
[IDD #UXL-280977]: ldm issues



Hi Frank,

re:
> I'm trying to get a second ldm machine running, fed from our primary
> machine.  Right now, drizzl.uml.edu receives data from further up the
> stream, using LDM version 6.7.1.  This data flows perfectly well.

Very good.

re:
> I'm trying to start a new machine, stratus.uml.edu, that will receive
> data from drizzl.  I've tried to make sure the request entries on
> stratus are correct, and that the ALLOW lines on drizzl are correct.  I
> did find some stray spaces where only tab characters belonged.  I have
> double checked these, and am pretty sure they are all okay.

I don't think that the problem you are experiencing is due to problems
in your ~ldm/etc/ldmd.conf file.

re:
> I'm still getting the "Denying connection from "stratus.uml.edu" in the
> drizzl ldmd.log, with no further elaboration in the message, and no log
> at all on stratus.

Assuming that LDM logging is working on stratus, not seeing any log messages
indicating that stratus is denying a connection attempt from drizzl indicates
that the REQUEST is not making it to the LDM on stratus.  This is typically
due to a firewall blocking the REQUEST which will be on port 388 on the
upstream machine (stratus in your case).

re:
> I think I have found the issue - I need to allow tcp incoming
> connections on port 388.

On stratus, yes.

re:
> I added a line to the /etc/services file, with
> 388/tcp as the action.

This is not how one configures the firewall on a Linux machine.  If
the firewall that is blocking the REQUEST is on stratus, then you will
need to create a rule in /etc/sysconfig/iptables.  This rule would look
something like:

...
-A UNIDATA -m state --state NEW -p tcp --dport 388 -j ACCEPT

NB: this simple rule would allow any machine to contact stratus
on port 388.  It is much smarter to limit the set of machines
allowed by specifying something like:

...
-A INPUT -s nnn.nnn.nnn.0/24 -j UNIDATA
...
-A UNIDATA -m state --state NEW -p tcp --dport 388 -j ACCEPT

Here 'nnn.nnn.nnn' is the first three octets of the network
to be allowed, which would be 129.63.143 for your network.

You could really clamp down by specifying the full IP address
for the machine you want to allow.  For instance:

...
-A INPUT -s 129.63.143.202 -j UNIDATA
...
-A UNIDATA -m state --state NEW -p tcp --dport 388 -j ACCEPT

re:
> I restarted xinetd, but that didn't change
> anything.

xinetd has nothing to do with your firewall, so restarting it
would not make a difference.  Again, if you are running a
firewall on stratus, and if the firewall is controlled by
rules in /etc/sysconfig/iptables, then you would restart
your firewall after making the appropriate change using:

<as 'root'>
/etc/init.d/iptables restart

OR

service iptables restart

re:
> I rebooted, and I'm still getting the same "Denying ..."
> message.

This is because the real cause of the denial has not been addressed.

re:
> I feel like I'm missing something basic, but am out of ideas.  What am I
> missing?

All you are missing is familiarity with how to configure firewalls under
RedHat variant Linux systems.

We would be happy to log on to your system and set up your firewall for
you (and let you know what we did).  In order to do this, however, we
would need the password for 'root' on stratus, AND stratus' firewall
would have to already have been configured to allow SSH connections
from machines in the unidata.ucar.edu domain.  If you are interested
in our help, please give me a call at 303.497.8642 so we can discuss
things. Do _not_ send the root password in an email!!!!
 
re:
> PS:  the new machine, stratus.uml.edu, is running LDM version 6.8.1.
> Both machines run CentOS.

OK, thanks for the information.

Cheers,

Tom
--
****************************************************************************
Unidata User Support                                    UCAR Unidata Program
(303) 497-8642                                                 P.O. Box 3000
address@hidden                                   Boulder, CO 80307
----------------------------------------------------------------------------
Unidata HomePage                       http://www.unidata.ucar.edu
****************************************************************************
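Added example, not part of the support exchange above: a small checker that reads an iptables-save style rule set with the INPUT -> UNIDATA chain layout quoted in the reply and reports whether a new TCP connection to port 388 from a given host would be accepted. The rule text and the 192.0.2.10 address are constructed sample data.

```python
import ipaddress
import shlex

# Constructed sample, modelled on the /etc/sysconfig/iptables rules quoted above.
SAMPLE_RULES = """
*filter
:INPUT DROP [0:0]
:UNIDATA - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 129.63.143.0/24 -j UNIDATA
-A UNIDATA -m state --state NEW -p tcp --dport 388 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Return (policies, chains): default policy per chain and ordered rule dicts."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # chain declaration
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):                  # append rule
            toks = shlex.split(line)
            rule = {"chain": toks[1]}
            for i, tok in enumerate(toks):
                if tok in ("-s", "-p", "--dport", "-j", "--state"):
                    rule[tok] = toks[i + 1]
            chains.setdefault(rule["chain"], []).append(rule)
    return policies, chains

def rule_matches(rule, src, dport):
    """Does the rule match a NEW TCP connection from src to dport?"""
    if "-s" in rule and src not in ipaddress.ip_network(rule["-s"], strict=False):
        return False
    if rule.get("-p", "tcp") != "tcp":
        return False
    if "--dport" in rule and int(rule["--dport"]) != dport:
        return False
    return "--state" not in rule or "NEW" in rule["--state"].split(",")

def verdict(policies, chains, chain, src, dport):
    """Walk a chain, following jumps into user chains; return the terminal target."""
    for rule in chains.get(chain, []):
        target = rule.get("-j")
        if target is None or not rule_matches(rule, src, dport):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = verdict(policies, chains, target, src, dport)
        if sub is not None:
            return sub
    return policies.get(chain)   # None for user chains: fall back to the caller

def ldm_request_allowed(rules_text, downstream_ip, port=388):
    """True if the firewall admits a new TCP connection to `port` from downstream_ip."""
    policies, chains = parse_rules(rules_text)
    return verdict(policies, chains, "INPUT", ipaddress.ip_address(downstream_ip), port) == "ACCEPT"
```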


Ticket Details
===================
Ticket ID: UXL-280977
Department: Support IDD
Priority: Normal
Status: Closed