[ipac] ports open on HIP server
Michael Silver
msilver at prl.ab.ca
Tue Aug 5 18:54:18 EDT 2008
Howdy,
> I know there are a lot of different documents floating around, and
> we've talked about this before, but I thought I'd put together a
> comprehensive list of ports that should be listening on the HIP
> server (in the DMZ). Unfortunately, I didn't note what should be
> available from inside and/or outside traffic. Can anyone comment
> on their experiences?
>
> Here's my list (for the HIP server):
> 80 HTTP/JSP server
Web server - listens for requests from clients inside and outside the
library
> 210 Z39.50 server
ZServer - listens for requests from clients inside and outside the
library
> 220 IMAP3
Mail connection - I don't know of any reason to have IMAP running on the
HIP server. It basically is used to check email, not to send it. As I
understand it, HIP will initiate outgoing SMTP connections to the defined
mail server on the standard SMTP port, but it's still an outgoing
connection. That means there doesn't need to be an open listening port.
> 222 HIP Admin tool
HIP admin for administrators
> 3050 Interbase/Firebird
> 3060 Interbase/Firebird
Unless you're using client programs to access the database from remote
computers (like querying the database for statistics, etc), the Firebird
port just needs to be open for connections from the HIP server itself.
WebReporter may access it directly, but we don't have WR so I can't
speak intelligently about it. I do use other tools on my computer to
connect to the Firebird server.
It should not be open to the outside world.
> 1099 requests from Horizon
> 4444 requests from Horizon
> 9999 requests from Horizon
These ports should be listening for connections from the Horizon
Launcher program on client computers. The Horizon server doesn't
initiate communications with HIP.
> 4545 XSL
Unless you're running multiple HIP servers that use the XSL processor,
this port only needs to respond to requests from the HIP server itself.
If you have multiple XSL processors running on the server, you'll have
multiple ports. We have two running, with the second on port 4546. By
memory, this seems to be the port SD recommends for a second XSL
processor.
> 8082 local
> 8083 local
No idea.
> 12501 indexing service
> 12502 search server
> 12503 dynamic indexing
These ports are a little more of a black box to me. I think 12501 is the
port the index server listens on for the mass indexer or dynamic indexer
to connect to. As I understand it, the dynamic indexer connects to the
index server which writes to the indexes.
12502 listens for searches from HIP, and uses the indexes directly to
answer them.
I'm not sure what 12503 does. The processes shown by netstat -nap and ps
ax -H (which shows a cool view of parent and child processes) show
12503 being used by a java process started as a child of the
dynamic indexer.
One other note - some of the services bind to the loopback
interface (127.0.0.1) and some to the Ethernet interface. If you get
fancy with iptables on your HIP server, make sure you allow the right
one (or both to be safe!).
Hope this helps,
Michael
Michael Silver, Network Administrator
Parkland Regional Library
5404 56 Avenue Lacombe, AB T4L 1G1
Phone: 403.782.3850 Fax: 403.782.4650
http://www.prl.ab.ca/ msilver at prl.ab.ca
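
Added example, not part of the original message: a small audit that compares listening TCP sockets against the exposure described in the reply above and reports which ports need a firewall rule because they are bound to a non-loopback interface. The scope labels ("any", "internal", "local"), the sample netstat output and the addresses in it are constructed for illustration; ports the message does not settle (220, 8082, 8083, 12501-12503) are left out of the policy and reported for review.

```python
import re

# Exposure per port as described in the message; scope labels are this example's shorthand.
POLICY = {
    80: "any", 210: "any",                                    # web server, ZServer
    222: "internal", 1099: "internal", 4444: "internal", 9999: "internal",  # admin tool, Horizon Launcher
    3050: "local", 3060: "local", 4545: "local", 4546: "local",  # Firebird, XSL processors
}

# Constructed sample of `netstat -nlt` output (not from a real HIP server).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:210             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:220             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3050            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:4545          0.0.0.0:*               LISTEN
tcp        0      0 192.168.10.5:4444       0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:12502         0.0.0.0:*               LISTEN
"""

LISTEN = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")

def audit(netstat_text, policy=POLICY):
    """Return (port, bind_addr, finding) for each listening TCP socket."""
    findings = []
    for line in netstat_text.splitlines():
        m = LISTEN.match(line)
        if not m:
            continue  # header or non-listening line
        addr, port = m.group(1), int(m.group(2))
        loopback = addr.startswith("127.") or addr == "::1"
        scope = policy.get(port)
        if scope is None:
            finding = "ok: loopback only, not in policy" if loopback else "review: not in policy"
        elif scope == "local" and not loopback:
            finding = "restrict: firewall to the server itself"
        elif scope != "local" and loopback:
            finding = "unreachable: clients cannot connect to loopback"
        elif scope == "internal":
            finding = "restrict: firewall to library networks"
        else:
            finding = "ok"
        findings.append((port, addr, finding))
    return findings

if __name__ == "__main__":
    for port, addr, finding in audit(SAMPLE):
        print(f"{port:>5} {addr:<15} {finding}")
```

On a live server, pass the output of netstat -nlt to audit() instead of SAMPLE and adjust POLICY to match the site.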