Thread: IceGrid, servers ports, and Firewall

  1. #1
    undici77 (Registered User)
    Name: Alessandro Barbieri
    Organization: EGICON
    Project: ATS
    Join Date: Jan 2011
    Posts: 6

    IceGrid, servers ports, and Firewall

    Hi,
    I'm using IceGrid in order to create a collection of servers behind a Firewall.
    Now, my problem is to force IceGrid to use a pool of ports predefined by my Firewall configuration.

    Is this the right approach to the solution?
    If yes, how can I do it?

    Thanks
    Alessandro

  2. #2
    cnhome (Registered User)
    Name: Li Wenzhi
    Organization: FreeLaner
    Project: Train Enquiries for Android
    Join Date: Apr 2005
    Location: Beijing, China
    Posts: 64
    You can use Glacier2.

  3. #3
    mes (ZeroC Staff)
    Name: Mark Spruiell
    Organization: ZeroC, Inc.
    Project: Ice Developer
    Join Date: Feb 2003
    Location: California
    Posts: 1,445
    Quote Originally Posted by cnhome:
      You can use Glacier2.
    This is probably your best option. Ice doesn't currently provide a way to limit the range of ports that are used by a server. By using Glacier2, you would only need to expose one port in your firewall. If you do decide to use Glacier2, please note that some changes will be required in your configuration; see the Ice manual for details.

    Regards,
    Mark

  4. #4
    undici77 (Registered User)
    Name: Alessandro Barbieri
    Organization: EGICON
    Project: ATS
    Join Date: Jan 2011
    Posts: 6
    Thanks for the answers!! My first post was pretty generic, in order to get an answer like: "The way to limit the ports is..."

    Now I understand the solution is not easy.

    So I'll try to explain my requirements better:

    My ICE application is a collection of drivers (an ICE server for each driver) written in C++ and running on the local host.

    I need an exact explanation of how my IceGrid server handles ports, in order to define severe security rules.
    This is because I will install my IceGrid server on a machine with a RING0 Firewall.

    So, this is my node configuration:
    Code:
    #
    # The IceGrid locator proxy.
    #
    Ice.Default.Locator=AtsGrid/Locator:default -p 4061
    
    #
    # The IceStorm locator proxy.
    #
    IceStorm.TopicManager.Proxy=IceStorm/TopicManager
    
    #
    # IceGrid node configuration.
    #
    IceGrid.Node.Name=node_localhost
    IceGrid.Node.Endpoints=default
    IceGrid.Node.Data=db/node
    
    #
    # Trace properties.
    #
    IceGrid.Node.Trace.Activator=1
    
    #
    # Dummy username and password for icegridadmin.
    #
    IceGridAdmin.Username=admin
    IceGridAdmin.Password=admin
    This is my application configuration:
    Code:
    <icegrid>
    
      <application name="atsGrid" import-default-templates="true">
    
        <node name="node_localhost">
    
          <server-instance template="IceStorm" instance-name="IceStorm"/>
    
          <server id="atsPlcBackoff" exe=".\release\atsPlcBackoff.exe" activation="always">
            <adapter name="atsPlcBackoff" endpoints="tcp">
              <object identity="atsPlcBackoff" type="::com::egicon::ats:devices::atsPlcBackoff" property="Identity"/>
            </adapter>
          </server>
          <server id="atsLasit" exe=".\release\atsLasit.exe" activation="always">
            <adapter name="atsLasit" endpoints="tcp">
              <object identity="atsLasit" type="::com::egicon::ats:devices::atsLasit" property="Identity"/>
            </adapter>
          </server>
        </node>
    
      </application>
    
    </icegrid>
    What is the best practice for working out how to define security rules?

    And beyond this:
    1) Is it possible to force IceGrid to work only on loopback (127.0.0.1)?
    2) Is it possible to fix my servers' ports, using IceGrid only like a DNS server?
    3) Does Glacier2 really use only one port, or does it dynamically open some random ports when a new client requires a connection?

  5. #5
    mes (ZeroC Staff)
    Name: Mark Spruiell
    Organization: ZeroC, Inc.
    Project: Ice Developer
    Join Date: Feb 2003
    Location: California
    Posts: 1,445
    Quote Originally Posted by undici77:
      1) Is it possible to force IceGrid to work only on loopback (127.0.0.1)?
    Yes. There are two ways you can accomplish this:

    1. Add -h 127.0.0.1 to the endpoint configurations of IceGrid node/registry, and to the endpoint configurations of your application's object adapters. For example:
    Code:
    IceGrid.Node.Endpoints=default -h 127.0.0.1
    and
    Code:
    <adapter name="atsPlcBackoff" endpoints="tcp -h 127.0.0.1">
    2. Or, you can define Ice.Default.Host=127.0.0.1 for the IceGrid node/registry and your application servers.

    Quote Originally Posted by undici77:
      2) Is it possible to fix my servers' ports, using IceGrid only like a DNS server?
    I'm not quite sure what you're asking here. You can certainly specify fixed ports in all of your endpoints. For example:

    Code:
    IceGrid.Node.Endpoints=default -h 127.0.0.1 -p 5001
    and
    Code:
    <adapter name="atsPlcBackoff" endpoints="tcp -h 127.0.0.1 -p 5002">
    Of course, you need to be sure that the ports you choose won't be in use by another program.

    Quote Originally Posted by undici77:
      3) Does Glacier2 really use only one port, or does it dynamically open some random ports when a new client requires a connection?
    Glacier2 is an intermediary. It accepts connections from clients on a single port, and then it opens multiple outgoing connections to "back end" servers. Furthermore, if your servers send callback invocations to clients, then Glacier2 will also need to open a second port on which it accepts these callback connections from the back end servers.

    Regards,
    Mark

  6. #6
    undici77 (Registered User)
    Name: Alessandro Barbieri
    Organization: EGICON
    Project: ATS
    Join Date: Jan 2011
    Posts: 6
    Thanks Mark for your answer.

    So if I understood correctly, there is no way to tell my Ring 0 firewall admin which ports will be opened for the communication between my Ice servers and my clients, with or without Glacier2.
    I can only define how many, but not which.

    Is that right?

  7. #7
    mes (ZeroC Staff)
    Name: Mark Spruiell
    Organization: ZeroC, Inc.
    Project: Ice Developer
    Join Date: Feb 2003
    Location: California
    Posts: 1,445
    No, that's not correct.

    As I wrote earlier, you can define exactly which ports your applications and Ice services (such as IceGrid nodes and registries) will open for incoming connections.

    It is true that you cannot specify which local ports will be opened for outgoing connections. A socket connection has a local port and a remote port. For outgoing Ice connections, the local port is always assigned by the operating system.

    It's not completely clear to me whether your entire application is running on a single host (with multiple processes communicating over the localhost interface), or whether communication occurs over the network.

    You also didn't indicate whether the firewall is restricting the client's connections, the server's connections, or both.

    Let's say that the entire application is running on a single host, and that the firewall restricts both clients and servers even for localhost activity. In this case, the firewall rules will need to permit outgoing connections from any port, but incoming connections can be restricted to the set of ports specified by the application's configuration. For an application that uses IceGrid, there are several endpoints that must be included:
    • IceGrid.Node.Endpoints
    • IceGrid.Registry.Client.Endpoints
    • IceGrid.Registry.Internal.Endpoints
    • IceGrid.Registry.Server.Endpoints
    Furthermore, you have to include the endpoints of each object adapter in each of your servers. And don't forget about the administrative object adapters that IceGrid enables in deployed servers. This page in the manual describes the IceGrid endpoints in more detail.

    So, you can define an explicit port for each of these endpoints and then produce a list of ports that the firewall must not block.

    If you can describe your system configuration and firewall requirements in more detail, I might be able to provide more specific help.

    Regards,
    Mark
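
    The checklist from #5 and #7 turned into an audit script, added here as an example and not code from the thread or from ZeroC: it reads the node properties and the deployment XML, lists every listening endpoint (proxy properties such as Ice.Default.Locator are not listeners and are skipped), and reports which ones are pinned to 127.0.0.1 with a fixed -p, so that the firewall admin can be handed an explicit inbound port list. The configuration text is constructed from the thread's settings, the registry port numbers are assumed values, and the Ice.Default.Host alternative and the administrative adapters IceGrid enables in deployed servers are not modelled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample from the thread's config; the registry port numbers are assumed.
NODE_PROPERTIES = """
Ice.Default.Locator=AtsGrid/Locator:default -p 4061
IceGrid.Node.Endpoints=default -h 127.0.0.1 -p 5001
IceGrid.Registry.Client.Endpoints=default -h 127.0.0.1 -p 4061
IceGrid.Registry.Server.Endpoints=default -h 127.0.0.1
IceGrid.Registry.Internal.Endpoints=default -h 127.0.0.1 -p 4063
"""
APPLICATION_XML = """<icegrid><application name="atsGrid"><node name="node_localhost">
<server id="atsPlcBackoff" exe="atsPlcBackoff.exe"><adapter name="atsPlcBackoff" endpoints="tcp -h 127.0.0.1 -p 5002"/></server>
<server id="atsLasit" exe="atsLasit.exe"><adapter name="atsLasit" endpoints="tcp"/></server>
</node></application></icegrid>"""

def parse_endpoints(spec):
    # 'tcp -h A -p 1:ssl -p 2' -> [(host, port), ...]; port None = the OS picks it at
    # start-up, host None = all interfaces. IPv4 only ('::1' would split on ':').
    result = []
    for ep in spec.split(":"):
        if ep.strip():
            host = re.search(r"-h\s+(\S+)", ep)
            port = re.search(r"-p\s+(\d+)", ep)
            result.append((host.group(1) if host else None, int(port.group(1)) if port else None))
    return result

def collect_listeners(properties, app_xml):
    # Only *.Endpoints properties and <adapter> elements listen; proxies (Locator) are skipped.
    found = [(k, v) for k, sep, v in (l.strip().partition("=") for l in properties.splitlines())
             if sep and k.endswith(".Endpoints")]
    for server in ET.fromstring(app_xml).iter("server"):
        for adapter in server.iter("adapter"):
            found.append((server.get("id") + "/" + adapter.get("name"), adapter.get("endpoints", "")))
    return found

def audit(properties, app_xml, host="127.0.0.1"):
    # Returns (sorted inbound ports for the firewall rule, findings that defeat a fixed rule).
    ports, findings = {}, []
    for name, spec in collect_listeners(properties, app_xml):
        for ep_host, ep_port in parse_endpoints(spec):
            if ep_host != host:
                findings.append(f"{name}: missing -h {host}, binds every interface")
            if ep_port is None:
                findings.append(f"{name}: missing -p, port assigned at runtime")
            elif ep_port in ports:
                findings.append(f"{name}: port {ep_port} already used by {ports[ep_port]}")
            else:
                ports[ep_port] = name
    return sorted(ports), findings
```

Run against the sample, `audit(NODE_PROPERTIES, APPLICATION_XML)` returns the four pinned ports and three findings: the registry server endpoint and the atsLasit adapter have no -p, and atsLasit also has no -h. Only inbound rules can be derived this way; as Mark notes, the local port of an outgoing connection is always chosen by the operating system.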
