tomcat-users mailing list archives

From David Smith <d...@cornell.edu>
Subject Re: Destination Port for mod_jk
Date Fri, 14 Sep 2001 15:12:45 GMT
I believe it's the same as a conversation between your web browser and 
Apache.  When Apache makes a request of Tomcat, it uses the first available 
port on the local machine to open a connection to Tomcat.  On a Linux box, 
check /proc/sys/net/ipv4/ip_local_port_range for the range of available 
ports.  Tomcat will reply back on the same port.  If you really want firewall 
security that tight, you might want to check into stateful inspection on the 
Apache server.  There, the ports are opened based on outgoing requests and 
closed when the connection is closed.  I believe iptables supports this 
using the state match extension module, but you'll have to check the docs 
since I've never tried it.

My thoughts on the subject -- anyone else?

--David Smith

On Wednesday 12 September 2001 05:32 pm, you wrote:
> Hello,
>
> I'm setting a pair of machines, one of which is running tomcat, and the
> other of which is running apache.  I am using ajp13 to connect the two
> machines, and am trying to configure an iptables firewall on the apache
> machine (the tomcat machine will be next).
>
> The roadblock that I'm running into is that I don't know which ports
> will be used as the destination ports on the apache machine when tomcat
> replies.  The ports that I set up in server.xml and in
> workers.properties are the source of my replies...
>
> Looking at my syslog log file, I see that I'm getting information sent
> to ports 32769 up through 32792 (and maybe even more, I haven't looked
> through them that much yet).  An example line is included below:
>
> Sep 12 11:42:51 web1 kernel: INT_IN DROP 7 IN=eth1
> OUT=MAC=00:30:48:11:69:a8:00:b0:d0:e1:cc:0f:08:00 SRC=192.168.1.32
> DST=192.168.1.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
> SPT=8011 DPT=32794 WINDOW=5792 RES=0x00 ACK SYN URGP=0
>
> Where is this port configured (if it's configurable)?  Or, does anyone
> know which ports I need to be leaving open?
>
> Thanks very much for any help!
>
> Sincerely,
>
> Scott
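As an added example (not part of this thread, and not code from either poster), a small POSIX shell script that checks whether the dropped packet in Scott's log is Tomcat's reply to a connection Apache opened from an ephemeral port (source port 8011, destination inside ip_local_port_range) and prints the stateful iptables rules David's reply points at. The port range 32768-61000, the LOG prefix and the Tomcat address are assumed or taken from the quoted log line.

```shell
#!/bin/sh
# Added example: classify a kernel LOG line from the Apache host and emit
# state-match iptables rules for the AJP leg. Constructed values: Tomcat at
# 192.168.1.32 on ajp13 port 8011 (from the quoted log); the port range is
# an assumed copy of /proc/sys/net/ipv4/ip_local_port_range.
TOMCAT_HOST=192.168.1.32
AJP_PORT=8011
PORT_RANGE="32768 61000"

# Constructed copy of the dropped packet quoted in the thread.
SAMPLE_LOG='Sep 12 11:42:51 web1 kernel: INT_IN DROP 7 IN=eth1 OUT= MAC=00:30:48:11:69:a8:00:b0:d0:e1:cc:0f:08:00 SRC=192.168.1.32 DST=192.168.1.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8011 DPT=32794 WINDOW=5792 RES=0x00 ACK SYN URGP=0'

# Extract one KEY=value field from a LOG line.
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# True when FLAG (e.g. SYN) appears as a bare token in the line.
has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# Return 0 when the line is Tomcat's SYN/ACK answering a connection that
# Apache opened from an ephemeral port: exactly the packet a port-based
# INPUT rule cannot predict but "--state ESTABLISHED" accepts.
is_ajp_reply() {
    line=$1
    src=$(log_field "$line" SRC)
    spt=$(log_field "$line" SPT)
    dpt=$(log_field "$line" DPT)
    set -- $PORT_RANGE
    lo=$1; hi=$2
    [ "$src" = "$TOMCAT_HOST" ] || return 1
    [ "$spt" = "$AJP_PORT" ] || return 1
    [ "$dpt" -ge "$lo" ] 2>/dev/null && [ "$dpt" -le "$hi" ] || return 1
    has_flag "$line" SYN && has_flag "$line" ACK
}

# Print the stateful rules for the Apache host: let Apache open the AJP
# connection, accept only return packets of connections it opened, and
# log then drop anything else arriving from the AJP port.
ajp_rules() {
    cat <<EOF
iptables -A OUTPUT -p tcp -d $TOMCAT_HOST --dport $AJP_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $TOMCAT_HOST --sport $AJP_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $TOMCAT_HOST --sport $AJP_PORT -j LOG --log-prefix "INT_IN DROP "
iptables -A INPUT -p tcp -s $TOMCAT_HOST --sport $AJP_PORT -j DROP
EOF
}

if is_ajp_reply "$SAMPLE_LOG"; then
    echo "sample packet: Tomcat replying to an Apache-opened AJP connection"
fi
ajp_rules
```

The script only prints the rules; review them and load them as root on the Apache host once the Tomcat address and AJP port match your workers.properties and server.xml.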
