Thread: Configuring IceStorm clients to use limited port ranges

  1. #1
    Chucko is offline Registered User
    Name: Chuck Fry
    Organization: Dell Services Federal Gov't @ NASA Ames
    Project: Autonomous Mission Operations
    Join Date
    Jun 2011
    Location
    NASA Ames Research Center, Moffett Field, CA
    Posts
    8

    Configuring IceStorm clients to use limited port ranges

    We are running afoul of local firewall policies when using IceStorm. It's easy to open up the desired ports for the IceStorm service and publishers (we're using 10203 and 10204 respectively). But the connections going the other way seemingly use random port numbers all over the IP port number space.

    Shutting down the firewall is not an option on our network.

    Is there any way to configure IceStorm and clients to restrict those reciprocal connections to a limited port range, so we can open up a small window in the firewall? A search of the forum archives didn't turn up anything conclusive.

  2. #2
    bernard is offline ZeroC Staff
    Name: Bernard Normier
    Organization: ZeroC, Inc.
    Project: Ice
    Join Date
    Feb 2003
    Location
    Palm Beach Gardens, FL
    Posts
    1,294
    Hi Chuck,

    The connection from IceStorm to your subscribers will use whichever ports you configured for your subscribers. If the object adapter endpoints in your subscribers look like:

    Code:
    xxx.Endpoints=tcp
    or
    Code:
    xxx.Endpoints=tcp -h yyyy
    you want to add a port number (-p <port>).

    Best regards,
    Bernard
    Bernard Normier
    ZeroC, Inc.

  3. #3
    Chucko is offline Registered User
    [Edited for clarity]

    Thank you Bernard. This is the client's output when I tried your suggestion. The IceStorm service is running on this machine at TCP port 10203. The client is advertising port 10206 on all interfaces as its endpoint.

    Code:
    -- 01/18/12 16:49:39.997 /Users/cfry/demo11/asa/bin/asaExec: Network: attempting to bind to tcp socket 0.0.0.0:10206
    -- 01/18/12 16:49:39.997 /Users/cfry/demo11/asa/bin/asaExec: Network: accepting tcp connections at 0.0.0.0:10206
       local interfaces: 128.102.109.67, 128.102.242.197, 127.0.0.1
    -- 01/18/12 16:49:39.997 /Users/cfry/demo11/asa/bin/asaExec: Network: published endpoints for object adapter `AsaExec':
       tcp -h 128.102.109.67 -p 10206:tcp -h 128.102.242.197 -p 10206
    -- 01/18/12 16:49:39.998 /Users/cfry/demo11/asa/bin/asaExec: Network: trying to establish tcp connection to 127.0.0.1:10203
    -- 01/18/12 16:49:39.998 /Users/cfry/demo11/asa/bin/asaExec: Network: tcp connection established
       local address = 127.0.0.1:53079
       remote address = 127.0.0.1:10203
    - snip -

    As you can see, the IceStorm client establishes its connection to the IceStorm service, not by using the advertised endpoint for its object adapter at port 10206, but at port 53079. This other port number is what I am trying to control.

    Is there a way to limit the client side port choices to a predefined range?
    Last edited by Chucko; 01-18-2012 at 08:02 PM.

  4. #4
    bernard is offline ZeroC Staff
    Hi Chuck,

    For outgoing connections, the Ice run-time gets an ephemeral port from the operating system.

    While you can configure the ephemeral port range on your computer, Ice does not provide a way to change this range (e.g. use your own port-range).

    What is your use-case for this feature?

    In your application, the client is also your publisher (so an Ice server), and it establishes a connection to IceStorm presumably to subscribe to a topic. IceStorm will later establish a connection the other way around, to port 10206 on your client/publisher.

    One potential issue with your current configuration is that your client/subscriber listens on all interfaces, and publishes in its proxies all non-localhost interfaces. If IceStorm can only reach one of these interfaces, connection establishment from IceStorm to your client/publisher may sometimes take a long time (when the Ice run-time in IceStorm tries first the unreachable interface). The solution in this case is to use -h <name or IP> in your client/publisher endpoint configuration.

    Best regards,
    Bernard
    Bernard Normier
    ZeroC, Inc.
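
Added example (not part of the original thread and not ZeroC code): a Python script that reads a network trace like the one in post #3 and separates the listening ports, which are fixed with -p on the adapter endpoint, from the OS-chosen source ports of outgoing connections, which Ice does not control. The function name classify_ports and the shortened trace prefix are assumptions made for this example.

```python
import re

# Trace excerpt abridged from post #3 (timestamp and program path shortened).
TRACE = """\
-- asaExec: Network: accepting tcp connections at 0.0.0.0:10206
   local interfaces: 128.102.109.67, 128.102.242.197, 127.0.0.1
-- asaExec: Network: published endpoints for object adapter `AsaExec':
   tcp -h 128.102.109.67 -p 10206:tcp -h 128.102.242.197 -p 10206
-- asaExec: Network: tcp connection established
   local address = 127.0.0.1:53079
   remote address = 127.0.0.1:10203
"""

ACCEPT = re.compile(r"accepting tcp connections at (\S+):(\d+)")
PUBLISHED = re.compile(r"tcp -h (\S+) -p (\d+)")
LOCAL = re.compile(r"local address = \S+:(\d+)")
REMOTE = re.compile(r"remote address = (\S+):(\d+)")


def classify_ports(trace):
    """Split the ports seen in an Ice network trace by firewall relevance."""
    report = {"inbound": set(), "outbound": set(), "ephemeral": set(),
              "published_hosts": set(), "wildcard_bind": False}
    for line in trace.splitlines():
        if m := ACCEPT.search(line):
            # Listening socket: peers such as IceStorm connect TO this port.
            report["inbound"].add(int(m.group(2)))
            report["wildcard_bind"] |= m.group(1) == "0.0.0.0"
        elif m := LOCAL.search(line):
            # Source port the OS picked for an outgoing connection.
            report["ephemeral"].add(int(m.group(1)))
        elif m := REMOTE.search(line):
            # Destination of an outgoing connection.
            report["outbound"].add((m.group(1), int(m.group(2))))
        else:
            for host, _port in PUBLISHED.findall(line):
                report["published_hosts"].add(host)
    return report


if __name__ == "__main__":
    r = classify_ports(TRACE)
    print("listening ports (inbound rule):", sorted(r["inbound"]))
    print("outgoing destinations (outbound rule):", sorted(r["outbound"]))
    print("OS-chosen source ports:", sorted(r["ephemeral"]))
    if r["wildcard_bind"] and len(r["published_hosts"]) > 1:
        print("adapter published on several interfaces; pin one with -h:",
              sorted(r["published_hosts"]))
```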
