GD group Firewall requests

The standard procedure to request one or more ports to be accessible from the outside or from the LAN is the following. It only applies to non-Quattor GD machines.

Local firewall (access from the CERN LAN)

The local firewall on the system must firstly be configured to enable external or LAN access to the port(s). For test machines, this can be done manually.

For production machines, the hosts are using lcg-fw, which is installed by default on GD systems. The default lcg-fw configuration is to only offer SSH access to the CERN LAN, but all outgoing connections are permitted.

In order to change the firewall template that has been allocated to a node, you can contact by specifying what type of service your host will be providing. An updated template will be issued and automatically installed on the node (providing its runs lcg-fw).

If you attempt to manually change the firewall rules on a node running lcg-fw, the registered profile will be re-installed the next time the hourly cron job is run. If you wish to make a temporary change, you can either:

  • Contact to change temporarily the firewall template
  • Deprecated: you can change the local rules by suspending the update of the firewall template. This can be done by issuing the following command on the node:
chmod -x /etc/cron.hourly/firewall.cron

Please consult instructions here for more information. The local firewall status of GD machines is visible at

Site firewall

Site firewall changes in GD are managed by different service managers:

  • Yvan Calas for the PROD
  • Antonio Retico for the PPS
  • Louis Poncet for the TB
  • Romain Wartel for non-standard requests.

In order to enable incoming access to a service on a GD host, the responsible service manager of the relevant group (PROD, PPS, TB) needs to be contacted. Alternatively, an email can be sent to, and will be picked up by the relevant service manager.

These service managers are responsible to ensure that:

  • The host runs the GD security tools (lcg-fw, gd-auth) and is correctly associated with a nominated contact
  • The host is patched automatically
  • The host runs standard services that precisely match the description of an existing Set (RB, CE, etc.)
  • No unused network service is running on the host

It is also recommended that these service managers ask to run a security scan against the host and seek for advice, but service managers remains responsible for enabling (or not) incoming access to the host.


Do not hesitate to contact Romain Wartel to:

  • discuss in advance potential issues with a particular firewall request
  • seek for help to define your firewall requirements (ex: what ports do I need to request to enable my gLite CE to be reachable from the outside?).

-- Romain Wartel - 27 Nov 2006

Edit | Attach | Watch | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r3 - 2007-03-09 - RomainWartel
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LCG All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2022 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback