choosing distributed comm ports

Michael McDaniel erlang@REDACTED
Sun Dec 12 07:32:47 CET 2004


On Sat, Dec 11, 2004 at 02:33:44PM +0100, klacke@REDACTED wrote:
> On Fri, Dec 10, 2004 at 01:35:34PM -0800, Michael McDaniel wrote:
> 
> > 
> > I have noticed that the ports used when my nodes communicate are not always
> > the same (not a surprise).  I would like to have known fixed ports so that
> > I can open those specific ports on the various firewalls where my Erlang
> > nodes will be installed.
> 
> 
> There are three interesting environment variables read by the code
> in inet_tcp_dist.erl which are used to control the establishment
> of the listen socket for distributed erlang.
> 
>  application:get_env(kernel,inet_dist_listen_min) and
>  application:get_env(kernel,inet_dist_listen_max)
> 
> 
>     are used to set a range of the incoming port numbers for 
>     distribution, use this to force one (or a range) of
>     explicit port numbers. These port numbers can then be
>     fed into firewalls.
> 
>  application:get_env(kernel, inet_dist_use_interface)
> 
>     Is another security related env parameter. It's used
>     to bind() the distribution to an explicit interface 
>     on the box. Also useful for security reasons.
> 
> 
> 
> /klacke
> 
> 
> -- 
> Claes Wikstrom                        -- Caps lock is nowhere and
> http://www.hyber.org                  -- everything is under control          
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Again, thank you, Claes, for the pointer.  It led to a workable solution.

Please see my original post for more details about the original question.
All my nodes use SSL communications ( -proto_dist inet_ssl ).

I found a way to force inet_ssl to listen on a fixed port, though it
requires a modification of inet_ssl_dist.erl code.  Line 84 of that module
(R10B-1a distro) is
case ssl_prim:listen(0, [{active, false}, {packet,4}] ++

Changing the 0 to my fixed port number causes the listen to occur on the
fixed port when using '-proto_dist inet_ssl'.

Since the epmd server (... /erts/epmd/src/epmd_srv.c) listens on a 
well-known port (presently 4369), I can open up 4369 and my inet_ssl
port on the firewall to allow calling nodes to reach behind-the-firewall
nodes.

Apparently what happens is that the calling node talks first to the epmd
server on the destination node.  I am guessing that the epmd server then
tells the calling node what port to use for the continuing data exchange
(my fixed port number in inet_ssl).  Hence I need to open up these two
ports on the firewall.

So, it works, though modifying distributed source is not my ideal choice.
I do not see any other way to do it if I want to use inet_ssl.

Maybe a future release of inet_ssl_dist.erl will have the 

 application:get_env(kernel,inet_dist_listen_min)
 application:get_env(kernel,inet_dist_listen_max)

capability like inet_dist.


~Michael
http://autosys.us
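
An added example, not part of the original thread and not OTP code: a small Erlang module that reads the two kernel parameters named in the reply and compares them with the ports the local epmd reports for registered nodes, so a listener outside the firewall range is caught. The module name dist_port_audit and the port range 9100-9105 are assumptions made for illustration.

```erlang
%% dist_port_audit: hypothetical helper, not part of OTP.
%% Start the node with the range you opened on the firewall, e.g.
%%   erl -sname a -kernel inet_dist_listen_min 9100 inet_dist_listen_max 9105
%% (9100-9105 is a constructed sample range), then call
%% dist_port_audit:check().
-module(dist_port_audit).
-export([configured_range/0, check/0, check/2]).

%% Read the range from the kernel application environment, the same
%% parameters the reply names. This helper insists on both being set.
configured_range() ->
    case {application:get_env(kernel, inet_dist_listen_min),
          application:get_env(kernel, inet_dist_listen_max)} of
        {{ok, Min}, {ok, Max}}
          when is_integer(Min), is_integer(Max), Min =< Max ->
            {ok, {Min, Max}};
        _ ->
            {error, range_not_configured}
    end.

%% Ask the local epmd which nodes are registered and on which ports,
%% then flag every port outside the configured range.
check() ->
    case configured_range() of
        {ok, Range} ->
            case net_adm:names() of
                {ok, Nodes}     -> check(Range, Nodes);
                {error, Reason} -> {error, {epmd, Reason}}
            end;
        Error ->
            Error
    end.

%% Pure comparison, usable with any [{Name, Port}] list.
check({Min, Max}, Nodes) ->
    case [{N, P} || {N, P} <- Nodes, P < Min orelse P > Max] of
        []  -> ok;
        Bad -> {outside_firewall_range, Bad}
    end.
```

Because the comparison uses what epmd actually registered, it also covers a node whose distribution module does not read these parameters, as the post reports for inet_ssl.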


