BOINC firewall rules

Message boards : Questions and problems : BOINC firewall rules
kengaru
Joined: 28 Jun 10
Posts: 1
Russia
Message 33561 - Posted: 28 Jun 2010, 13:10:29 UTC

Where could I find list of hosts IP addresses (dns names) and used ports information to build the hardware firewall rules to allow BOINC client to communicate with BOINC servers itself and the projects servers?
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15477
Netherlands
Message 33563 - Posted: 28 Jun 2010, 13:52:03 UTC - in response to Message 33561.  

BOINC uses TCP ports 80 and 443 to communicate with projects.

As for a list of project servers, that's a little difficult. The addresses you use on the outside, e.g. http://setiathome.berkeley.edu/ aren't used in BOINC. In the master file that BOINC gets from the projects there's a redirect to the correct server address. That address is a CGI server which connects to the correct server internally. None of those addresses are stored anywhere with your client.

This same thing goes for the monthly contact with the BOINC server, to check for a new projects list file.
Professor Ray
Joined: 31 Mar 08
Posts: 59
United States
Message 33582 - Posted: 28 Jun 2010, 19:15:42 UTC
Last modified: 28 Jun 2010, 19:27:07 UTC

I've had to establish network & computer security rules for Comodo Internet Security and so have had to address this issue. I created a zone for BOINC hosts. The host names can be gleaned from the BOINC message list. For example, the associated URL message for Rosetta is:

6/27/2010 10:35:02 PM rosetta@home URL http://boinc.bakerlab.org/rosetta/; Computer ID 1235227; resource share 100

The entry in the BOINC host zone is:

boinc.bakerlab.org and I added into the BOINC Host-zone the URL host name for each project I participate in.

Then there are zones created for the various BOINC data-servers, either WU or result. Not every project requires a unique zone for this. However, I've discovered that the following zones are necessary:

Rosetta:

Range - 140.142.20.107/140.142.20/125
=====================================
Seti:

Range - 208.68.240.13/208.68.240.20
=====================================
Einstein:

129.89.61.88
129.89.61.165/166
130.75.116.202
=====================================
Lattice:

128.32.18.189
=====================================
BOINC net:

range - 74.125.95.103/74.125.95.147
range - 209.85.225.99/209.85.225.147

NOTE: the latter zone is utilized cross-project to ascertain internet connectivity and determine whether any arbitrary project may be down or not. All IPs in that zone resolve to 1e100 domain names. Of the 19 projects I participate in, those are the only project-specific zones necessary.

I've created the following file-groups:

BOINC SCR:

BOINC_PRG\BOINCscr.exe
WINDOWS\BOINC.scr
======================================
BOINC PROJECTS:

BOINC_DATA\PROJECTS*
BOINC_DATA\SLOTS*
=======================================

BOINC.exe needs these permissions:

UDP out from NIC to DNS src port any to port 53
TCP out from NIC to BOINC Hosts src port any to port 80
TCP out from NIC to Einstein Data src port any to port 80
TCP out from NIC to Lattice Data src port any to port 80
TCP out from NIC to Rosetta Data src port any to port 80
TCP out from NIC to SETI Data src port any to port 80
TCP out from NIC to BOINC Net src port any to port 80

========================================
BOINC SCR file-group needs these permissions:

TCP out from local_0 to local_127 src port-set BOINC to dest port 31416

The BOINC src port-set is defined as:

1027-1147
1326-1371
1443-1444
1577-1580
1867-1878
3094-1407
3606
4567-4568

NOTE: Local 0 is a zone defined as 0.0.0.0 and local_127 is a zone defined as 127.0.0.1. Every once in a while the BOINC SCR file group wants to establish TCP out from local_0 to local_127 with src port not in the list. I allow it and add the new port into the port-set.
=====================================================

The 'BOINC Projects' file-group is configured as 'installer/updater' - canned Comodo permissions profile.
=====================================================

E:\BOINC\BOINCmgr.exe has execute permission to the following:

E:\BOINC\BOINC.exe
BOINC SCR (file-group)
C:\Program Files\Internet Explorer\iexplorer.exe
C:\BOINC_Data\Projects*

E:\BOINC\BOINCmgr.exe has WINDOWS\WinEvent hooks permissions for E:\BOINC\BOINCmgr.exe

E:\BOINC\BOINCmgr.exe has process termination permission for:

E:\BOINC\boinc.exe
C:\Boinc_Data\projects\einstein.phys.uwm.edu\einstein_S5R6_3.01_graphics_windows_intelx86.exe

E:\BOINC\BOINCmgr.exe has Windows Messages permission

E:\BOINC\BOINCmgr.exe has permission to the following protected registry keys:

HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryCount
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\TypesSupported

E:\BOINC\BOINCmgr.exe has permission to \Device\Afd\Endpoint
E:\BOINC\BOINCmgr.exe has DNS Client Services permission

================================================================
BOINC.exe has execute permissions to 'BOINC Projects'
BOINC.exe has termination permissions to 'BOINC Projects'
BOINC.exe has permission to the following protected registry keys:

HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryCount
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\TypesSupported

BOINC.exe has permission to the following folders:

\Device\Afd\Endpoint
C:\Boinc_Data\*
C:\Boinc_Data\projects\*
C:\Boinc_Data\slots\*

BOINC.exe is permitted DNS Client Services
================================================================

E:\BOINC\BOINCscr.exe has permission to \Device\Afd\Endpoint
================================================================

C:\WINDOWS\BONC.scr has permission to \Device\Afd\Endpoint
================================================================

BOINC pretty much starts, stops, executes any project, updates and suspends any project I participate in. Furthermore, connection to all BOINC web-sites through the BOINC Manager is unhindered. The only aspects of BOINC that are not comprehensively configured are BOINC graphics (per project) and the screen saver; I do not use these features. There may be computer security configuration issues specific to each individual graphics executable, but those are easily enough addressed by clicking 'allow' and 'remember this' whenever the associated Comodo alert presents itself.

I'm virtually unbothered by any alerts from Comodo whatsoever (except for the occasional new ports alluded to respecting the BOINC SCR file-set, and a new IP connection attempt that resolves to a 1e100 domain name). Also, every once in a great while, a new IP for one of the BOINC projects manifests itself.
Gundolf Jahn
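As an added illustration of the allowlist model in the post above (not code from the poster, from Comodo or from BOINC): a small Python evaluator that encodes the per-executable zone and port rules listed there and answers, default-deny, whether a given outbound connection would be permitted. Assumptions: each "a/b" range is read as the inclusive range a..b (with the Rosetta upper bound taken as 140.142.20.125), the name-based "BOINC Hosts" zone is left out because it needs DNS resolution, "to DNS" is read as any resolver, and the misprinted "3094-1407" port range is omitted.

```python
import ipaddress

# Build a zone (list of networks) from inclusive first..last address pairs.
# The ranges below are the ones quoted in the post; the Rosetta upper bound
# 140.142.20.125 is an assumption, since the post's line is misprinted.
def zone(*ranges):
    nets = []
    for first, last in ranges:
        nets += ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))
    return nets

ZONES = {
    "Rosetta Data": zone(("140.142.20.107", "140.142.20.125")),
    "SETI Data": zone(("208.68.240.13", "208.68.240.20")),
    "Einstein Data": zone(("129.89.61.88", "129.89.61.88"),
                          ("129.89.61.165", "129.89.61.166"),
                          ("130.75.116.202", "130.75.116.202")),
    "Lattice Data": zone(("128.32.18.189", "128.32.18.189")),
    "BOINC Net": zone(("74.125.95.103", "74.125.95.147"),
                      ("209.85.225.99", "209.85.225.147")),
    "local_127": zone(("127.0.0.1", "127.0.0.1")),
}
ANY_IP = zone(("0.0.0.0", "255.255.255.255"))  # "to DNS" read as any resolver

# Source port-set for the screensaver, from the post (misprinted range omitted).
SCR_PORTS = [(1027, 1147), (1326, 1371), (1443, 1444), (1577, 1580),
             (1867, 1878), (3606, 3606), (4567, 4568)]

# One rule per line of the post: (app, proto, dst zone, dst port, src port ranges or None).
RULES = [
    ("boinc.exe", "udp", ANY_IP, 53, None),
    *[("boinc.exe", "tcp", ZONES[z], 80, None)
      for z in ("Rosetta Data", "SETI Data", "Einstein Data", "Lattice Data", "BOINC Net")],
    # Screensaver may only talk to the local GUI RPC port, from the listed source ports.
    ("boincscr.exe", "tcp", ZONES["local_127"], 31416, SCR_PORTS),
]

def allowed(app, proto, dst_ip, dst_port, src_port):
    """Default-deny: True only if some rule matches every field of the connection."""
    ip = ipaddress.ip_address(dst_ip)
    for r_app, r_proto, nets, r_port, src_ranges in RULES:
        if (r_app, r_proto, r_port) != (app.lower(), proto, dst_port):
            continue
        if not any(ip in n for n in nets):
            continue
        if src_ranges and not any(lo <= src_port <= hi for lo, hi in src_ranges):
            continue
        return True
    return False
```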
Joined: 20 Dec 07
Posts: 1069
Germany
Message 33584 - Posted: 28 Jun 2010, 21:32:20 UTC - in response to Message 33582.  

================================================================

C:\WINDOWS\BONC.scr has permission to \Device\Afd\Endpoint
================================================================

Just in case someone tries a copy&paste: shouldn't that read
C:\WINDOWS\BOINC.scr has permission to \Device\Afd\Endpoint
?

Gruß,
Gundolf
Professor Ray
Joined: 31 Mar 08
Posts: 59
United States
Message 33587 - Posted: 29 Jun 2010, 1:19:11 UTC - in response to Message 33584.  
Last modified: 29 Jun 2010, 1:30:19 UTC

Oh, BONC my head - and facepalm - you are correct. Not only that I didn't notice the missing 'i' initially.

Anyways, the reference is to computer security, access rights - protected files/folders - for C:\Windows\BOINC.scr. It's something that Comodo configured automatically based on some alert to which I replied, 'allow' and 'remember this'.

However, now that you bring that up, I see that both of those have the same access right specified. Since there's nothing unique between the two, I can establish that access right for the BOINC SCR file-group and delete the separate entries for BOINCScr.exe & BOINC.scr; the same thing will be accomplished with one profile rather than separate entries for each app.

Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.