BWCTL TCP/UDP Port Usage and Firewall Configuration

BWCTL uses three different sets of ports:

  1. Main daemon listening port for control connection (Default: TCP/4823)

    2. Defined using the port portion of the src_node configuration option from bwctld.conf

    For example, to enable this on a typical Red Hat Enterprise Linux system, you would need to add the following line to /etc/sysconfig/iptables:

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4823 -j ACCEPT

    This should be added somewhere after the line that allows ESTABLISHED and RELATED connections through.

    This does not use the system-config-securitylevel script from Redhat. I have not been able to get that to do all the things I needed.

  2. bwctld peer connections (Default: TCP/ephemeral range)

    3. Defined using the peer_port configuration option from bwctld.conf

    If you specified peer_port as 9910-9950, you would then need to enable this range in your firewall configuration. (If you do not specify a range, BWCTL will only work reliably if you have open access for the entire ephemeral port range.)

    On a typical Red Hat Enterprise Linux system, you would need to add the following line to /etc/sysconfig/iptables given this range:

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9910:9950 -j ACCEPT

    This should be added somewhere after the line that allows ESTABLISHED and RELATED connections through.

    This does not use the system-config-securitylevel script from Redhat. I have not been able to get that to do all the things I needed.

  3. Test Connections (Default: Tool Specific)

    4. Each throughput tester can have its own port defined in bwctld.conf. The configuration option for each tester takes the form testername_port. For example, to set the Thrulay port, you would use the option thrulay_port. The following example would apply to any of the testers, just changing the appropriate configuration option.

    If you specified iperf_port as 5001-5004, you would then need to enable this range in your firewall configuration. If you allow UDP tests (in your bwctld.limits file), you will need to open up the UDP ports. Likewise for TCP. The default is 5001 for TCP and UDP tests, and you will only be able to test if you open the ports specified.

    On a typical Red Hat Enterprise Linux system, you would need to add the following lines to /etc/sysconfig/iptables given this range:

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5001:5004 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p ucp --dport 5001:5004 -j ACCEPT

    This should be added somewhere after the line that allows ESTABLISHED and RELATED connections through.

    This does not use the system-config-securitylevel script from Redhat. I have not been able to get that to do all the things I needed.

Example RHEL 4 /etc/sysconfig/iptables file

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# bwctld listen port (src_node)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4823 -j ACCEPT
# bwctld peer_ports
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9910:9950 -j ACCEPT
# bwctl/iperf_port
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5001 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p ucp --dport 5001 -j ACCEPT
# reject anything that has not matched
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT