OWAMP TCP/UDP Port Usage and Firewall Configuration

owamp uses 2 different sets of ports:

  1. Main daemon listening port for control connection (Default: TCP/861)

    2. Defined using the port portion of the srcnode configuration option from owampd.conf.

    For example, to enable this on a typical RHEL 4 system, you would need to add the following line to /etc/sysconfig/iptables:

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 861 -j ACCEPT

    This should be added somewhere *after* the line that allows ESTABLISHED and RELATED connections through.

    (Note that this does not use the system-config-securitylevel script from Redhat. I have not been able to get that to do all the things I needed.)

  2. OWAMP test flows (Default: UDP/ephemeral range)

    3. Defined using the testports configuration option from owampd.conf, or the -P option to owping.

    If you specified testports as 910-950 *, you would then need to enable this range in your firewall configuration. (If you do not specify a range, owamp will only work reliably if you have open access for the entire ephemeral port range.)

    It is important to note, that you can only specify the port for the local side of the test. This same range is used for specifying the local port for both sending and receiving test packets. Therefore, your firewall configuration will need to accept any packets arriving for this port range, or departing from this port range.

    On a typical RHEL 4 system, you would need to add the following line to /etc/sysconfig/iptables given this range:

    -A RH-Firewall-1-INPUT -m udp -p udp --dport 910:950 -j ACCEPT

    The default rule for the OUTPUT chain is to allow anything through. If your firewall is more strict than this, you will need to explicitly allow this same range of UDP ports through that chain using the --sport option.

    * Note that this specific range would be a very bad idea because non-root users would not be able to run owping. (They could not bind the low-numbered port.) I have specifically picked this because I don't want my example to become a de facto port range specification for owamp test traffic, thereby allowing owamp traffic to be classified.

Example RHEL 4 /etc/sysconfig/iptables file

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# owamp-control listen port (srcnode)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 861 -j ACCEPT
# owamp-test
-A RH-Firewall-1-INPUT -m udp -p ucp --dport 910:950 -j ACCEPT
# reject anything that has not matched
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT