perfSONAR Firewall Requirements
perfSONAR Port Requirements / Firewall Rules
perfSONAR includes many services, each of which requires one or more open ports. If you are deploying perfSONAR behind a firewall, you will need to change your firewall configuration to allow the following incoming and outgoing ports. Note that in general it is not recommended to run a 10G (or faster) perfSONAR server behind a firewall, as many firewalls cannot handle large flows. Blocking outgoing connections is particularly problematic, as described in the perfSONAR port breakdown. Also note that bwctl and owamp provide their own mechanisms to limit what can connect.
perfSONAR hosts have a default iptables ruleset that is enabled for all required ports. A summary of all ports required for perfSONAR Toolkit operation can be found on the perfSONAR website: http://www.perfsonar.net/deploy/security-considerations/. Note that a host-based firewall, such as iptables, has the potential to impact performance. See also this evaluation of iptables performance.
ESnet's perfSONAR hosts are in the subnets listed on this page.