Firewalls
This section discusses advanced configuration options for firewalls.
EPM-UL can communicate through firewalls. To configure a firewall, it is necessary to know the following:
- TCP/IP concepts and terms
- How EPM-UL establishes a connection
- Which directions the firewall is filtering
TCP/IP concepts and terms
In a TCP/IP network, a connection or communications channel between two processes is made up of a path through the network with a socket at each end. Each socket has its own identifying address consisting of its host ID (IP address) and a port number. The combination of the two socket addresses uniquely defines the channel in that network.
Port numbers can be assigned by the user or selected by the operating system. In some cases, the port number is well known and established by tradition. For example, FTP has used port 21 for many years. To establish an FTP session, a process opens a socket (identified by the local host ID and a port number that is assigned by the operating system) and attempts to connect it to the socket that is identified by the combination of the remote host ID and port 21. Historically, port numbers below 1024 are usually reserved for programs that are run by root, while ports from 1024 through 65535 are open for use by any program.
By default, pbmasterd uses port 24345, pblocald uses port 24346, pblogd uses port 24347. The user can reassign these by changing the port number in their services and in the settings file. Aside from those ports, EPM-UL is content to let the operating systems assign ports for the rest of its connections, unless there is a firewall in the middle.
A firewall is a security mechanism that controls network traffic that tries to pass through it. EPM-UL can work with packet-filtering firewalls. A packet-filtering firewall can allow traffic on designated ports to pass though it with no filtering.
To work with a firewall, both EPM-UL and the firewall have to agree on which ports can pass through the firewall. As an extra measure of security, EPM-UL makes use of reserved ports (numbered less than 1024) to initiate connections across a firewall. Doing so helps assure the remote machine that it is being contacted by a root-enabled program on the other end. The remote end of the connection can use any non-reserved ports that the firewall permits.
Previously, connections could be originated using reserved ports only. Beginning with v3.2, connections can be originated using reserved and non-reserved ports. On the receiving side, connections from non-reserved ports can be enabled by setting allownonreservedconnections to true.
The range of reserved ports that can be used to initiate outbound connections is defined in the settings file in v3.2 and later using minoutgoingport and maxoutgoingport.
In v3.2 and later, the non-reserved ports that can be used on the receiving side are defined in the settings file using minlisteningport and maxlisteningport.
For more information, see allownonreservedconnections, minoutgoingport and maxoutgoingport, minlisteningport and maxlisteningport
EPM-UL connections
Before you learn how EPM-UL establishes connections across a firewall, it is important to understand how EPM-UL establishes connections in general. The following example shows a typical session without I/O logging.
A user starts pbrun to access a command.
pbrun opens a port in the range from the minoutgoingport to the maxoutgoingport and attempts to connect to the pbmasterd well-known port on the policy server host.
If the pbmasterd policies reject the request, then pbmasterd opens a port in the minoutgoingport to maxoutgoingport range, and attempt to connect it to pblogd’s well-known port on the log host to log the rejection, and the process ends here.
If the pbmasterd policies accept the request, then pbmasterd opens a port in the minoutgoingport to maxoutgoingport range, and attempts to connect it to the pblocald well-known port on the run host.
pblocald opens a port in the minoutgoingport to maxoutgoingport range, and attempts to connect it to pblogd’s well-known port on the log host. pblocald then sends the accept information to the log server. pblocald then closes the log server connection.
If the configuration permits, pblocald attempts to connect directly to pbrun, freeing pbmasterd to exit from the job stream. pblocald does this by obtaining a port in the minoutgoingport to maxoutgoingport range and attempting to connect to a port in the minlisteningport to maxlisteningport range, which pbrun is listening to (pbrun’s actual port number is passed to pblocald through pbmasterd). pbmasterd can then exit. If pblocaldreconnection is set to true, then pbrun will originate and pblocald will listen.
pblocald runs the requested job. When it finishes, it opens another connection to the log server to log the finish status of the job.
Connections across a firewall
A full EPM-UL session requires two to six connections. Generally, there are two types of connections:
- Connection to a well-known port
- Connection to a dynamic connection
When connecting to a well-known port, the originator asks the operating system for a port in the range between minoutgoingport and maxoutgoingport. The port number is selected by the operating system and is called an ephemeral port. This port is opened on the originating side and connected to the well-known port on the target side. The firewall must be able to pass traffic on the well-known port. No configuration is needed for EPM-UL in this case. The following table summarizes the connection information for well-known ports.
Originator | Outbound Port Type | Target | Inbound Port Type | Default |
---|---|---|---|---|
pbrun | Ephemeral | pbmasterd | Well known | 24345 |
pbmastered | Ephemeral | pblocald | Well known | 24346 |
pbmasterd | Ephemeral | pblogd | Well known | 24347 |
pblocald | Ephemeral | pblogd | Well known | 24347 |
The second type of connection is a dynamic connection. These connections originate on a port in the range from minoutgoingport and maxoutgoingport that is selected by the originating machine’s operating system (ephemeral port) and connect to a listening port on the target end (also an ephemeral port).
For this configuration, the firewall must be configured to pass a range of ports and EPM-UL must be configured to use those ports. If the originating side is filtered, the firewall needs to allow a range of reserved ports to pass. Beginning with EPM-ULv3.2, the port range should be configured in the firewall and the same range of ports should be set in pblocald’s settings file with the settings minlisteningport and maxlisteningport.
If the target machine is filtering incoming traffic, then the firewall should be configured to pass the listening ports, and the settings file on the submit host and the log host should set the same port range in their respective settings files, using the minlisteningport and maxlisteningport settings (EPM-UL v3.2 and later).
The dynamic connections from pblocald are summarized in the following table:
Note
Setting pbrunreconnection and/or pblogreconnection to true reverses the direction of the connections that are listed in the following table.
Originator | Outbound Port Type | Settings File | Target | Inbound Port Type | Settings File |
---|---|---|---|---|---|
pblocald | Ephemeral reserved | minoutgoingport maxoutgoingport | pbrun | Ephemeral non- reserved | minlisteningport maxlisteningport |
pblocald (when logmktemp() is used in a policy) | Ephemeral reserved | minoutgoingport maxoutgoingport | pblogd | Ephemeral non- reserved | minlisteningport maxlisteningport |
Previously, connections could be originated using reserved ports only. Beginning with v3.2, connections can be originated using reserved and non-reserved ports. On the receiving side, connections from non-reserved ports can be enabled by setting allownonreservedconnections to true.
The range of reserved ports that can be used to initiate outbound connections is defined in the settings file in v3.2 and later using minoutgoingport and maxoutgoingport.
In v3.2 and later, the non-reserved ports that can be used on the receiving side are defined in the settings file using minlisteningport and maxlisteningport.
For more information, see allownonreservedconnections, minoutgoingport and maxoutgoingport, minlisteningport and maxlisteningport.
Updated 5 days ago