[Bro] Ports used between manager/logger/proxy host and worker nodes

C. L. Martinez carlopmart at gmail.com
Mon Apr 17 05:32:40 PDT 2017


On Mon, Apr 17, 2017 at 11:25:23AM +0000, C. L. Martinez wrote:
> Hi all,
> 
> I have set up one manager/logger/proxy host with 5 worker nodes (all using 2.5 version). Two of these 5 worker nodes are behind firewalls. I am seeing several packets dropped between these worker nodes and manager host:
> 
> Apr 17 11:23:59.890910 rule 21/(match) [uid 0, pid 75183] block out on vio5: [uid 4294967295, pid 100000] 172.22.59.2.1255 > 172.22.59.4.47763: S 2230094890:2230094890(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 1780505936[|tcp]> (DF) (ttl 64, id 47383, len 64, bad ip cksum 14! -> b36d)
> Apr 17 11:23:59.890988 rule 21/(match) [uid 0, pid 75183] block out on vio5: [uid 4294967295, pid 100000] 172.22.59.2.35138 > 172.22.59.4.47762: S 4275416417:4275416417(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 1149589794[|tcp]> (DF) (ttl 64, id 42370, len 64, bad ip cksum 14! -> c702)
> Apr 17 11:23:59.891057 rule 21/(match) [uid 0, pid 75183] block out on vio5: [uid 4294967295, pid 100000] 172.22.59.2.24230 > 172.22.59.4.47761: S 363396747:363396747(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 703336159[|tcp]> (DF) (ttl 64, id 38422, len 64, bad ip cksum 14! -> d66e)
> 
>  What ports do I need to open in these firewalls to permit comms between worker nodes and manager host?
> 
> Thanks
> -- 

More info. According to broctl-config.sh, comms are established on port 47760:

bindir="/opt/bro/bin"
bro="/opt/bro/bin/bro"
broargs=""
brobase="/opt/bro"
broctlconfigdir="/nsm/bro/spool"
broport="47760"
broscriptdir="/opt/bro/share/bro"
capstatspath="/opt/bro/bin/capstats"
cfgdir="/opt/bro/etc"
....

But as you can see in the previous log, worker nodes try to connect to port 47763. Do I need to open a pool of ports on my firewalls? Can I configure what tcp port to use between workers and manager host?

Thanks

-- 
Greetings,
C. L. Martinez
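As an added example (not from the post, and not BroControl's own code): a small Python helper that pulls the blocked destination ports out of pf log lines like the ones quoted above and relates them to broport from broctl-config.sh, so a firewall rule can cover the span the cluster actually uses instead of only the base port. PF_LOG is constructed from the three quoted lines with the trailing TCP options trimmed.

```python
import re

# Constructed sample: the three pf "block out" lines quoted in the post
# (TCP option fields trimmed), plus broport from broctl-config.sh.
PF_LOG = """\
Apr 17 11:23:59.890910 rule 21/(match) [uid 0, pid 75183] block out on vio5: [uid 4294967295, pid 100000] 172.22.59.2.1255 > 172.22.59.4.47763: S 2230094890:2230094890(0) win 16384 (DF)
Apr 17 11:23:59.890988 rule 21/(match) [uid 0, pid 75183] block out on vio5: [uid 4294967295, pid 100000] 172.22.59.2.35138 > 172.22.59.4.47762: S 4275416417:4275416417(0) win 16384 (DF)
Apr 17 11:23:59.891057 rule 21/(match) [uid 0, pid 75183] block out on vio5: [uid 4294967295, pid 100000] 172.22.59.2.24230 > 172.22.59.4.47761: S 363396747:363396747(0) win 16384 (DF)
"""
BROPORT = 47760  # broport="47760" in broctl-config.sh

# pf renders flows tcpdump-style: "src.ip.sport > dst.ip.dport: S ..."
FLOW_RE = re.compile(
    r"block (?P<dir>in|out) on (?P<iface>\w+):.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S "
)


def blocked_syns(log):
    """Return (src, dst, dport) for every blocked TCP SYN in a pf log."""
    flows = []
    for line in log.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append((m["src"], m["dst"], int(m["dport"])))
    return flows


def port_summary(flows, base=BROPORT):
    """Group blocked SYNs by destination host and report the port span.

    offset_from_broport shows how far above the base port the cluster's
    listeners sit, which is the range a firewall rule must allow.
    """
    by_dst = {}
    for _src, dst, dport in flows:
        by_dst.setdefault(dst, set()).add(dport)
    return {
        dst: {"ports": sorted(ports), "lo": min(ports), "hi": max(ports),
              "offset_from_broport": max(ports) - base}
        for dst, ports in by_dst.items()
    }


if __name__ == "__main__":
    for dst, info in port_summary(blocked_syns(PF_LOG)).items():
        print(f"{dst}: blocked dports {info['ports']} "
              f"(up to broport+{info['offset_from_broport']})")
```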

