tomcat-users mailing list archives

From OG <ogjunk-tom...@yahoo.com>
Subject Blocking AJP13 (port 8009) access
Date Tue, 14 Feb 2006 07:47:17 GMT
Hi,

I'm trying to block external access to port 8009 (AJP13), as only my local host really needs
to be able to talk to it.
I'm wondering if there are any internal/mod_jk mechanisms for that, or if iptables is the
best option.

I have tried iptables, which did block external requests, but it also got me in a situation
where I had a few hundred httpd processes in a SYN_SENT state ( netstat | grep 8009 | grep
-c SYN_SENT ) and returning 503s instead of 200s:

iptables -A INPUT \
     -p TCP --dport 8009 \
     -m state --state NEW \
     -j DROP
iptables -A INPUT \
     -p UDP --dport 8009 \
     -m state --state NEW \
     -j DROP

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -i lo -j ACCEPT


If anyone has iptables rules that work, I'd appreciate it if you could share them.

I'd also be curious to know whether people use some other mechanisms to prevent evil folks
from connecting to your port 8009 from the outside and consuming your available connections.

Thanks,
Otis
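
Added example, not from the original message: the same iptables rules with the loopback ACCEPT appended before the 8009 DROP, because -A matches rules in the order they were appended and, in the order posted, a local mod_jk connection to 8009 reaches the DROP first (consistent with the SYN_SENT pile-up and 503s described); the IPT variable and the ajp_preview helper are assumptions for reviewing the rules without applying them.

```shell
#!/bin/sh
# Restrict AJP13 (TCP 8009) to loopback. Rule order is the whole point:
# with -A each rule is appended, and the first match wins, so the
# loopback ACCEPT must come before the DROP or local mod_jk traffic dies.
# IPT defaults to the real binary; the preview helper swaps in "echo".
IPT="${IPT:-iptables}"

ajp_block_rules() {
    # 1. Keep replies to already-open connections flowing.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Loopback both ways: httpd/mod_jk on this host talks to Tomcat
    #    via 127.0.0.1:8009 and must match here, before the DROP.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # 3. Only now refuse new connections to 8009 from anywhere else.
    #    AJP13 is TCP only, so the UDP rule from the post is unnecessary.
    $IPT -A INPUT -p tcp --dport 8009 -m state --state NEW -j DROP
}

# Print the rules in the order they would be appended, without applying.
ajp_preview() {
    ( IPT="echo iptables"; ajp_block_rules )
}
```

Binding the AJP Connector to 127.0.0.1 with its `address` attribute in server.xml closes the port on the Tomcat side as well, independently of the firewall.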


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

