[Bro] Ports used between manager/logger/proxy host and worker nodes (SOLVED)

C. L. Martinez carlopmart at gmail.com
Mon Apr 17 05:36:44 PDT 2017


On Mon, Apr 17, 2017 at 12:32:40PM +0000, C. L. Martinez wrote:
> On Mon, Apr 17, 2017 at 11:25:23AM +0000, C. L. Martinez wrote:
> > Hi all,
> > 
> >  I have set up one manager/logger/proxy host with 5 worker nodes (all using version 2.5). Two of these 5 worker nodes are behind firewalls. I am seeing several packets dropped between these worker nodes and the manager host:
> > 
> > Apr 17 11:23:59.890910 rule 21/(match) [uid 0, pid 75183] block out on vio5: [uid 4294967295, pid 100000] 172.22.59.2.1255 > 172.22.59.4.47763: S 2230094890:2230094890(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 1780505936[|tcp]> (DF) (ttl 64, id 47383, len 64, bad ip cksum 14! -> b36d)
> > Apr 17 11:23:59.890988 rule 21/(match) [uid 0, pid 75183] block out on vio5: [uid 4294967295, pid 100000] 172.22.59.2.35138 > 172.22.59.4.47762: S 4275416417:4275416417(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 1149589794[|tcp]> (DF) (ttl 64, id 42370, len 64, bad ip cksum 14! -> c702)
> > Apr 17 11:23:59.891057 rule 21/(match) [uid 0, pid 75183] block out on vio5: [uid 4294967295, pid 100000] 172.22.59.2.24230 > 172.22.59.4.47761: S 363396747:363396747(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 703336159[|tcp]> (DF) (ttl 64, id 38422, len 64, bad ip cksum 14! -> d66e)
> > 
> >  What ports do I need to open in these firewalls to permit comms between worker nodes and manager host?
> > 
> > Thanks
> > -- 
> 
> More info. According to broctl-config.sh, comms are established on port 47760:
> 
> bindir="/opt/bro/bin"
> bro="/opt/bro/bin/bro"
> broargs=""
> brobase="/opt/bro"
> broctlconfigdir="/nsm/bro/spool"
> broport="47760"
> broscriptdir="/opt/bro/share/bro"
> capstatspath="/opt/bro/bin/capstats"
> cfgdir="/opt/bro/etc"
> ....
> 
>  But as you can see in the previous log, worker nodes try to connect to port 47763. Do I need to open a pool of ports on my firewalls? Can I configure which TCP port to use between workers and the manager host?
> 
> Thanks 
> 

Ok, got it. According to Bro's manual:

"Note that you can change the port that Bro listens on by changing the value of the “BroPort” option in your  broctl.cfg file (this should be needed only if your system has another process that listens on the same port). By default, a standalone Bro listens on TCP port 47760. For a cluster setup, the logger listens on TCP port 47761, and the manager listens on TCP port 47762 (or 47761 if no logger is defined). Each proxy is assigned its own port number, starting with one number greater than the manager’s port. Likewise, each worker is assigned its own port starting one number greater than the highest port number assigned to a proxy."

 Opening ports 47762 and 47761, it seems all works OK.

-- 
Greetings,
C. L. Martinez
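As an added example (not code from this thread or from Bro itself), the port-allocation rule quoted from the manual carried through for the layout in this thread, so the firewall between the workers and the manager/logger/proxy host can be opened precisely; `node_ports` and `worker_egress_ports` are helper names chosen here:

```python
# Added example: compute the TCP ports a Bro 2.5 cluster allocates under the
# BroPort rule quoted from the manual. Assumes the node counts and BroPort base
# are given as inputs; node_ports() and worker_egress_ports() are invented names.

def node_ports(bro_port=47760, has_logger=True, proxies=1, workers=1):
    """Return a dict mapping each cluster node to its listening TCP port.

    Manual's rule: logger on bro_port+1; manager on bro_port+2, or on
    bro_port+1 if no logger is defined; each proxy takes the next port above
    the manager; each worker takes the next port above the highest proxy.
    """
    ports = {}
    nxt = bro_port + 1
    if has_logger:
        ports["logger"] = nxt
        nxt += 1
    ports["manager"] = nxt
    nxt += 1
    for i in range(1, proxies + 1):
        ports[f"proxy-{i}"] = nxt
        nxt += 1
    for i in range(1, workers + 1):
        ports[f"worker-{i}"] = nxt
        nxt += 1
    return ports


def worker_egress_ports(ports):
    """Ports a worker must be able to reach on the manager/logger/proxy host.

    The dropped-packet log in the thread shows the worker initiating outbound
    SYNs to the logger, manager and proxy ports (47761-47763), so only the
    non-worker ports need to be reachable through the firewall.
    """
    return sorted(p for name, p in ports.items() if not name.startswith("worker"))


if __name__ == "__main__":
    # Layout from the thread: one manager/logger/proxy host and 5 workers.
    layout = node_ports(proxies=1, workers=5)
    for name, port in layout.items():
        print(f"{name:10s} {port}")
    print("open from workers ->", worker_egress_ports(layout))
```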

