20020403: Change LDM server from cirrus to rainbow



>From: Eirh-Yu Hsie <address@hidden>
>Organization: Aeronomy Laboratory/NOAA/DOC
>Keywords: 200204032337.g33Nbna26366 IDD LDM

Hsie,

re:
>MSCD has trouble receiving data from my new server "rainbow.al.noaa.gov".

The 'accept' lines in ldmd.conf are not needed by LDM 5 servers.  This
construct was originally developed for LDM 4 protocols.  It went away
a long time ago with the exception of point-to-point feeds from WSI.
Since WSI has upgraded their LDM to 5 protocols, the accept lines are
not even needed for those feeds.

If Tony continues to have problems feeding from you, he should see
if the DNS server he is using can do the necessary forward and
reverse name lookups for your machine, and you should do the same
for Tony's machine.

A quick test for Tony to run is to see if he can do a notifyme to
rainbow:

notifyme -vxl- -f ANY -h rainbow.al.noaa.gov

I ran this command successfully from a machine here at the UPC, so I
know that rainbow is accessible.

I hope that this helps...

>rockwooa wrote:
>> 
>> Hsie,
>> 
>>Thanks, however I've never had cirrus in my "accept" line, in fact I've never
>>had anything in the "accept" lines since it was never needed.  If it is needed
>>now, can you send me an example of what it should look like?
>> 
>> Thanks,
>> 
>> Tony
>> 
>
>The following is from my /home/ldm/etc/ldmd.conf file:
>
>##############################################################################
># ACCEPT: Who can feed us
>#
># accept <feedset> <pattern> <hostname pattern>
>##############################################################################
>
>
># accept anything from yourself
>accept  ANY
>    .*
>    ^((localhost|loopback)|(127\.0\.0\.1\.?$))
>
># accept from your upstream site
>accept  ANY
>        .*
>        ^[a-z].*\.al\.noaa\.gov$
>accept  ANY
>        .*
>        ^[a-z].*\.unidata\.ucar\.edu$
>accept  ANY
>        .*
>        ^thelma\.ucar\.edu$
>
>> >===== Original Message From Eirh-Yu Hsie <address@hidden> =====
>> >Hello:
>> >
>> >rockwooa wrote:
>> >>
>> >> Hsie,
>> >>
>> >> Is the LDM actually running on rainbow right now?  When I switched over to
>> >> it, I get no data.
>> >>
>> >
>> >You need to change 2 places in /home/ldm/etc/ldmd.conf file:
>> >
>> >(1) The "request" line.
>> >(2) The "accept" line.
>> >
>> >Hsie
>> >-------------------------
>> >Eirh-Yu Hsie
>> >Aeronomy Laboratory/NOAA
>> >325 Broadway, R/AL4
>> >Boulder, CO  80305-3328
>> >voice:  303-497-3275
>> >fax:    303-497-5373
>> 
>> ****************************************************************************
>>  Anthony A. Rockwood
>>  Metropolitan State College of Denver
>>  Meteorology Program
>>  Dept.of Earth and Atmospheric Sciences
>>  P.O. Box 173362, Campus Box 22
>>  Denver, CO  80217-3362
>> 
>>  Office: 303.556.8399
>>  fax: 303.556.4436
>> 
>>  address@hidden
>>  www.mscd.edu/~eas
>> 
>> ****************************************************************************
>
>-- 
>-------------------------
>Eirh-Yu Hsie
>Aeronomy Laboratory/NOAA
>325 Broadway, R/AL4
>Boulder, CO  80305-3328
>voice:  303-497-3275
>fax:    303-497-5373

Tom

>From address@hidden Thu Apr  4 12:37:53 2002
>To: Eirh-Yu Hsie <address@hidden>,
>   Unidata Support <address@hidden>

Hsie and Tom,

Thanks for the suggestions.  A NOTIFYME command returns the following:

wxbox% notifyme -vxl- -f ANY -h rainbow.al.noaa.gov
Apr 04 19:29:06 notifyme[19785]: Starting Up: rainbow.al.noaa.gov: 20020404192906.062 TS_ENDT {{ANY,  ".*"}}
Apr 04 19:29:06 notifyme[19785]: NOTIFYME(rainbow.al.noaa.gov): 7: Access denied by remote server

A new firewall was installed down here last weekend and I'm in the process of 
checking with the network folks to see if this is related.  I'll let you know.
 In the mean time, I'll feed from cirrus.

Thanks,

Tony

>From address@hidden Thu Apr  4 13:23:50 2002
>To: rockwooa <address@hidden>, address@hidden
>Subject: Re: rainbow won't allow wxbox

Hello:

rockwooa wrote:
> 
> Hsie,
> 
> Can you check to see if rainbow is set to allow wxbox to feed data?  Seems as
> though things are ok on this end.
> 
> Thanks,
> 
> Tony
> 

wxbox.mscd.edu is definitely in rainbow.al.noaa.gov's allow list.

allow   UNIDATA|FSL2|NEXRAD
        ^wxbox\.mscd\.edu$

I can not see you from my end either:

[root@rainbow ~]# traceroute wxbox.mscd.edu
traceroute to wxbox.mscd.edu (147.153.170.11), 30 hops max, 38 byte packets
 1  al240gateway.al.noaa.gov (140.172.240.1)  0.967 ms  0.800 ms  0.618 ms
 2  brdwy-rtr-bb.boulder.noaa.gov (140.172.254.249)  1.232 ms  1.292 ms  2.316 ms
 3  ncar-ml-rtr-atm.boulder.noaa.gov (140.172.1.253)  1.556 ms  1.200 ms  1.257 ms
 4  frgp-gw-1.ucar.edu (128.117.243.114)  2.197 ms  1.878 ms  2.213 ms
 5  officepark-frgp.cudenver.edu (132.194.3.5)  5.205 ms  4.414 ms  6.531 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *


There must be some routing problem.  I do not see any connect messages
in my ldmd.log.


Hsie


> >>>>>>>>>>>>>>>>>>>>>>>>>>>
> 
> Kurt Ramsden wrote:
> 
> > Hi Tony,
> >
> > I think this is the same problem we had the last time.  rainbow needs to
> > be set to allow wxbox to connect to it.  This is a permission setting on
> > their end.
> >
> > This is what we are seeing in the ldmd.log:
> > Apr 03 23:10:07 wxbox rainbow[17388]: run_requester: 20020403230918.531
> > TS_ENDT {{FSL2|MCIDAS|IDS|DDPLUS,  ".*"},{HDS,  "(^H)|(^[YZ]
> > Apr 03 23:10:07 wxbox rainbow[17388]: FEEDME(rainbow.al.noaa.gov): 7:
> > Access denied by remote server
> > Apr 03 23:10:37 wxbox rainbow[17388]: run_requester: 20020403230918.531
> > TS_ENDT {{FSL2|MCIDAS|IDS|DDPLUS,  ".*"},{HDS,  "(^H)|(^[YZ]
> > Apr 03 23:10:37 wxbox rainbow[17388]: FEEDME(rainbow.al.noaa.gov): 7:
> > Access denied by remote server
> > Apr 03 23:11:07 wxbox rainbow[17388]: run_requester: 20020403230918.531
> > TS_ENDT {{FSL2|MCIDAS|IDS|DDPLUS,  ".*"},{HDS,  "(^H)|(^[YZ]
> > Apr 03 23:11:07 wxbox rainbow[17388]: FEEDME(rainbow.al.noaa.gov): 7:
> > Access denied by remote server
> > Apr 03 23:11:37 wxbox rainbow[17388]: run_requester: 20020403230918.531
> > TS_ENDT {{FSL2|MCIDAS|IDS|DDPLUS,  ".*"},{HDS,  "(^H)|(^[YZ]
> > Apr 03 23:11:37 wxbox rainbow[17388]: FEEDME(rainbow.al.noaa.gov): 7:
> > Access denied by remote server
> >
> 
> ****************************************************************************
>  Anthony A. Rockwood
>  Metropolitan State College of Denver
>  Meteorology Program
>  Dept.of Earth and Atmospheric Sciences
>  P.O. Box 173362, Campus Box 22
>  Denver, CO  80217-3362
> 
>  Office: 303.556.8399
>  fax: 303.556.4436
> 
>  address@hidden
>  www.mscd.edu/~eas
> 
> ****************************************************************************

>From address@hidden Thu Apr  4 15:56:52 2002
>To: address@hidden, address@hidden
>Subject: Re: Ref.: wxbox/rainbow/cirrus and MSCD firewall

Hello:

We need some help here.

Clyde Hoadley wrote:
> 
> Below is the firewall access control lists in and out to/from
> wxbox.mscd.edu.   I just noticed that the firewall is discarding
> udp high port to udp high port coming from both cirrus and
> rainbow.  I'll allow for that tonight.  However, reports that
> he is getting all of his data from cirrus so, I don't know what
> this udp traffic is.
> 
> --Clyde
> 
> This is our firewall acl_in
> access-list acl_in permit icmp any host 147.153.170.11 echo
> access-list acl_in permit tcp any host 147.153.170.11 range ftp-data telnet
> access-list acl_in permit tcp any host 147.153.170.11 eq smtp
> access-list acl_in permit tcp any host 147.153.170.11 eq www
> access-list acl_in permit tcp any host 147.153.170.11 eq sunrpc
> access-list acl_in permit udp any host 147.153.170.11 eq sunrpc
> access-list acl_in permit tcp any host 147.153.170.11 eq 388
> access-list acl_in permit udp any host 147.153.170.11 eq 388

I do not understand these two.  I can contact 147.153.170.11 port 388
from cirrus.  But I can not contact 147.153.170.11 port 388 from
rainbow:

rainbow:[41]% ldmping 147.153.170.11
Apr 04 22:41:00      State    Elapsed Port   Remote_Host           rpc_stat
Apr 04 22:41:00  ADDRESSED   0.051994    0   147.153.170.11  RPC: Unable to receive; errno = Connection reset by peer

cirrus:[41]% ldmping 147.153.170.11
Apr 04 22:47:20      State    Elapsed Port   Remote_Host           rpc_stat
Apr 04 22:47:20 RESPONDING   0.030843  388   147.153.170.11  
Apr 04 22:47:45 RESPONDING   0.006156  388   147.153.170.11  
Apr 04 22:48:10 RESPONDING   0.006857  388   147.153.170.11  
Apr 04 22:48:35 RESPONDING   0.008103  388   147.153.170.11  
Apr 04 22:49:00 RESPONDING   0.004796  388   147.153.170.11  
Apr 04 22:49:25 RESPONDING   0.008223  388   147.153.170.11  


I do not block any traffic on my port 388. i.e. I allow any machine to
contact my port 388 and I allow any packets from any machine port 388.

rainbow:[42]% ldmping weather.colorado.edu
Apr 04 22:51:35      State    Elapsed Port   Remote_Host           rpc_stat
Apr 04 22:51:35 RESPONDING   0.256004  388   weather.colorado.edu  
Apr 04 22:52:00 RESPONDING   0.001828  388   weather.colorado.edu  

> ...
> ...
> access-list acl_in deny ip any any
> 
> This is our firewall acl_out
> ...
> ...
> access-list acl_out deny tcp any any eq 69
> access-list acl_out permit tcp host 147.153.170.11 any eq sunrpc
> access-list acl_out permit udp host 147.153.170.11 any eq sunrpc
> access-list acl_out deny tcp any any eq sunrpc
> access-list acl_out deny udp any any eq sunrpc
> ...
> ...
> access-list acl_out permit ip 147.153.0.0 255.255.0.0 any
> 
> --
> Clyde Hoadley
> Information Security Analyst
> Metropolitan State College of Denver
> address@hidden, (303) 556-5074

Hsie
-------------------------
Eirh-Yu Hsie
Aeronomy Laboratory/NOAA
325 Broadway, R/AL4
Boulder, CO  80305-3328
voice:  303-497-3275
fax:    303-497-5373

>From address@hidden Thu Apr  4 16:05:53 2002

-- 
-------------------------
Eirh-Yu Hsie
Aeronomy Laboratory/NOAA
325 Broadway, R/AL4
Boulder, CO  80305-3328
voice:  303-497-3275
fax:    303-497-5373

>Date: Thu, 04 Apr 2002 15:18:27 -0700
>From: Clyde Hoadley <address@hidden>
>Subject: tcpdump from inside firewall - rainbow sending RST's
>To: address@hidden
>Cc: address@hidden, "Rockwood Anthony A [rockwooa]" <address@hidden>,
>   Kurt Ramsden <address@hidden>

Here is what a TCPDUMP captures from just inside of our firewall.
It shows that "rainbow" is sending RST's back to wxbox just after
the 3 way handshake.

22:13:11.868284 wxbox.mscd.edu.32952 > rainbow.al.noaa.gov.388: S 68579300:68579300(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
22:13:11.908284 rainbow.al.noaa.gov.388 > wxbox.mscd.edu.32952: S 2457169195:2457169195(0) ack 68579301 win 5840 <mss 1380,nop,nop,sackOK> (DF)
22:13:11.988284 wxbox.mscd.edu.32952 > rainbow.al.noaa.gov.388: . ack 1 win 24840 (DF)
22:13:11.988284 wxbox.mscd.edu.32952 > rainbow.al.noaa.gov.388: P 1:225(224) ack 1 win 24840 (DF)
22:13:12.028284 rainbow.al.noaa.gov.388 > wxbox.mscd.edu.32952: . ack 225 win 6432 (DF)
22:13:12.038284 rainbow.al.noaa.gov.388 > wxbox.mscd.edu.32952: P 1:25(24) ack 225 win 6432 (DF)
22:13:12.038284 rainbow.al.noaa.gov.388 > wxbox.mscd.edu.32952: R 25:25(0) ack 225 win 6432 (DF)
22:13:12.068284 wxbox.mscd.edu.32952 > rainbow.al.noaa.gov.388: . ack 25 win 24840 (DF)
22:13:12.078284 rainbow.al.noaa.gov.388 > wxbox.mscd.edu.32952: R 25:25(0) ack 225 win 24840 (DF)
22:13:21.768284 sentinel.fsl.noaa.gov > wxbox.mscd.edu: icmp: echo request (DF)
22:13:21.838284 wxbox.mscd.edu > sentinel.fsl.noaa.gov: icmp: echo reply (DF)
22:13:36.368284 wxbox.mscd.edu.32967 > striker.atmos.albany.edu.388: S 76365243:76365243(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
22:13:36.448284 striker.atmos.albany.edu.388 > wxbox.mscd.edu.32967: S 3193122357:3193122357(0) ack 76365244 win 1380 <mss 1380> (DF)
22:13:36.448284 wxbox.mscd.edu.32967 > striker.atmos.albany.edu.388: . ack 1 win 24840 (DF)
22:13:36.448284 wxbox.mscd.edu.32967 > striker.atmos.albany.edu.388: P 1:77(76) ack 1 win 24840 (DF)
22:13:36.648284 striker.atmos.albany.edu.388 > wxbox.mscd.edu.32967: . ack 77 win 2760 (DF)
22:13:41.178284 wxbox.mscd.edu.32968 > gobbo.fsl.noaa.gov.388: S 77620063:77620063(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
22:13:41.218284 gobbo.fsl.noaa.gov.388 > wxbox.mscd.edu.32968: S 3401357120:3401357120(0) ack 77620064 win 64860 <mss 1380>
22:13:41.218284 wxbox.mscd.edu.32968 > gobbo.fsl.noaa.gov.388: . ack 1 win 24840 (DF)
22:13:41.218284 wxbox.mscd.edu.32968 > gobbo.fsl.noaa.gov.388: P 1:101(100) ack 1 win 24840 (DF)
22:13:41.258284 gobbo.fsl.noaa.gov.388 > wxbox.mscd.edu.32968: . ack 101 win 64760
22:13:42.058284 wxbox.mscd.edu.32969 > rainbow.al.noaa.gov.388: S 78046856:78046856(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
22:13:42.068284 rainbow.al.noaa.gov.388 > wxbox.mscd.edu.32969: S 2483607207:2483607207(0) ack 78046857 win 5840 <mss 1380,nop,nop,sackOK> (DF)
22:13:42.068284 wxbox.mscd.edu.32969 > rainbow.al.noaa.gov.388: . ack 1 win 24840 (DF)
22:13:42.068284 wxbox.mscd.edu.32969 > rainbow.al.noaa.gov.388: P 1:225(224) ack 1 win 24840 (DF)
22:13:42.068284 rainbow.al.noaa.gov.388 > wxbox.mscd.edu.32969: P 1:25(24) ack 1 win 5840 (DF)
22:13:42.068284 rainbow.al.noaa.gov.388 > wxbox.mscd.edu.32969: F 25:25(0) ack 1 win 5840 (DF)
22:13:42.068284 rainbow.al.noaa.gov.388 > wxbox.mscd.edu.32969: R 2483607208:2483607208(0) win 0 (DF)
22:13:42.068284 wxbox.mscd.edu.32969 > rainbow.al.noaa.gov.388: . ack 25 win 24840 (DF)
22:13:42.068284 wxbox.mscd.edu.32969 > rainbow.al.noaa.gov.388: . ack 26 win 24840 (DF)
22:13:42.068284 wxbox.mscd.edu.32969 > rainbow.al.noaa.gov.388: F 225:225(0) ack 26 win 24840 (DF)
22:13:42.068284 rainbow.al.noaa.gov.388 > wxbox.mscd.edu.32969: R 25:25(0) ack 225 win 24840 (DF)
22:13:42.068284 rainbow.al.noaa.gov.388 > wxbox.mscd.edu.32969: R 26:26(0) ack 225 win 24840 (DF)
22:13:42.068284 rainbow.al.noaa.gov.388 > wxbox.mscd.edu.32969: R 26:26(0) ack 226 win 24840 (DF)

-- 
Clyde Hoadley
Information Security Analyst
Metropolitan State College of Denver
address@hidden, (303) 556-5074

>From address@hidden Thu Apr  4 18:05:26 2002
>Subject: Ref.: wxbox/rainbow/cirrus and MSCD firewall

Hello:

Clyde Hoadley wrote:
> 
> Ah!  That explains a lot!
> 
> Actually, it is in our name servers however, we discovered
> a couple of days ago that the internet root name servers
> are giving out obsolete info about our name servers.
> 
> We submitted updated information to ARIN yesterday.  Hopefully
> ARIN will update the root name servers tonight.  They should
> be pointing people to NS1.MSCD.EDU & NS2.MSCD.EDU instead of
> to thor.mscd.edu and clem.mscd.edu.  I hope they get updated
> tonight but, it could take 12-24 hours for the updates to
> propagate through the internet.
> 

In the meantime, I put a "147.153.170.11  wxbox.mscd.edu" entry in my
/etc/hosts file.  The system should consult the file first before it
consults DNS.  Hope this will help.

Hsie

> Eirh-Yu Hsie wrote:
> 
> > Hello:
> >
> > I found something in my ldmd.log:
> >
> >
> > Apr 04 22:11:34 rainbow rpc.ldmd[1993]: gethostbyaddr: failed for
> > 147.153.170.11
> > Apr 04 22:11:34 rainbow rpc.ldmd[1993]: Denying connection from
> > 147.153.170.11
> > Apr 04 22:12:34 rainbow last message repeated 2 times
> > Apr 04 22:13:05 rainbow rpc.ldmd[1993]: Denying connection from
> > 147.153.170.11
> >
> > [root@rainbow ~]# nslookup 147.153.170.11
> > Note:  nslookup is deprecated and may be removed from future releases.
> > Consider using the `dig' or `host' programs instead.  Run nslookup with
> > the `-sil[ent]' option to prevent this message from appearing.
> > Server:         140.172.240.2
> > Address:        140.172.240.2#53
> >
> > ** server can't find 11.170.153.147.in-addr.arpa.: SERVFAIL
> >
> > Is wxbox.mscd.edu in your DNS table and is your DNS server up?
> >
> > Hsie
> > -------------------------
> > Eirh-Yu Hsie
> > Aeronomy Laboratory/NOAA
> > 325 Broadway, R/AL4
> > Boulder, CO  80305-3328
> > voice:  303-497-3275
> > fax:    303-497-5373
> >
> 
> --
> Clyde Hoadley
> Information Security Analyst
> Metropolitan State College of Denver
> address@hidden, (303) 556-5074
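
The failure traced in this thread (rainbow cannot reverse-resolve 147.153.170.11, so the hostname pattern in its allow entry never gets a name to match) can be reproduced offline. The Python below is an added example, not part of the original messages and not LDM code; `check_peer`, `table_lookups` and the lookup tables are hypothetical, the matching model is an assumption inferred from the ldmd.log lines quoted above, and the forward-confirmation step is an extra check the thread does not attribute to LDM.

```python
import re
import socket

# Allow entry quoted in the thread from rainbow's ldmd.conf: (feedset, host regex).
ALLOW = [("UNIDATA|FSL2|NEXRAD", r"^wxbox\.mscd\.edu$")]

def system_reverse(ip):
    """PTR lookup through the system resolver; None on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None

def system_forward(name):
    """Set of IPv4 addresses the name resolves to; empty set on failure."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def check_peer(ip, allow=ALLOW, reverse=system_reverse, forward=system_forward):
    """Return (decision, reason) for a connecting peer address.

    Assumed model: the server identifies the peer by its reverse-resolved
    name and is left with only the dotted quad when that lookup fails.
    """
    name = reverse(ip)
    ident = name if name else ip
    if not any(re.search(pat, ident, re.IGNORECASE) for _feed, pat in allow):
        why = "reverse lookup failed, " if name is None else ""
        return "deny", f"{why}no allow pattern matches {ident!r}"
    # Extra check added in this example: the name must resolve back to the peer.
    if name is not None and ip not in forward(name):
        return "deny", f"{name} does not resolve back to {ip}"
    return "allow", f"{ident} matches an allow pattern"

def table_lookups(ptr, a):
    """Build reverse/forward lookups from constructed tables (no network)."""
    return (lambda ip: ptr.get(ip)), (lambda name: set(a.get(name, ())))

if __name__ == "__main__":
    ip = "147.153.170.11"
    a_records = {"wxbox.mscd.edu": [ip]}  # constructed sample data
    for label, ptr in (("PTR lookup fails", {}),
                       ("with /etc/hosts entry", {ip: "wxbox.mscd.edu"})):
        rev, fwd = table_lookups(ptr, a_records)
        print(label, "->", check_peer(ip, reverse=rev, forward=fwd))
```

Calling `check_peer(ip)` with the default lookups runs the same decision against the live system resolver, which is the check Tom asks both sides to make.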