tomcat-users mailing list archives

From OG <>
Subject Blocking AJP13 (port 8009) access
Date Tue, 14 Feb 2006 07:47:17 GMT

I'm trying to block external access to port 8009 (AJP13), as only my local host really needs
to be able to talk to it.
I'm wondering if there are any internal/mod_jk mechanisms for that, or if iptables is the
best option.

I have tried iptables, which did block external requests, but it also got me in a situation
where I had a few hundred httpd processes in a SYN_SENT state
( netstat | grep 8009 | grep -c SYN_SENT ) and returning 503s instead of 200s:

iptables -A INPUT \
     -p TCP --dport 8009 \
     -m state --state NEW \
     -j DROP
iptables -A INPUT \
     -p UDP --dport 8009 \
     -m state --state NEW \
     -j DROP

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -i lo -j ACCEPT

If anyone has iptables rules that work, I'd appreciate it if you could share them.

I'd also be curious to know whether people use some other mechanisms to prevent evil folks
from connecting to your port 8009 from the outside and consuming your available connections.
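The rules quoted above drop NEW connections to 8009 before the loopback ACCEPT is appended, so mod_jk on the same host is blocked too, which is what leaves httpd stuck in SYN_SENT. The script below is an added example (not from the original message or the Tomcat project): it prints the rules in a working order and offers a check that verifies the loopback ACCEPT precedes the DROP in a listing such as `iptables -S INPUT`. It assumes Linux iptables and that httpd/mod_jk and Tomcat share the host; the function names are made up for this example.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumes iptables on Linux
# and that Apache httpd (mod_jk) and Tomcat run on the same host.

AJP_PORT=8009

# Print the rules in the order they must be applied. Loopback traffic is
# accepted BEFORE the drop rule, so mod_jk can still reach Tomcat over
# 127.0.0.1. AJP is TCP only, so no UDP rule is needed. DROP (rather than
# REJECT) is kept so remote probes get no reply at all.
ajp_lockdown_rules() {
    cat <<EOF
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp --dport ${AJP_PORT} ! -i lo -j DROP
EOF
}

# Read a rule listing on stdin (format of 'iptables -S INPUT' or the output
# of ajp_lockdown_rules) and return 0 only if a loopback ACCEPT appears
# before the first DROP for the given port; otherwise return 1.
check_rule_order() {
    awk -v port="$1" '
        /-i lo -j ACCEPT/ && !seen_lo { seen_lo = NR }
        $0 ~ ("--dport " port) && /-j DROP/ && !seen_drop { seen_drop = NR }
        END { exit (seen_lo && seen_drop && seen_lo < seen_drop) ? 0 : 1 }
    '
}
```

Review the printed rules, then apply them as root with `ajp_lockdown_rules | sh`, and confirm the ordering afterwards with `iptables -S INPUT | check_rule_order 8009`. Tomcat's own equivalent is the `address="127.0.0.1"` attribute on the AJP `<Connector>` in server.xml, which binds the listener to loopback so nothing off-host can connect regardless of the firewall.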

