On Jul 22, 2008, at 10:55 AM, Steve White wrote:
Charles,
On 21.07.08, Charles Bacon wrote:
Interesting - I remember some discussion like that on this list, I think, but what does that rule achieve?
This is part of the AstroGrid-D documentation (I think I added it)
http://www.gac-grid.org/project-products/grid-support/grid-installation.html#gsiftp
As to where it came from, I haven't yet heard from Thomas, but I found a discussion in which he took part (in German) on the internal GACG WG1 mailing list, dated 3 Sep. 2007.

Thomas says there that he was able to watch the TCP traffic during some grid exchanges, and that (in particular) GridFTP tries to connect with an 'identd' server, which, in the case of a firewall, results in a dropped packet and usually a 30-second timeout.

He then goes on to say that he thinks he saw the iptables rule in a firewall document, probably on the Globus website. I haven't located that document.
Anyway, the iptables rule solved Art's problem, as well as ours.
Okay - I think the iptables rule might be fixing a problem which is self-created by the xinetd entries installed. GridFTP doesn't do ident lookups/callbacks by itself. It is only if you have lines like:

on_success = HOST, USERID

in the xinetd configuration file - that tells xinetd to make the ident request so it can put the result in syslog. Removing those lines is probably an easier solution than putting them in the xinetd entry and then adding a firewall rule to make them time out very quickly.
Charles
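The configuration point Charles makes, as an added example that is not part of the thread and not code from the AstroGrid-D or Globus projects: the xinetd attribute that triggers the ident callback is `log_on_success` (and its sibling `log_on_failure`); the mail abbreviates it as `on_success`. The script below detects the `USERID` flag in a constructed gsiftp entry and strips it, which is the "remove those lines" fix; it also prints the assumed form of the firewall alternative, since the thread refers to the iptables rule but never quotes it. The server path is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from AstroGrid-D/Globus.
# It shows the xinetd attribute behind the ident lookups Charles describes
# (the real attribute is log_on_success; the thread abbreviates it) and
# how to strip USERID from a gsiftp entry so xinetd never contacts port 113.

# Constructed sample xinetd entry for GridFTP. The server path is a placeholder;
# the two log_on_* lines are the ones that make xinetd do an ident callback.
SAMPLE_ENTRY='service gsiftp
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /path/to/globus-gridftp-server
    server_args     = -i
    log_on_success  = HOST, USERID
    log_on_failure  = HOST, USERID
    disable         = no
}'

# Print 1 if the entry asks xinetd for an ident (RFC 1413) lookup, else 0.
# USERID in log_on_success or log_on_failure is what triggers the callback.
needs_ident_lookup() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*log_on_(success|failure).*USERID'; then
        echo 1
    else
        echo 0
    fi
}

# Remove USERID from the log_on_* value lists and keep the other flags intact.
strip_userid() {
    printf '%s\n' "$1" | sed -E \
        -e '/^[[:space:]]*log_on_(success|failure)/ s/[[:space:]]*,[[:space:]]*USERID//g' \
        -e '/^[[:space:]]*log_on_(success|failure)/ s/USERID[[:space:]]*,[[:space:]]*//g'
}

# If the USERID flag must stay, the alternative in the thread is a firewall rule
# that fails the ident connection fast. A DROP leaves xinetd waiting for the
# ~30-second timeout; a REJECT answers with a TCP RST so the lookup fails at once.
# Assumed form of such a rule (the thread does not quote the actual rule), here on
# the xinetd host for its outbound ident attempts; this function only prints it.
ident_reject_rule() {
    echo 'iptables -A OUTPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset'
}

# Stand-alone run: report the state of the sample entry and show the fixed version.
echo "ident lookup in sample entry: $(needs_ident_lookup "$SAMPLE_ENTRY")"
strip_userid "$SAMPLE_ENTRY"
```

Run it against a real entry with `strip_userid "$(cat /etc/xinetd.d/gsiftp)"` and reload xinetd; the `HOST` flag stays, so syslog still records the client address, only the ident callback disappears.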