Firewall Issues
Many sites run firewalls that prevent GridFTP from working. Protocols such as FTP, which use dynamically assigned ports, often get blocked by the firewall. Firewalls are often configured to block only incoming connections, not outgoing connections. In this case you may be able to solve the firewall problem by initiating the transfer from inside the site with the firewall.
If both sites have a firewall that blocks incoming connections, things are trickier. You will have to talk to your firewall administrator about opening up a set of ports for your data transfer connections. You might also consider placing your data server outside the firewall; an example of this is the Science DMZ architecture. This has the added benefit of avoiding potential performance issues caused by the firewall.
For More Information
Recommended: Globus GridFTP client firewall information
How to specify port ranges for a GridFTP server
You can specify the ports that the GridFTP server uses by editing these files:
/etc/grid-security/sshftp
/etc/gridftp.conf
Modify GLOBUS_TCP_PORT_RANGE to the ports you want. For example:
GLOBUS_TCP_PORT_RANGE=50000,50050
To specify which ports are used by the client, you can modify the file:
/usr/share/globus/gridftp-ssh
Look for the line:
/usr/bin/ssh $port_str $remote_host $remote_program
Use something like this instead, replacing x,y with the port range you want:
/usr/bin/ssh $port_str $remote_host GLOBUS_TCP_PORT_RANGE=x,y $remote_program
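Because the server range is set in two files and the firewall opening has to match it, it is worth checking that both files agree before asking for ports to be opened. The script below is an added example, not part of the original page or of Globus; the function names, the 1024-65535 bounds, the accepted "export " prefix and the printed iptables rule are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original page): confirm every GridFTP server
# config file sets the same valid GLOBUS_TCP_PORT_RANGE before opening ports.

# Print the last "GLOBUS_TCP_PORT_RANGE=min,max" value found in file $1.
# An optional "export " prefix is also accepted (assumption of this example).
get_range() {
    sed -nE 's/^[[:space:]]*(export[[:space:]]+)?GLOBUS_TCP_PORT_RANGE=([0-9]+,[0-9]+)[[:space:]]*$/\2/p' "$1" | tail -n 1
}

# Succeed when min <= max and both are in 1024..65535 (bounds chosen for
# this example: unprivileged ports only).
valid_range() {
    min=${1%,*}
    max=${1#*,}
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ]
}

# Print "min:max" when all files agree on one valid range.
# Return 1 = not set, 2 = invalid range, 3 = files disagree.
check_files() {
    agreed=
    for f in "$@"; do
        r=$(get_range "$f")
        if [ -z "$r" ]; then
            echo "$f: GLOBUS_TCP_PORT_RANGE not set" >&2; return 1
        fi
        if ! valid_range "$r" 2>/dev/null; then
            echo "$f: invalid range $r" >&2; return 2
        fi
        if [ -n "$agreed" ] && [ "$r" != "$agreed" ]; then
            echo "$f: range $r differs from $agreed" >&2; return 3
        fi
        agreed=$r
    done
    echo "${agreed%,*}:${agreed#*,}"
}

# When run with file arguments, print (do not apply) a matching iptables rule.
if [ "$#" -gt 0 ]; then
    if range=$(check_files "$@"); then
        echo "iptables -A INPUT -p tcp --dport $range -j ACCEPT"
    fi
fi
```

Run it with the two server files as arguments; a non-zero exit means the firewall request should wait until the files are corrected.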