tomcat-users mailing list archives

From Tom Oinn <>
Subject Re: Destination Port for mod_jk
Date Fri, 14 Sep 2001 15:54:33 GMT

David Smith wrote:
> I believe it's the same as a conversation between your web browser and
> Apache.  When Apache makes a request of Tomcat, it uses the first available
> port on the local machine to open a connection to Tomcat.  In a linux box,
> check /proc/sys/net/ipv4/ip_local_port_range for the range of available
> ports.  Tomcat will reply back on the same port.  If you really want firewall
> security that tight, you might want to check into stateful inspection on the
> Apache server.  There, the ports are opened based on outgoing requests and
> closed when the connection is closed.  I believe iptables supports this
> using the state match extension module, but you'll have to check the docs
> since I've never tried it.
> My thoughts on the subject -- anyone else?

Assuming that each machine can reasonably trust the other, you could
add a completely isolated network interface to each machine and set
up the apache and tomcat to use this interface; effectively you have
no security constraints on the interfaces between the two servers, and
all your firewalling goes on on the machines' primary interfaces to
the rest of the world. We have a similar system with tomcat / oracle
machines and it seems simple and secure enough.

Tom Oinn

> --David Smith
> On Wednesday 12 September 2001 05:32 pm, you wrote:
> > Hello,
> >
> > I'm setting up a pair of machines, one of which is running tomcat, and the
> > other of which is running apache.  I am using ajp13 to connect the two
> > machines, and am trying to configure an iptables firewall on the apache
> > machine (the tomcat machine will be next).
> >
> > The roadblock that I'm running into is that I don't know which ports
> > will be used as the destination ports on the apache machine when tomcat
> > replies.  The ports that I set up in server.xml and in
> > are the source of my replies...
> >
> > Looking at my syslog log file, I see that I'm getting information sent
> > to ports 32769 up through 32792 (and maybe even more, I haven't looked
> > through them that much yet).  An example line is included below:
> >
> > Sep 12 11:42:51 web1 kernel: INT_IN DROP 7 IN=eth1
> > OUT=MAC=00:30:48:11:69:a8:00:b0:d0:e1:cc:0f:08:00 SRC=
> > DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
> > SPT=8011 DPT=32794 WINDOW=5792 RES=0x00 ACK SYN URGP=0
> >
> > Where is this port configured (if it's configurable)?  Or, does anyone
> > know which ports I need to be leaving open?
> >
> > Thanks very much for any help!
> >
> > Sincerely,
> >
> > Scott
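
An added illustration of the point David makes above (not code from the thread): it parses an iptables LOG line shaped like the one Scott quoted and shows why a rule set that only opens listening ports drops Tomcat's SYN/ACK reply to Apache's ephemeral port, while a connection-tracking policy, as iptables' state match provides, accepts it. It assumes an ip_local_port_range of 32768-61000 and substitutes RFC 5737 documentation addresses for the SRC/DST values blanked in the archive.

```python
import re

# Constructed sample modelled on the iptables LOG line quoted in the thread;
# the archive blanked SRC/DST, so RFC 5737 documentation addresses are used.
LOGGED_REPLY = ("Sep 12 11:42:51 web1 kernel: INT_IN DROP 7 IN=eth1 OUT= "
                "MAC=00:30:48:11:69:a8:00:b0:d0:e1:cc:0f:08:00 SRC=192.0.2.20 "
                "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
                "SPT=8011 DPT=32794 WINDOW=5792 RES=0x00 ACK SYN URGP=0")
AJP_PORT = 8011                 # Tomcat's ajp13 connector port, as in the log line
EPHEMERAL = (32768, 61000)      # assumed /proc/sys/net/ipv4/ip_local_port_range

def parse_log(line):
    """Pull KEY=VALUE fields and bare TCP flag words out of an iptables LOG line."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    flags = {f for f in ("SYN", "ACK", "FIN", "RST") if re.search(r"\b%s\b" % f, line)}
    return {"src": fields["SRC"], "dst": fields["DST"], "sport": int(fields["SPT"]),
            "dport": int(fields["DPT"]), "flags": flags}

def stateless_verdict(pkt, listening_ports):
    """Rules that only open the ports the host listens on: Tomcat's reply is dropped."""
    return "ACCEPT" if pkt["dport"] in listening_ports else "DROP"

class StatefulFirewall:
    """Toy connection tracker standing in for iptables' state match."""
    def __init__(self):
        self.conns = set()      # (local_ip, local_port, remote_ip, remote_port)

    def outbound(self, src, sport, dst, dport):
        # NEW: Apache opened a connection from an ephemeral port to Tomcat's AJP port
        self.conns.add((src, sport, dst, dport))

    def inbound_verdict(self, pkt, listening_ports):
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.conns:
            return "ACCEPT"     # ESTABLISHED: this is the reply to our own request
        return stateless_verdict(pkt, listening_ports)

def compare_verdicts(line=LOGGED_REPLY, listening_ports=frozenset({80, 443})):
    """Evaluate the logged packet under both policies; returns a summary dict."""
    pkt = parse_log(line)
    fw = StatefulFirewall()
    # The logged packet is SYN/ACK from Tomcat:8011, so Apache (DST) must have sent
    # the SYN from DPT (its ephemeral port) to Tomcat:8011 a moment earlier.
    fw.outbound(pkt["dst"], pkt["dport"], pkt["src"], AJP_PORT)
    return {"reply_flags": pkt["flags"] == {"SYN", "ACK"},
            "ephemeral_dport": EPHEMERAL[0] <= pkt["dport"] <= EPHEMERAL[1],
            "stateless": stateless_verdict(pkt, listening_ports),
            "stateful": fw.inbound_verdict(pkt, listening_ports)}
```

Running `compare_verdicts()` on the sample reports the packet as a SYN/ACK to an ephemeral port that the stateless policy drops and the stateful one accepts, which is exactly the DROP Scott saw in syslog.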
