Paul Koufalis
Guest
Here is the answer from my Cisco guy (20 years on very large scale networks): Security folk complain because they need to justify their existence. For network guys we say "range tcp/3000-5000" and we are done. I don't understand the IPsec part. If you are talking about an IPsec VPN tunnel, then again, we just open the range of ports. Do you have more context?

The minimum number of required ports is based on your -Mn and -Mpb parameters plus the number of brokers you start. For example:

    _mprosrv toto -S 5000 -Mn 10 -Mpb 5 -Mi 1 -Ma 5 -n 100 -ServerType 4GL
    _mprosrv toto -S 6000 -m3 -Mpb 2 -Mi 1 -Mn 10 -ServerType 4GL

This will start two brokers on ports 5000 and 6000. The first broker will spawn a maximum of 5 _mprosrv servers and the second broker will spawn a maximum of two _sqlsrv2 servers. This Progress DB will consume up to 9 ports. The DB may open other ports (DBAgent, AdminServer), but those are only for intra-server connections.

The reason we request a wider range of open ports is simply because another UNIX process may come by and consume one or more ports in the designated port range. If you want to get fancy, on Linux I believe setting net.ipv4.ip_local_port_range outside your minport/maxport will prevent Linux from randomly assigning ports in your range, though it won't prevent a process from specifically requesting a port in the range.
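The port arithmetic and the ephemeral-range caveat from the post above, worked through as an added example (this is not code from the post or from Progress). It parses the two _mprosrv command lines quoted in the post, counts one listening port per broker plus one per spawnable server, and then checks whether the ports you intend to open on the firewall fall inside the Linux net.ipv4.ip_local_port_range, which is where random ephemeral assignments come from. Assumptions: the -Mn value on the first (primary) broker caps the total number of servers across brokers, and the sample command lines and sysctl value are constructed inline.

```python
"""Estimate how many TCP ports a Progress OpenEdge database needs from its
broker start commands, and check whether the Linux ephemeral port range
overlaps the ports you plan to open on the firewall."""
import os
import shlex

# Constructed sample: the two broker command lines quoted in the post.
BROKER_CMDS = [
    "_mprosrv toto -S 5000 -Mn 10 -Mpb 5 -Mi 1 -Ma 5 -n 100 -ServerType 4GL",
    "_mprosrv toto -S 6000 -m3 -Mpb 2 -Mi 1 -Mn 10 -ServerType 4GL",
]

# Constructed fallback for /proc/sys/net/ipv4/ip_local_port_range (a common default).
SAMPLE_LOCAL_PORT_RANGE = "32768\t60999"


def parse_broker(cmd):
    """Pull the listen port (-S), per-broker server cap (-Mpb) and database-wide
    server cap (-Mn) out of an _mprosrv command line. Bare flags such as -m3
    carry no value and are skipped."""
    toks = shlex.split(cmd)
    opts = {}
    for i, tok in enumerate(toks):
        if tok.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[tok] = toks[i + 1]
    return {
        "port": int(opts["-S"]),
        "mpb": int(opts.get("-Mpb", 0)),
        "mn": int(opts.get("-Mn", 0)),
    }


def required_ports(cmds):
    """Each broker listens on its own port; every server it can spawn (up to -Mpb
    per broker, and no more than -Mn in total) takes one more port.
    Returns (broker_ports, total_ports_needed)."""
    brokers = [parse_broker(c) for c in cmds]
    servers = sum(b["mpb"] for b in brokers)
    # Assumption: -Mn on the primary (first) broker caps servers for the whole DB.
    primary_mn = brokers[0]["mn"]
    if primary_mn:
        servers = min(servers, primary_mn)
    return [b["port"] for b in brokers], len(brokers) + servers


def parse_local_port_range(text):
    """Parse the 'low<TAB>high' contents of /proc/sys/net/ipv4/ip_local_port_range."""
    low, high = text.split()
    return int(low), int(high)


def ephemeral_overlap(local_range, min_port, max_port):
    """True if any port in [min_port, max_port] could also be handed out at random
    as an ephemeral port, i.e. the two ranges intersect. A False result only means
    random assignment stays out of the range; a process can still bind a port in
    it explicitly, as the post notes."""
    low, high = local_range
    return not (max_port < low or min_port > high)


def read_local_port_range():
    """Use the live sysctl value on Linux, otherwise the constructed sample."""
    path = "/proc/sys/net/ipv4/ip_local_port_range"
    if os.path.exists(path):
        with open(path) as fh:
            return parse_local_port_range(fh.read())
    return parse_local_port_range(SAMPLE_LOCAL_PORT_RANGE)


if __name__ == "__main__":
    broker_ports, needed = required_ports(BROKER_CMDS)
    print(f"brokers listen on {broker_ports}; database needs up to {needed} ports")
    local = read_local_port_range()
    # Constructed firewall range for the example: the ports you would ask to open.
    fw_min, fw_max = 5000, 6100
    clash = ephemeral_overlap(local, fw_min, fw_max)
    print(f"ip_local_port_range={local}; firewall range {fw_min}-{fw_max} "
          f"{'OVERLAPS' if clash else 'does not overlap'} the ephemeral range")
```

With the two command lines from the post, required_ports reports 9 ports (2 brokers + 5 + 2 servers), matching the post. The overlap check is the piece to run on the database host itself: if your -minport/-maxport window lies inside the ephemeral range, other processes may randomly take ports the servers expect, which is exactly why a wider firewall range gets requested.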