
20010614: McIDAS and ldm and firewall/security

>From: Mike Voss <address@hidden>
>Organization: San Jose State University
>Keywords: 200106141621.f5EGLPp02317 LDM McIDAS firewall ports


>I'm putting my ldm machine (rossby.met.sjsu.edu) behind our campus
>firewall, but I'd like to clarify a few things. I have read some of the
>support archives and it seems that as long as port 388, 500, and 503
>are open then ldm and mcidas should work fine.

That is correct.

>My network
>administrators on campus asked me if it runs on udp or tcp. I looked in
>/etc/services and saw that port 388 has two entries one for tcp and one
>for udp. Does this mean that both of these services must be available
>through this port?

Here is the response that Russ Rew sent on this subject to Dan Vietor
(Unisys) back in September of 2000:

  As far as I can tell, the only use of UDP port 388 is to provide
  support for old LDM version 4 protocol.  There is still some use of
  LDM 4 protocols at sites receiving WSI radar data via a satellite
  feed:  the host that redistributes the WSI data to a local server uses
  LDM 4 protocols.
  Here's an answer Glenn gave to this some time ago:
    The ldm version 4 protocol requires UDP for the FEEDME and NOTIFYME.
    The ldm version 5 protocol currently uses only TCP. BUT, when we
    drop support for version 4, we are going to try using UDP for
    transport.  We have some experiments and development planned using
    broadcast and multicast which will depend on udp. (The rationale is
    that we are network limited, rather than CPU limited. TCP puts more
    load on the network (and the kernel) and less on the user
    process. By moving the product assembly up into user space, and
    using smallish (No network reassembly) UDP packets, we may get
    better performance.)
  Whether we will use UDP in this way in the future is unclear, since
  our multicast developments are still on hold.

>And for Mcidas, I noticed ports 500 and 503 had just
>tcp entries, and so can I assume that they only need tcp to run?

That is correct.  I have to chime in that one site commented that they
needed to open udp on both of these ports to get their ADDE remote
server working, but I was convinced at the time that there was
something wrong on their system.  No other site has noted that they
needed to do this, so I really don't think it should be necessary.

>Thanks for clarification,

I hope that this helped.
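As an added example (not part of this exchange and not Unidata code), here is a small Python checker a site administrator can run from a machine outside the campus firewall to confirm that the three TCP ports discussed above accept connections; the default host name rossby.met.sjsu.edu comes from the question, and the local listener helper is a constructed fixture so the checker can be exercised offline.

```python
import socket
import threading

# Ports the reply says must be open; all three are TCP (LDM 5 and McIDAS ADDE).
# UDP 388 is only used by the old LDM 4 protocol, so it is deliberately left out.
LDM_ADDE_TCP_PORTS = {388: "LDM (version 5)", 500: "McIDAS ADDE", 503: "McIDAS ADDE"}

def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake completes to host:port, i.e. the firewall lets it through."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, no route
        return False

def audit_host(host, ports=LDM_ADDE_TCP_PORTS, timeout=3.0):
    """Map each port to its reachability; run this from a host outside the firewall."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}

def missing_ports(results, ports=LDM_ADDE_TCP_PORTS):
    """List the blocked ports in a form you can hand to the network administrators."""
    return [f"{p}/tcp ({ports[p]})" for p, ok in sorted(results.items()) if not ok]

def start_local_listener():
    """Constructed fixture: a throwaway TCP listener on 127.0.0.1 so the checker can
    be exercised offline.  Returns (listening socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # so the accept loop notices when the socket is closed

    def accept_loop():
        while True:
            try:
                srv.accept()[0].close()  # complete the handshake, then hang up
            except socket.timeout:
                continue
            except OSError:
                return  # listener was closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "rossby.met.sjsu.edu"
    blocked = missing_ports(audit_host(host))
    print("all LDM/ADDE TCP ports reachable" if not blocked else "blocked: " + ", ".join(blocked))
    sys.exit(1 if blocked else 0)
```

A connect() test can only confirm TCP; if a site really does run the LDM 4 protocol, UDP 388 has to be verified separately with the upstream feed.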


NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.