Joined: 28 Jun 10
Where could I find list of hosts IP addresses (dns names) and used ports information to build the hardware firewall rules to allow BOINC client to communicate with BOINC servers itself and the projects servers?
Joined: 29 Aug 05
BOINC uses TCP ports 80 and 443 to communicate with projects.
As for a list of project servers, that's a little difficult. The addresses you use on the outside, e.g. http://setiathome.berkeley.edu/ aren't used in BOINC. In the master file that BOINC gets from the projects there's a redirect to the correct server address. That address is a CGI server which connects to the correct server internally. None of those addresses are stored anywhere with your client.
This same thing goes for the monthly contact with the BOINC server, to check for a new projects list file.
Joined: 31 Mar 08
I've had to establish network & computer security rules for Comodo Internet Security and so have had to address this issue. I created a zone for BOINC hosts. The host names can be gleaned from the BOINC message list. For example, the associated URL message for Rosetta is:
6/27/2010 10:35:02 PM rosetta@home URL http://boinc.bakerlab.org/rosetta/; Computer ID 1235227; resource share 100
The entry in the BOINC host zone is:
boinc.bakerlab.org and I added into the BOINC Host-zone the URL host name for each project I participate in.
Then there are zones created for the various BOINC data-servers, either WU or result. Not every project requires a unique zone for this. However, I've discovered that the following zones are necessary:
Range - 188.8.131.52/140.142.20/125
Range - 184.108.40.206/220.127.116.11
Range - 18.104.22.168/22.214.171.124
Range - 126.96.36.199/188.8.131.52
NOTE: the latter zone is utilized cross project to ascertain internet connectivity and determine whether any arbitrary project may be down or not. All IP in that zone resolve to 1e100 domain names. Of the 19 projects I participate in, those are the only project specific zones necessary.
I've created the following file-groups:
BOINC.exe needs these permissions:
UDP out from NIC to DNS src port any to port 53
TCP out from NIC to BOINC Hosts src port any to port 80
TCP out from NIC to Einstein Data src port any to port 80
TCP out from NIC to Lattice Data src port any to port 80
TCP out from NIC to Rosetta Data src port any to port 80
TCP out from NIC to SETI Data src port any to port 80
TCP out from NIC to BOINC Net src port any to port 80
BOINC SCR file-group needs these permissions:
TCP out from local_0 to local_127 src port-set BOINC to dest port 31416
The BOINC src port-set is defined as:
NOTE: Local 0 is a zone defined as 0.0.0.0 and local_127 is a zone defined as 127.0.0.1. Every once in a while the BOINC SCR file group wants to establish TCP out from local_0 to local_127 with src port not in the list. I allow it and add the new port into the port-set.
The 'BOINC Projects' file-group is configured as 'installer/updater' - canned Comodo permissions profile.
E:\BOINC\BOINCmgr.exe has execute permission to the following:
BOINC SCR (file-group)
C:\Program Files\Internet Explorer\iexplorer.exe
E:\BOINC\BOINCmgr.exe has WINDOWS\WinEvent hooks permissions for E:\BOINC\BOINCmgr.exe
E:\BOINC\BOINCmgr.exe has process termination permission for:
E:\BOINC\BOINCmgr.exe has Windows Messages permission
E:\BOINC\BOINCmgr.exe has permission to the following protected registry keys:
E:\BOINC\BOINCmgr.exe has permission to \Device\Afd\Endpoint
E:\BOINC\BOINCmgr.exe has DNS Client Services permission
BOINC.exe has execute permissions to 'BOINC Projects'
BOINC.exe has termination permissions to 'BOINC Projects'
BOINC.exe has permission to the following protected registry keys:
BOINC.exe has permission to the following folders:
BOINC.exe is permitted DNS Client Services
E:\BOINC\BOINCscr.exe has permission to \Device\Afd\Endpoint
C:\WINDOWS\BONC.scr has permission to \Device\Afd\Endpoint
BOINC pretty much starts, stops, executes any project, updates and suspends any project I participate in. Furthermore, connection to all BOINC web-sites through the BOINC Manager is unhindered. The only aspects of BOINC that are not comprehensively configured are BOINC graphics (per project) and the screen saver; I do not use these features. There may be computer security configuration issues specific to each individual graphics executable, but those are easily enough addressed by clicking 'allow' and 'remember this' whenever the associated Comodo alert presents itself.
I'm virtually unbothered by any alerts from Comodo whatsoever (except for the occasional new port alluded to above respecting the BOINC SCR file-set, and a new IP connection attempt that resolves to a 1e100 domain name). Also, every once in a great while, a new IP for one of the BOINC projects manifests itself.
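The host-gleaning step described above, as an added example that is not part of the original post: it parses BOINC Manager "URL" message lines (the rosetta line is the one quoted above; the other lines and the project.example.org host are constructed), extracts the project host names, and turns them into a least-privilege outbound rule list (DNS, TCP 80/443 to each project host, and the GUI RPC port 31416 restricted to loopback). Separate data-server zones like the ones listed in the post would still need adding by hand.

```python
"""Derive a host allowlist and outbound rule set from BOINC Manager messages."""
import re
from urllib.parse import urlparse

# Constructed sample in the BOINC Manager message-log format. The rosetta line
# is the one quoted in the post above; the second project is a made-up placeholder.
SAMPLE_LOG = """\
6/27/2010 10:35:02 PM rosetta@home URL http://boinc.bakerlab.org/rosetta/; Computer ID 1235227; resource share 100
6/27/2010 10:35:02 PM Example Project URL https://project.example.org/boinc/; Computer ID 42; resource share 50
6/27/2010 10:35:03 PM rosetta@home Started download of http://boinc.bakerlab.org/rosetta/download/input.dat
6/27/2010 10:35:04 PM rosetta@home URL http://boinc.bakerlab.org/rosetta/; Computer ID 1235227; resource share 100
"""

# "<date> <time> AM|PM <project name> URL <url>; ..." -- only lines carrying a URL match.
URL_LINE = re.compile(r"^\S+ \S+ (?:AM|PM) (?P<project>.+?) URL (?P<url>https?://\S+?);")

GUI_RPC_PORT = 31416  # BOINC Manager <-> client RPC, loopback only


def project_hosts(log_text):
    """Return the unique project host names, in first-seen order."""
    hosts = []
    for line in log_text.splitlines():
        m = URL_LINE.match(line)
        if not m:
            continue
        host = urlparse(m.group("url")).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def outbound_rules(hosts):
    """Build a least-privilege outbound rule list for the BOINC client.

    Each rule is (proto, destination, dst_port, purpose). Anything outbound
    from the client that matches no rule should fall through to a default deny.
    """
    rules = [("udp", "dns-servers", 53, "name resolution")]
    for host in hosts:
        for port in (80, 443):
            rules.append(("tcp", host, port, "scheduler/data server"))
    rules.append(("tcp", "127.0.0.1", GUI_RPC_PORT, "BOINC Manager GUI RPC"))
    return rules


def rule_allows(rules, proto, dst, port):
    """True if some rule permits this (proto, destination, port) triple."""
    return any(r[0] == proto and r[1] == dst and r[2] == port for r in rules)
```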
Joined: 20 Dec 07
Just in case someone tries a copy&paste: shouldn't that read
C:\WINDOWS\BOINC.scr has permission to \Device\Afd\Endpoint?
Joined: 31 Mar 08
Oh, BONC my head - and facepalm - you are correct. Not only that I didn't notice the missing 'i' initially.
Anyway, the reference is to computer security, access rights - protected files/folders - for C:\Windows\BOINC.scr. It's something that Comodo configured automatically based on some alert to which I replied, 'allow' and 'remember this'.
However, now that you bring that up, I see that both of those have the same access right specified. Since there's nothing unique between the two, I can establish that access right for the BOINC SCR file-group, delete the separate entries for BOINCScr.exe & BOINC.scr; the same thing will be accomplished with one profile rather than separate entries for each app.
Copyright © 2022 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.