Restricted TCP Ports and Restricted Mover Hosts

HSI PORT RANGES AND RESERVED PORTS


The HSI package makes use of reserved ports as follows:


  • For initial connection to the HSI Gateway Daemon (HSIGWD) by the HSI and HTAR Clients.  This is the port on which inetd or xinetd listens for connections for starting up the HSIGWD.  The default port is 1217, and is the port assigned by the IANA for this server.  On the HSIGWD system, the normal /etc/services and inetd or xinetd.d setup is used for launching the program in response to connections from clients.
  • For authentication by mechanisms that use a private socket for protocols. Currently Kerberos and Globus GSI require private sockets.
  • For I/O transfers on client hosts that use firewalls to restrict inbound connections or that simply want to use a certain range of TCP ports for HSI/HTAR transfers.
  • For I/O transfers that set HSI ‘firewall’ mode for data transfers.  In this mode, the HSIGWD server listens for connections from the client, and uses store-and-forward mode for transferring data.


The HPSS_PORT_RANGE environment variable is used by the HSI package for defining a range of ports to use for all connections except the initial connection to the HSIGWD.  


The syntax is:

             HPSS_PORT_RANGE=start-end

where start and end are the beginning and ending port numbers in the range.


___________________________________________________________________________

Note: Older versions of HPSS and HSI/HTAR (and PFTP) prior to HPSS 7.5 supported two other environment settings for this purpose:

           RPC_RESTRICTED_PORTS=ncacn_ip_tcp[start-end]

           HPSS_PFTPC_PORT_RANGE=ncacn_ip_tcp[start-end]

The RPC_RESTRICTED_PORTS setting was part of the Distributed Computing Environment (DCE) that was required for HPSS versions prior to 6.0.


The HSI and HTAR client libraries still support these as of HPSS 7.5.1, but they are deprecated and will be removed in a future release.  They are checked only if HPSS_PORT_RANGE is not found in the environment.


The HPSS client libraries used by the HSIGWD through HPSS 7.5.2 have removed the HPSS_PFTPC_PORT_RANGE setting but still allow RPC_RESTRICTED_PORTS if HPSS_PORT_RANGE is not found in the environment.

___________________________________________________________________________


On the HSIGWD server, the port range can be specified either in /var/hpss/etc/env.conf, where it applies to all applications and servers that run on the machine, or via the normal xinetd stanza setting for the HSIGWD, for example:

           env   +=HPSS_PORT_RANGE=20100-30100
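
When firewall rules are written for these ports, it helps to confirm which variable a host will actually take its range from. The following is an added example, not part of the HSI/HPSS distribution: a small audit helper that applies the lookup order described above. The function name, the relative order of the two deprecated variables, the rejection of malformed values, and the two sanity warnings are assumptions of this example.

```python
import os
import re

GATEWAY_PORT = 1217  # default HSIGWD listen port given on this page
PLAIN = re.compile(r"(\d+)-(\d+)")                # HPSS_PORT_RANGE syntax
DCE = re.compile(r"ncacn_ip_tcp\[(\d+)-(\d+)\]")  # deprecated syntax

# Lookup order. The relative order of the two deprecated names is an
# assumption; the page only says they are checked when HPSS_PORT_RANGE is absent.
SOURCES = (("HPSS_PORT_RANGE", PLAIN),
           ("RPC_RESTRICTED_PORTS", DCE),
           ("HPSS_PFTPC_PORT_RANGE", DCE))


def resolve_port_range(env, gateway=False):
    """Return (variable, start, end, warnings), or None if nothing is set.

    gateway=True models the HSIGWD side, where the page says
    HPSS_PFTPC_PORT_RANGE is no longer honoured.
    """
    names = [(n, p) for n, p in SOURCES
             if not (gateway and n == "HPSS_PFTPC_PORT_RANGE")]
    present = [(n, p) for n, p in names if n in env]
    if not present:
        return None
    name, pattern = present[0]
    match = pattern.fullmatch(env[name].strip())
    if match is None:
        # Rejecting malformed values is this script's choice, not documented behaviour.
        raise ValueError(f"{name}={env[name]!r} does not match the documented syntax")
    start, end = int(match.group(1)), int(match.group(2))
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"{name}: {start}-{end} is not a valid TCP port range")
    warnings = []
    if name != "HPSS_PORT_RANGE":
        warnings.append(f"{name} is deprecated; use HPSS_PORT_RANGE={start}-{end}")
    for other, _ in present[1:]:
        warnings.append(f"{other} is set but ignored because {name} takes precedence")
    if start < 1024:
        warnings.append("range includes privileged ports below 1024")
    if start <= GATEWAY_PORT <= end:
        warnings.append(f"range includes the gateway port {GATEWAY_PORT}")
    return name, start, end, warnings


if __name__ == "__main__":
    print(resolve_port_range(os.environ))
```

Run it in the same environment the client or the xinetd-launched HSIGWD sees, and compare the reported range with the inbound ports the host firewall permits.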


HSI RESTRICTED MOVER HOSTS


HSI and HTAR support the ability for the HSI/HPSS Admin to specify which HPSS mover hosts at a site are allowed to connect in order to perform I/O.  This optional feature was added to avoid problems that can occur during transfers when site security port scans take place.  It’s described in detail on the HPSS.conf page.  Normally, when this feature is needed at a site, the HPSS.conf file is set up by the site administrators when HSI/HTAR are installed on a client system.