Network Performance Knowledge Base

perfSONAR Firewall Requirements

perfSONAR Port Requirements / Firewall Rules

perfSONAR includes many services, each of which requires one or more open ports. If you are deploying perfSONAR behind a firewall you will need to change your firewall configuration to allow the following incoming and outgoing ports. Note that in general it is not recommended to run a 10G perfSONAR server behind a firewall, as many firewalls can not do full 10G flows. Blocking outgoing connections is particularly problematic, as described in the perfSONAR FAQ. Also note that bwctl and owamp provide their own mechanisms to limit what can connect.

A sample iptables configuration for Linux is available here (and an ip6tables configuration can be found here). A script to check your firewall configuration is available here.

perfSONAR tool requirements

  • bwctl --  By default bwctl uses random ports, so you must set  peer_port in if behind a firewall. Edit bwctld.conf, and set peer_port to a specific port range (default peer_port is 6001-6200), and open those tcp ports. Also set iperf_port and nuttcp_port , and open TCP and UDP for that range. (default iperf_port is 5001-5200). The number of ports needed depends on how many tests are configured. We recommend at least 25 ports for each range.
  • owamp -- By default owamp uses random ports, so you must set testports if behind a firewall. Edit owampd.conf, and set testports to a range of ports (default testports is 8760-8960), and open those udp ports.The size of the range needs to be the maximum possible number of simultaneous owamp tests you wish to allow. (ESnet sets this to a range of 100 ports).

perfSONAR Toolkit Port Summary

Service Ports Required Protocol Direction
bwctl 4823, 6001-6200 or peer_port range
TCP/UDP in/out
iperf/nuttcp/iperf3 5001-5600 or iperf_port and nuttcp_port ranges
TCP/UDP in/out
owamp control 861 TCP in/out
owamp tests 8760-9960 or testports range
UDP in/out
perfSONAR-BUOY 8085, 8569, 8570 TCP in/out
Lookup Service 8090, 8095, 8096, 9995 TCP in/out
SNMP MA 8065, 9990
TCP incoming
PingER 8075 TCP/ICMP in/out
NDT 3001-3003, 7123 TCP in/out
NPAD 8000, 8001-8020 TCP in/out
ping   ICMP in/out
DNS 53 UDP outgoing
ssh 22 TCP incoming
http/https 80,443 TCP incoming
NTP 123 UDP outgoing
Traceroute MA 8086, 8087 TCP/UDP in/out
traceroute 33434-33634 UDP in/out



For more information see the perfSONAR FAQ on port requirements.

ESnet's perfSONAR hosts are on the following subnets: