
Globus Connect Server version 4 firewalld Configuration

If you are running a Linux distribution that includes firewalld, you can use firewalld service and ipset definition files to simplify firewall configuration on your Globus Connect Server endpoint.

To begin, three files will need to be installed.

Files

The first file to create tells firewalld about Globus’ IP range. This file should be created at path /etc/firewalld/ipsets/globus.xml, with the following contents:

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <short>Globus</short>
  <description>Globus IPs</description>
  <option name="family" value="inet"/>
  <entry>54.237.254.192/29</entry>
</ipset>

The next file defines a new service, which (instead of being a single port) is a range of ports. Create this file at path /etc/firewalld/services/gridftp-data.xml, with the following content:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>GridFTP Data</short>
  <description>GridFTP endpoint-to-endpoint data transfer</description>
  <port protocol="tcp" port="50000-51000"/>
</service>

(Yes, with firewalld you can define a single service that takes a range of ports.)

Now, create a file at path /etc/firewalld/services/myproxy.xml, with the following content:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <description>MyProxy Authentication</description>
  <port protocol="tcp" port="7512"/>
</service>

After creating the files, run firewall-cmd --reload to tell firewalld to read the newly-created files.

Now you can move on to configuring the rules themselves!

Firewall Rules

There are three rules needed, each of which requires its own firewall-cmd command:

  1. Allow anyone to connect to open GridFTP data ports:

    firewall-cmd --permanent --add-service=gridftp-data

    The above rule enables the service you created, for inbound traffic, in the default firewall zone (unless you are a firewalld power user, your system will only have one zone in use).

  2. Allow Globus IPs to connect to the MyProxy port.

    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source ipset="globus" service name="myproxy" accept'

    This command is much more complicated, because we want to restrict access to only a specific set of IPs. There is no simple firewall-cmd command available for this, so we have to fall back on the ‘rich rule’ functionality.

  3. Allow access for GridFTP control traffic, from Globus only:

    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source ipset="globus" port port="gsiftp" protocol="tcp" accept'

    This rich rule is similar to the previous one, except we use the keyword port instead of service. We do that because gsiftp is a service name listed in the system-wide service/port database (which normally lives at /etc/services), where it maps to TCP port 2811. If we used the word service in the rich rule, firewalld would look for a (nonexistent) service description file.

After entering the three commands above, run firewall-cmd --reload to activate them. The --permanent flag only writes the rules to the saved configuration, so the running firewall is unchanged until that reload.
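The whole procedure above (three definition files, reload, three rules, reload) as one script, added here as an example and not part of the Globus documentation. The FIREWALLD_ROOT override, the apply argument, and the optional xmllint check are assumptions of this script, not firewalld features; the IP range and ports are the ones from this page.

```shell
#!/bin/sh
# Added example: script the firewalld setup described on this page and verify it.
# FIREWALLD_ROOT defaults to /etc/firewalld; pointing it at a scratch directory
# (for a dry run) is an assumption of this script, not a firewalld feature.
set -eu

FIREWALLD_ROOT="${FIREWALLD_ROOT:-/etc/firewalld}"
GLOBUS_NET="${GLOBUS_NET:-54.237.254.192/29}"   # range from the page; confirm against current Globus docs
DATA_PORTS="${DATA_PORTS:-50000-51000}"

# Write the ipset and the two service definitions from the page under
# $1/ipsets and $1/services. Returns non-zero if any file is missing afterwards.
write_globus_firewalld_files() {
    root="$1"
    mkdir -p "$root/ipsets" "$root/services"

    cat > "$root/ipsets/globus.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <short>Globus</short>
  <description>Globus IPs</description>
  <option name="family" value="inet"/>
  <entry>$GLOBUS_NET</entry>
</ipset>
EOF

    cat > "$root/services/gridftp-data.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>GridFTP Data</short>
  <description>GridFTP endpoint-to-endpoint data transfer</description>
  <port protocol="tcp" port="$DATA_PORTS"/>
</service>
EOF

    cat > "$root/services/myproxy.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <description>MyProxy Authentication</description>
  <port protocol="tcp" port="7512"/>
</service>
EOF

    for f in ipsets/globus.xml services/gridftp-data.xml services/myproxy.xml; do
        [ -s "$root/$f" ] || return 1
    done
}

# Optional sanity check: confirm the generated XML is well-formed when xmllint exists.
check_xml_wellformed() {
    root="$1"
    command -v xmllint >/dev/null 2>&1 || return 0
    for f in "$root"/ipsets/globus.xml "$root"/services/*.xml; do
        xmllint --noout "$f" || return 1
    done
}

# The three rules from the page. --permanent only edits the saved configuration,
# so the final --reload is what makes them live.
apply_globus_rules() {
    firewall-cmd --reload                                 # read the newly created files first
    firewall-cmd --permanent --add-service=gridftp-data
    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source ipset="globus" service name="myproxy" accept'
    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source ipset="globus" port port="gsiftp" protocol="tcp" accept'
    firewall-cmd --reload
}

# Show what ended up in the running configuration.
show_result() {
    firewall-cmd --info-ipset=globus
    firewall-cmd --info-service=gridftp-data
    firewall-cmd --list-all
}

case "${1:-}" in
    apply)
        write_globus_firewalld_files "$FIREWALLD_ROOT"
        check_xml_wellformed "$FIREWALLD_ROOT"
        apply_globus_rules
        show_result
        ;;
esac
```

Run it as root with `sh setup-globus-fw.sh apply` (the file name is an assumption). The `--list-all` output at the end should show gridftp-data under services and both rich rules under rich rules; if the MyProxy or gsiftp rule is missing, the ipset or service file was not picked up by the reload, so check the file paths and names before anything else. Because the globus ipset is the only thing gating MyProxy and GridFTP control access, keep its entry current with the Globus-published range.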

Your inbound host firewall configuration is now complete! You should now go back to continue the installation procedure.