SuomiNet Support SuomiNet
Realtime
Results


SuomiNet Support
Back To Home Page
SuomiNet Realtime Results
SuomiNet Realtime Site
SuomiNet Sites
Site List
Site Installation Instructions
GPS Receiver and Computer Installation
Access SuomiNet Data
Using LDM Service
Directly Access Data
SuomiNet Related Instructions
SuomiNet Equipment Information
Configurations
GPS Receiver
GPS Antenna
GPS Antenna Cable
GPS Antenna Monument
Meteorological Package
System Computer
SuomiNet Network Rules
University Cost-Share Equipment
SuomiNet Participation Procedure
How to Proceed
Additional SuomiNet Information
* UNIDATA SuomiNet Page
* GPS Receiver and Antenna Testing Report for SuomiNet
* Trimble SuomiNet Press Release
* UNAVCO Support for SuomiNet, a GPS Network for Atmospheric Sensing
* SuomiNet Efforts in the US Southern Great Plains
* GPS Sensed Small Scale Water Vapor Variability in the Southern Great Plains
* Impact of GPS-Based Water Vapor Fields on Mesoscale Model Forecasts

SuomiNet Network Rules

SuomiNet sites must be on a network. Time synchronization using the NTP protocol is required. Sites must have 24/7 internet connection to allow automated data transfer via the LDM developed by UNIDATA. All the SuomiNet sites must comply with the LDM port requirements regardless of whether they have a firewall installed. If they cannot comply with these standards, then LDM cannot be used to transfer data. We are not allowing exceptions to LDM data transfer. We are also requiring that we be able to ssh into the participants' SuomiNet computers.

For LDM to run properly behind a firewall, the firewall must allow port 388 to be open for TCP packets. See Network Security and Set-up .

Ssh access from subnets *.cosmic.ucar.edu and unavco.org must be allowed on the cpu. (Suominet cpu's are configured at UNAVCO to allow ssh only from these subnets via the hosts.allow files.)

Port 22 must be allowed. When the suominet cpu is installed behind a firewall the firewall must allow Port 22.

On Linux systems Portmap can use tcpd to allow only specific connections. See the man pages for more details. You should implement portmap in the tcpd "host.allow" file (host.deny should already deny any connection that is not explicitly allowed).

From the LINUX man page: man portmap

....This portmap version is protected by the tcp_wrapper library. You have to give the clients access to portmap if they should be allowed to use it. To allow connects from clients of the .bar.com domain you could use the following line in /etc/hosts.allow: portmap: .bar.com You have to use the daemon name portmap for the daemon name (even if the binary has a different name). For the client names you can only use the keyword ALL or IP addresses (NOT host or domain names). ....

Example situation UCAR:

A firewall is installed. Most cpu's behind the firewall have port 388 blocked to the outside world, but open to UCAR subnet IP#'s
UCAR has designated "semi exposed" hosts which have port 388, the ssh port (22) port 111, the ftp port, and some other ports open. A local group system  administrator designates a machine as semi exposed by setting the last part or local IP# within a range of designated #'s. The router allow ports 388, 22, etc. for these semi exposed hosts to the world at large. The local group system administrators are responsible for installing sufficient security on the semi exposed host cpu's. LDM traffic other than UCAR to UCAR is handled on one of these semi exposed hosts.

Suominet cpu's have security patches installed before leaving UNAVCO, as well as the Linux OS, LDM, JSTREAM, ssh, and other functions needed to operate as Suominet cpu's.   If  Suominet cpu's should be behind a firewall, the firewall must either allow port 388 and port 22 to all cpu's behind that firewall -or- the Suominet cpu must be in a semi exposed host category behind the firewall and the router programmed to allow ports 388, and 22 (111 recommended) to semi exposed hosts. We are recommending that Suominet cpu's be set up in a semi exposed configuration (only a subset of ports opened) rather than being totally outside of any local firewalls. If the local system administrator feels that additional security is necessary they can limit the outside world IP#'s allowed to use these ports at the subnet level. A list of IP subnets that must be allowed access to the Suominet cpu ports 388 and 22 is being compiled and will be provided on request.

The IP# and name.subnet.univeristy.edu which will be assigned to the suominet cpu must be specified before the cpu is shipped so that we can correctly configure LDM.

  Comments: webmaster@cosmic.ucar.edu
  Last Modified: Oct, 2003    © Copyright