release notes | Book: 1.9.5, 1.9.12 (opt, FHS), 2.11 (FHS), 2.12 (FHS), 2.13 (FHS), 2.14 (FHS), | Wiki | Q&A black_bg
Web: Multi-page, Single page | PDF: A4-size, Letter-size | eBook: epub black_bg

Access to SRM and GridFTP server from behind a firewall

Timur Perelmutov

Mathias de Riese

This describes firewall issues from the clients perspective. the section called “Firewall Configuration” discusses the server side.

When files are transferred in GridFTP active mode from GridFTP server to the GridFTP client, server establishes data channel(s) by connecting to the client. In this case client creates a TCP socket, bound to some particular address on the client host, and sends the client host IP and port to the server. If the client host is running a firewall, firewall might refuse server’s connection to the client’s listening socket. Common solution to this problem is establishing a range of ports on the client’s host that are allowed to be connected from Internet by changing firewall rules.Once the port range is defined the client can be directed to use one of the ports from the port ranges when creating listening tcp sockets.

[return to top]

Access with srmcp

If you are using srmcp as a client you need to do the following:

  • create a directory $HOME/.globus if it does not exist.

  • create and/or edit a file $HOME/.globus/ by appending a new line reading


    where <min> and <max> are the lower and upper bounds of the port range.

With the latest srmcp release you can use the globus_tcp_port_range option:

[user] $ srmcp -globus_tcp_port_range=<minValue>:<maxValue> ...

A range of ports open for TCP connections is specified as a pair of positive integers separated by ":". This is not set by default.

[return to top]

Access with globus-url-copy

If you are transferring files from gridftp server using globus-url-copy, you need to define an environment variable GLOBUS_TCP_PORT_RANGE, in the same shell in which globus-url-copy will be executed.

In sh/bash you do that by invoking the following command:

[user] $ export GLOBUS_TCP_PORT_RANGE="<min>,<max>"

in csh/tcsh you invoke:

[user] $ setenv GLOBUS_TCP_PORT_RANGE "<min>,<max>"

here <min> and <max> are again the lower and upper bounds of the port range