fasterdata.es.net: ESnet Network Performance Knowledge Base

perfSONAR Firewall Requirements

perfSONAR Port Requirements / Firewall Rules

perfSONAR includes many services, each of which requires one or more open ports. If you are deploying perfSONAR behind a firewall, you will need to change your firewall configuration to allow the following incoming and outgoing ports. Note that in general it is not recommended to run a 10G perfSONAR server behind a firewall, as many firewalls cannot handle full 10G flows. Blocking outgoing connections is particularly problematic, as described in the perfSONAR FAQ. Also note that bwctl and owamp provide their own mechanisms to limit what can connect.

A sample iptables configuration for Linux is available here (and an ip6tables configuration can be found here). A script to check your firewall configuration is available here. Note that in testing, IPv4 traffic (both UDP and TCP) was unaffected by the use of IPTables. IPv6 traffic, specifically UDP, can be impacted at higher speeds, which results in small amounts of packet loss. Please test the use of IPTables and IP6Tables on your hardware before deploying, to determine whether the firewall will cause any packet loss during network testing.

A summary of all required ports for perfSONAR Toolkit operation can be found on the perfSONAR website: http://www.perfsonar.net/deploy/security-considerations/

ESnet's perfSONAR hosts are in the subnets listed on this page.