport 5001 -j ACCEPT

    This should be added somewhere *after* the line that allows ESTABLISHED and RELATED connections through.

    (Note that this does not use the system-config-securitylevel script from Redhat. I have not been able to get that to do all the things I needed.)

Example RHEL 4 /etc/sysconfig/iptables file

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# bwctld listen port (src_node)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4823 -j ACCEPT
# bwctld peer_ports
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9910:9950 -j ACCEPT
# bwctl/iperf_port
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5001 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p ucp --dport 5001 -j ACCEPT
# reject anything that has not matched
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT