Hi Robert, > On 15 Jan 2018, at 12:23, Robert Kisteleki <[email protected]> wrote: > > On 2018-01-15 13:09, Tim Chown wrote: >> Hi, >> >> At >> https://atlas.ripe.net/about/faq/#so-which-services-do-i-need-for-my-probe-to-work >> >> it says >> >> "The absolute minimum set is DHCP, DNS and outgoing TCP port 443 (HTTPS) in >> order to allow the probe to connect to the network. However, this in itself >> is not enough to do measurements, which is the entire focus of RIPE Atlas, >> so you should also allow ICMP, UDP (DNS + traceroute), TCP for traceroute >> and HTTP(S)." >> >> What specific ports and protocols are required for routine operation and for >> inbound or outbound measurements to be configured? I think the above info >> could be a little more detailed (having had questions asked of me). >> >> Many thanks, >> Tim > > Hi, > > The more precise we try to be, the more wrong we'll end up being :-) but > I'll try to be a bit more specific. > > For incoming traffic: the probes don't provide real accessible services, > so incoming ICMP/ping and UDP/traceroute is probably enough (assuming > the probe is otherwise not firewalled / NATed).
I think some probes we'd like to run tests to are behind a firewall, hence the interest on what's required as a minimum for at least basic connectivity tests. I'll follow up directly with a couple of specific examples rather than cite them here. > For outgoing traffic: the more you allow, the more measurements will > have a chance of succeeding. For example, if you only allow TCP/443 out, > then measurements to other ports (like TCP/traceroute or TLS to non-443) > will likely fail. Allowing outgoing DNS to any server is a must in order > to be useful for non-local-resolver queries. And so on. OK, thanks. A tweak to the FAQ along those lines would be good, I think :) > We also have NTP since the writing of the above FAQ entry, and HTTP > towards anchors. While the requirements (or, I should say, > recommendations) don't change each day, they do evolve over time. Understood, and thanks again. Tim > > Hope this helps! > Robert >
