Understanding EC2 Security Groups - security

I'm reading instructions (on installing R on an EC2 instance) that ask me to do the following:
When you get to the ‘Security Groups’ tab, create a security group that has the following ports open: 22 (SSH), 80 (HTTP), 443 (HTTPS), 3389 (RDP, optional), and 8787 (RStudio Server).
I don't fully understand what this means. Especially when it comes to opening port 8787 for the RStudio Server.
Here's the tab to add an inbound rule for a Security Group:
So, if I want to "open port 8787 for RStudio," what do I do? Is that a TCP rule?
If I want to open that port to "everyone," what do I specify as the source?

It's a custom TCP rule. The port range is just the single number (8787 here).
The source is all the IP addresses you want to allow to use it. The first four numbers are a dotted quad, a way of specifying a 32-bit address as four 8-bit decimal numbers. 192.168.1.0 is an example. The number after the slash is the number of bits that the source address must match.
So 192.168.1.0/24 means any address that matches the first 24 bits would be allowed: 192.168.1.0 through 192.168.1.255. 0.0.0.0/0 means any address that matches the first 0 bits would be allowed. That is, any address at all.
I don't know how secure the RStudio protocol is, but I'd advise against allowing all addresses on the Internet to connect to it. Find your own IP address (you can just Google "what's my ip" to find out). Say it's 123.123.123.123. Then you could specify the source to be 123.123.123.123/32, meaning that address, and only that address, would be allowed.
If you connect from different places in the future, you can change the rule to match whatever address you are at each time you need to connect.
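An added example (not part of the answer above) that turns the CIDR matching it describes into a small audit of a security group: the rules are constructed to mirror the five ports from the question's instructions, and any administrative port (22, 3389, 8787) whose source is wider than a single /32 host is flagged.

```python
import ipaddress

# Constructed sample rules modelled on the inbound-rule tab from the question;
# not taken from any real AWS account.
RULES = [
    {"proto": "tcp", "from_port": 22,   "to_port": 22,   "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 80,   "to_port": 80,   "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 443,  "to_port": 443,  "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 8787, "to_port": 8787, "cidr": "123.123.123.123/32"},
]

# Ports that should only be reachable from known admin addresses. 80/443 are
# left out because the instructions intend them to be public web ports.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 8787: "RStudio Server"}


def source_allows(cidr, ip):
    """True if the rule's source CIDR matches the address: /24 requires the
    first 24 bits to match, /32 exactly one host, /0 matches every address."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def port_in_rule(rule, port):
    """A rule may cover a port range; check whether `port` falls inside it."""
    return rule["from_port"] <= port <= rule["to_port"]


def find_overexposed(rules, admin_ports=ADMIN_PORTS):
    """Return (port, service, cidr) for every admin port that a TCP rule opens
    to a source broader than a single /32 host, sorted by port."""
    findings = []
    for rule in rules:
        if rule["proto"] != "tcp":
            continue
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        for port, service in admin_ports.items():
            if port_in_rule(rule, port) and net.prefixlen < 32:
                findings.append((port, service, rule["cidr"]))
    return sorted(findings)
```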

Yes, it's a TCP rule. If you want to open the port to everyone, you would use 0.0.0.0/0.
Opening it to everyone is not always a good idea; it depends on what you are trying to do.

Related

How service can bind on 127.0.0.xxx without interface to be present

Recently I found that I was able to bind Apache on 127.0.0.73 without 127.0.0.73 being present.
Only 127.0.0.1 is present, as normal.
I also spoke with a friend and he said that this is "normal" on Linux and probably on Windows, and does not work on macOS, but he has no idea why.
I can do following:
[nmmm#zenbook nmmm]$ curl 127.10.0.123
curl: (7) Failed to connect to 127.10.0.123 port 80: Connection refused
and it shows that the whole class A network is available.
How does this work?
I do not see anything special in ifconfig and ip, except lo interface has no broadcast. Is that the key point?
According to https://en.wikipedia.org/wiki/Localhost
IPv4 network standards reserve the entire address block 127.0.0.0/8 (more than 16 million addresses) for loopback purposes. That means any packet sent to any of those addresses is looped back. The address 127.0.0.1 is the standard address for IPv4 loopback traffic; the rest are not supported by all operating systems. However they can be used to set up multiple server applications on the host, all listening on the same port number. The IPv6 standard assigns only a single address for loopback: ::1.
Or from https://www.rfc-editor.org/rfc/rfc3330
127.0.0.0/8 - This block is assigned for use as the Internet host
loopback address. A datagram sent by a higher level protocol to an
address anywhere within this block should loop back inside the host.
Even though you can't see anything from ifconfig or ip, you still can ping all the addresses in that 127.0.0.0/8 block.
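An added example (not part of the answer) that exercises the quoted claim directly: one toy listener is bound per 127/8 address, all on the same port, and a client connects to each to see which listener answers. Addresses that the kernel refuses to bind (the case the question attributes to macOS) are reported as None rather than treated as errors.

```python
import socket
import threading


def _serve_once(listener, reply):
    """Constructed toy server: accept one connection, reply with our identity, exit."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(reply.encode())
    listener.close()


def listen_on_loopback_aliases(addresses=("127.0.0.1", "127.0.0.73", "127.10.0.123")):
    """Bind a listener on every address, all sharing ONE port, then connect to each
    address and record the reply. Returns {address: reply}; a value of None means
    bind() failed with EADDRNOTAVAIL, i.e. the host does not route all of 127/8
    to loopback the way Linux does."""
    listeners = {}
    port = 0
    for addr in addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((addr, port))  # port 0 on the first bind, the same port afterwards
        except OSError:
            s.close()
            continue
        port = s.getsockname()[1]
        s.listen(1)
        listeners[addr] = s

    threads = []
    for addr, s in listeners.items():
        t = threading.Thread(target=_serve_once, args=(s, f"served by {addr}"))
        t.start()
        threads.append(t)

    results = {}
    for addr in addresses:
        if addr not in listeners:
            results[addr] = None
            continue
        # The kernel delivers the connection to the listener whose bound address
        # matches exactly, even though ifconfig/ip show only 127.0.0.1 on lo.
        with socket.create_connection((addr, port), timeout=5) as c:
            results[addr] = c.recv(64).decode()
    for t in threads:
        t.join()
    return results
```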

Increase ephemeral ports by adding extra ethernet interface

Is there a way to double the number of ephemeral ports and work around the 16-bit limit? I have tried creating virtual ethernet interfaces over eth0, hoping that would lift the limit. Although the application is using the new virtual IPs for outbound traffic, it still seems to be hitting the same ephemeral-port limit. I suppose the virtual ports have a 1-to-1 mapping to the ports on the physical interface.
ifconfig eth0:1 10.10.10.210 netmask 255.255.255.192
ifconfig eth0:2 10.10.10.211 netmask 255.255.255.192
Could someone please advise how I could double the total number of ephemeral ports in Linux, without adding an extra NIC?
(FYI, I have tried increasing ulimit/max open file, changing the port range, enabling tcp recycle/timestamps, reducing tcp fin timeout... I suppose we simply need more than 65k ports for this proxy machine.)
If you create virtual interfaces over eth0, then you should be able to assign different IP addresses to those interfaces. With that, you can use the same ephemeral port numbers (they are allocated in the kernel, so you don't really have much control) for multiple sockets each bound to different addresses -- you will probably need to set the SO_REUSEADDR option. The reason this will work is that for incoming packets (UDP/TCP), the flow is identified by looking at both the local source IP and the port number.
And as #Duck mentioned, since TCP/UDP headers allocate only 16 bits for port numbers, there is not much point in increasing the ephemeral range in the local stack.
It's a limitation of the network protocols. Both TCP & UDP, for instance, have 16 bit source and destination ports. Even if you could increase the number of ports no one could address them.
It seems there's a way, but it's not for free. It's called "bind before connect". See this short but dense article, which sums it up very nicely.
Having multiple virtual IPs is just a start. Quoting the linked article:
On Linux the ephemeral port range is a global resource, it's not a specific setting local to an IP address.
So that's bad, and you have to improve your starting position with a few right settings (most of which you already found) and get around the global limit with a clever socket allocation technique. The result is that you'll control all the outgoing IPs manually. This also seems not to cope well with other apps on the system using the traditional "connect" way.
It turns out that you cannot use port 0 to bind an ephemeral port if you want to exceed the 65535 limit. Instead, you need to use an explicit port number.
And also turning on tcp_tw_reuse might be helpful: http://krenel.org/tcp-time_wait-and-ephemeral-ports-bad-friends.html

DHCP Server Port-Based Address Allocation switch cisco 2960

At my work they asked me to configure a Cisco 2960 switch. We will connect printers to the switch, and they want the switch to give the printers their IPs with DHCP (we don't have a DHCP server). They also want an IP assigned to each individual port, so that the same IP address is assigned no matter whether they change the printer; this is in case a printer fails and they want only to replace it, without having to do anything about configuration. I have configured DHCP Server Port-Based Address Allocation, but it isn't working.
I used this guide http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3se/5700/dhcp-prt-bsd-aa.pdf
but it isn't assigning anything.
Tough to give a good answer without seeing your config. I'm going to assume you've checked you're running a version of code that supports this and that you've checked for typos.
Given that, I can only see one thing. In the doc you've linked to, it shows the syntax for the assignment being:
ip dhcp pool dhcppool
network 10.1.1.0 255.255.255.0
address 10.1.1.7 client-id Et1/0 ascii
In this document which is specifically for the 2960, it shows quotes round the Et1/0. So you have:
ip dhcp pool dhcppool
network 10.1.1.0 255.255.255.0
address 10.1.1.7 client-id "Et1/0" ascii
Beyond that, is it balking at a certain point, or is it taking all the commands?
I don't have a 2960 here to test it, so this is the best I can do.
Hope this helps.

Using IPSec to block all traffic except web browsing

I am using IPsec to block all protocol traffic and allow some ports.
I want to allow web browsing while blocking all of the other traffic.
I tried to add a rule to allow port 80, and port 53 as source and destination port, over the UDP and TCP protocols, but I still get a DNS error in the browser.
Please can you help me?
I don't know IPsec, but in general you cannot limit the source ports. The source ports will be random, and will not likely be 53 or 80. You should limit only the destination ports (80, 53).
The way IPSec works is that all 'block' rules take priority over 'allow' rules. If we ignore the fact you're not using the recommended methods to do what you want to do, you've not configured IPSec properly.
Unfortunately, using this method will be horrible, since you'll have to configure filters to block everything except HTTP, and there's no way of specifying 'everything except something'. I went down this road briefly a few weeks ago, made the same mistake you did, and aborted the whole plan!
I know this is an old question, but it would be good to follow it up with the solution you found.

Are the allowed ports shared for one eth or for one IP, if you alias many IPs on one eth dev?

Now, I have a situation where I alias a lot of IPs on a single dev exposed by a Linux system. This dev is, let's say, ethX.
Now on ethX I add many IPs from a subnet.
Problem:
It appears that the port range is shared for all IPs on the ethX, which means:
if I add an IP x.y.a.b on ethX and use port 5552,
and now I add an IP y.x.b.a on ethX and try to use 5552 -> this cannot be done.
Can anyone confirm this?
The addition is done using the iproute2 utils (ip addr add xxxx dev xxxx) etc.
A TCP connection is identified by the tuple (interface, source address, source port, dest address, dest port), so no, ports are not shared.
What do you mean by use? Do you mean bind()? You should be able to bind() to the same port on different addresses, though you may need to use SO_REUSEADDR, I don't remember the specifics.
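An added example (not from either thread) serving both this question and the ephemeral-port question above: two client sockets are bound to different loopback aliases but the same explicit source port, with SO_REUSEADDR set, and both connect to one constructed server, which records the (ip, port) pairs it saw. It assumes Linux-style 127/8 loopback for the alias addresses 127.0.0.2 and 127.0.0.3; where those cannot be bound the function returns None.

```python
import errno
import socket
import threading


def _accept_peers(listener, count, peers):
    """Constructed toy server: accept `count` connections and record each
    client's (ip, port) exactly as the server side sees it."""
    for _ in range(count):
        conn, peer = listener.accept()
        peers.append(peer)
        conn.close()


def connect_with_shared_source_port(src_ips=("127.0.0.2", "127.0.0.3")):
    """Open one connection per local IP, all bound to the SAME source port and
    all to the same server. TCP identifies a flow by the full (src ip, src port,
    dst ip, dst port) tuple, so (127.0.0.2, P) and (127.0.0.3, P) never clash;
    this is the 'bind before connect' technique. Returns the sorted peers the
    server saw, or None when the alias addresses cannot be bound (EADDRNOTAVAIL)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(len(src_ips))
    dst, peers = server.getsockname(), []
    t = threading.Thread(target=_accept_peers,
                         args=(server, len(src_ips), peers), daemon=True)
    t.start()
    clients, src_port = [], 0
    try:
        for ip in src_ips:
            c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            # SO_REUSEADDR relaxes bind() conflicts so an explicit source port can
            # be chosen instead of letting the kernel allocate one via port 0.
            c.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            c.bind((ip, src_port))  # port 0 for the first IP, then that same port
            src_port = c.getsockname()[1]
            c.connect(dst)
            clients.append(c)
        t.join(timeout=5)
        return sorted(peers)
    except OSError as e:
        if e.errno == errno.EADDRNOTAVAIL:
            return None
        raise
    finally:
        for c in clients:
            c.close()
        server.close()
```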
