stanford-rc / globus.stanford.edu

globus.stanford.edu — The Globus @ Stanford web site
https://globus.stanford.edu/

firewall-cmd rules needed in RHEL/CentOS 7 #29

Closed akkornel closed 6 years ago

akkornel commented 6 years ago

In RHEL and CentOS 7, with firewalld, it would be nice to explain the commands to properly enable Globus.

The following block will do three things:

  1. Create an IPset for Globus' IP range.
  2. Create service entries for GridFTP data ports, and for MyProxy (GridFTP control already exists in /etc/services).
  3. Allow the GridFTP data ports, and allow MyProxy & GridFTP only for Globus.
```sh
# Step 1: define an ipset holding the Globus IP range (firewalld names the ipset after the file).
cat <<'EOF' >/etc/firewalld/ipsets/globus.xml
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <short>Globus</short>
  <description>Globus IPs</description>
  <option name="family" value="inet"/>
  <entry>54.237.254.192/29</entry>
</ipset>
EOF

# Step 2: define services for the GridFTP data port range and for MyProxy.
cat <<'EOF' >/etc/firewalld/services/gridftp-data.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>GridFTP Data</short>
  <description>GridFTP endpoint-to-endpoint data transfer</description>
  <port protocol="tcp" port="50000-51000"/>
</service>
EOF
cat <<'EOF' >/etc/firewalld/services/myproxy.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>MyProxy</short>
  <description>MyProxy Authentication</description>
  <port protocol="tcp" port="7512"/>
</service>
EOF

# Reload so firewalld reads the new ipset and service files before the rules reference them.
firewall-cmd --reload

# Step 3: GridFTP control (gsiftp, resolved from /etc/services) and MyProxy accept only from the
# Globus ipset; the data port range is open to any source, since transfers arrive from the peer endpoint.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source ipset="globus" port port="gsiftp" protocol="tcp" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source ipset="globus" service name="myproxy" accept'
firewall-cmd --permanent --add-service=gridftp-data
firewall-cmd --reload
```
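As an added example that is not part of the original issue or of the stanford-rc project, the same three-step procedure as a parameterized POSIX shell script. The install root, the firewalld zone (assumed to be `public`, which the post does not say), the Globus range and the data port range are variables, and `FIREWALL_CMD` is a hypothetical stand-in so the generated XML and the `firewall-cmd` invocations can be inspected on a machine without firewalld before anything is applied to a live endpoint. It uses the numeric control port 2811 (gsiftp in /etc/services) instead of the service name, passes `--zone` explicitly, and ends with a listing of what landed in the running configuration.

```sh
#!/bin/sh
# Added example (not the issue author's script): the same three steps as the
# post above, with the install root, zone, Globus ranges and data-port range as
# parameters so the generated files can be inspected before anything is applied.
set -eu

# Assumptions not taken from the original post: the endpoint's interface sits in
# the "public" zone, and FIREWALL_CMD may point at a stand-in (e.g. "echo") to
# preview the commands on a host without firewalld.
GLOBUS_CIDRS="${GLOBUS_CIDRS:-54.237.254.192/29}"        # Globus range from the post
GRIDFTP_DATA_PORTS="${GRIDFTP_DATA_PORTS:-50000-51000}"  # data port range from the post
FIREWALLD_ZONE="${FIREWALLD_ZONE:-public}"

fw() { "${FIREWALL_CMD:-firewall-cmd}" "$@"; }

# Steps 1 and 2: write the ipset and service definitions under $1
# (default /etc/firewalld). firewalld names an ipset or service after its file,
# so the rules below refer to "globus", "gridftp-data" and "myproxy".
write_globus_firewalld_config() {
    root="${1:-/etc/firewalld}"
    mkdir -p "$root/ipsets" "$root/services"

    {
        printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' \
                      '<ipset type="hash:net">' \
                      '  <short>Globus</short>' \
                      '  <description>Globus IPs</description>' \
                      '  <option name="family" value="inet"/>'
        for cidr in $GLOBUS_CIDRS; do   # word-split on purpose: space-separated list
            printf '  <entry>%s</entry>\n' "$cidr"
        done
        printf '%s\n' '</ipset>'
    } >"$root/ipsets/globus.xml"

    cat >"$root/services/gridftp-data.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>GridFTP Data</short>
  <description>GridFTP endpoint-to-endpoint data transfer</description>
  <port protocol="tcp" port="$GRIDFTP_DATA_PORTS"/>
</service>
EOF

    cat >"$root/services/myproxy.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>MyProxy</short>
  <description>MyProxy Authentication</description>
  <port protocol="tcp" port="7512"/>
</service>
EOF
}

# Step 3: reload so firewalld reads the new files, then add the rules to the zone.
# Control channel (gsiftp, 2811/tcp in /etc/services) and MyProxy accept only from
# the Globus ipset; the data range is open to any source because transfers arrive
# from whichever peer endpoint is on the other side. Only IPv4 is covered, to
# match the inet ipset written above.
apply_globus_firewall() {
    zone="${1:-$FIREWALLD_ZONE}"
    fw --reload
    fw --permanent --zone="$zone" --add-rich-rule='rule family="ipv4" source ipset="globus" port port="2811" protocol="tcp" accept'
    fw --permanent --zone="$zone" --add-rich-rule='rule family="ipv4" source ipset="globus" service name="myproxy" accept'
    fw --permanent --zone="$zone" --add-service=gridftp-data
    fw --reload
}

# Show what ended up in the running configuration.
show_globus_firewall() {
    zone="${1:-$FIREWALLD_ZONE}"
    fw --get-ipsets
    fw --zone="$zone" --list-services
    fw --zone="$zone" --list-rich-rules
}

# Usage: sh globus-firewall.sh apply [zone]  (as root). Without arguments the
# script only defines the functions above, so it can be sourced for a dry run.
if [ "${1:-}" = "apply" ]; then
    write_globus_firewalld_config /etc/firewalld
    apply_globus_firewall "${2:-$FIREWALLD_ZONE}"
    show_globus_firewall "${2:-$FIREWALLD_ZONE}"
fi
```

For a dry run on a workstation, source the file and call the functions with a scratch root and the stand-in command: `FIREWALL_CMD=echo; . ./globus-firewall.sh; write_globus_firewalld_config /tmp/fw; apply_globus_firewall public` prints every `firewall-cmd` argument list and leaves the XML under /tmp/fw for review. The first `--reload` is not optional: rich rules that name an ipset or service fail to parse until firewalld has loaded the corresponding file.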
akkornel commented 6 years ago

Completed in commit 74710663fa9280bbf264ee325f5cf102f67cb0a8!